Create Detection Rules

Learn the process of creating detection rules in Nightfall.

Last updated 6 months ago

As described in the Nightfall Detection Platform, once you have finalised the Detectors to be used, or created custom detectors that reflect your organization's sensitive data security requirements, you must add the detectors to a detection rule and then add the detection rule to a policy. You cannot use detectors directly; detectors become useful only when you add them to a Detection rule and then add that detection rule to a policy.

You can add multiple detectors to a single detection rule. Nightfall does not restrict the type of detector that can be added to a detection rule: you can add both a custom detector and a Nightfall detector to the same detection rule.

You can create multiple detection rules to detect different types of sensitive data. For example, you can add the Password detector to one Detection rule and use it to detect password leaks, and add the API key detector to another detection rule and use it to detect API key leaks. Conversely, you can also have a single detection rule to which you add both the Password and API key detectors.

Once you add all the required detectors to the detection rule, Nightfall allows you to test the detection rule in the Nightfall Playground. The Nightfall playground is only for testing whether the detection rule works as expected. Once you confirm that it does, you must add the detection rule to a policy to put it to use for your data security requirements.

You can access the Detection Rules page by clicking Detection in the left pane and then clicking Detection Rules. To create a new Detection rule, click the + New Detection Rule button in the top right corner.

If you wish to get guidelines from Nightfall on what detectors must be included in your detection rules, refer to the Detection Rules document.

Adding Detectors to Detection Rule

You can add a Detector to the Detection rule by executing the following steps.

  1. Click the + New Detection Rule button in the top right corner.

  2. Enter a name for the detection rule in the Name field.

  3. (Optional) Enter a description for the detection rule in the Description field.

  4. Click + Add Detectors to add detectors to the detection rule.

  5. Select the check box for each detector that you wish to add to the detection rule. You can use the filters to view only the Nightfall detectors or only the custom detectors, or use the search bar to search for detectors.

  6. Click Add.

You can see that the selected detectors are added to the detection rule. In the following image, two detectors have been added to the Detection rule.

Detection Rule Settings

Once you add the required detectors to the detection rule, you can see that there are three columns: Scope, Minimum Confidence, and Minimum # of Findings. These settings define the weight of each detector in the detection rule. You must configure these settings for each detector.

These settings are explained in the following sub-sections.

Scope

The Scope setting allows you to define which part of the data the detector must scan. You can configure this setting to scan the name of the file, the contents of the file, or both.

If you select the Content option, the detector scans only the contents of the file and not its name; if you select File Name, it scans only the name of the file and not its contents. If you select Both, the detector scans the file name as well as the contents of the file.

For example, if the API key detector has to scan a Google Drive file and you select File Name, the detector scans only the name of the file to check whether it contains an API key. Similarly, if you select Content, the detector scans only the contents of the file and not its name. If you select Both, the detector scans both the name and the contents of the file.

Important

If you wish to scan content that is not part of any file, you must select either the Content or the Both option.

For example, if you wish to scan direct messages or group messages from Slack or MS Teams, these messages are not part of any file. In such cases, if you select the File Name option, the detector does not detect any violation, because it treats direct messages as Content that is not part of any file. Hence, to scan such content you must select either the Content or the Both option.

Minimum Confidence

The Minimum Confidence setting defines the probability of a detector's findings being actual violations. Nightfall provides three Minimum Confidence settings: Possible, Likely, and Very Likely.

The Possible option indicates that there is a 40-60% chance of the Detector's finding being an actual case of data leak. Similarly, the Likely option indicates a 61-80% chance, and the Very Likely option indicates an 81-100% chance of the Detector's finding being an actual case of data leak.

You can set the Minimum Confidence setting for each detector. When the detector detects a data leak, it is logged in the Sensitive Data Protection Events page with the Minimum Confidence setting configured here.

Minimum Number of Findings

This setting defines the minimum number of data leak cases that a detector must encounter for the Detection rule to consider them a Violation. You must configure this setting for each detector. For example, if you set this setting to 10, the detection rule does not consider the first 9 occurrences of data leak encountered by the detector; the detection engine starts considering the 10th and all subsequent cases of data leak to be actual violations.

Applying Logical Operators Between Detectors

If a detection rule has a single detector and that detector detects a data leak, the detection rule is triggered and the result is logged as a Finding.

However, when you have multiple detectors in a detection rule, you can choose to trigger the detection rule either when any of the detectors detects a data leak or only when all the detectors detect a data leak.

As you can see in the above image, you can choose to flag a Finding of the detection rule either when any single detector detects a data leak or when all the detectors of the detection rule detect a data leak.

Understanding When the Detection Rule Triggers

The above image has two detectors. The following statements hold.

  • The Scope of both the detectors is set to scan the file content and file name.

  • When either of these detectors detects a data leak, it is logged as a Finding in the Violations page and tagged as Very Likely.

  • The minimum number of findings for each detector is 1. So even a single case of a data leak is considered a finding by the detection rule.

  • The detection rule is triggered even if a single detector detects a data leak.
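As an added illustration (not Nightfall's own code), the following Python model shows how the Scope, Minimum Confidence, Minimum # of Findings and any/all settings described above combine to decide whether a detection rule triggers. The detector names, the sample findings and the "Content"/"File Name" location labels are constructed for this example and are not a Nightfall API.

```python
# Added example, not Nightfall's code: a model of how the detection rule
# settings combine. Names, sample findings and location labels are constructed.
from dataclasses import dataclass
from typing import List

# Minimum Confidence levels, ordered from weakest to strongest.
CONFIDENCE_RANK = {"Possible": 1, "Likely": 2, "Very Likely": 3}


@dataclass(frozen=True)
class Finding:
    detector: str      # which detector produced the finding
    confidence: str    # Possible / Likely / Very Likely
    location: str      # "Content" or "File Name" (where the match was found)


@dataclass(frozen=True)
class DetectorSetting:
    detector: str
    scope: str             # "Content", "File Name" or "Both"
    min_confidence: str    # Possible / Likely / Very Likely
    min_findings: int = 1  # Minimum # of Findings


@dataclass(frozen=True)
class DetectionRule:
    name: str
    detectors: List[DetectorSetting]
    trigger: str = "any"   # "any" detector fires, or "all" detectors fire


def in_scope(setting: DetectorSetting, finding: Finding) -> bool:
    """Scope filter: Both accepts every location, otherwise it must match."""
    return setting.scope == "Both" or setting.scope == finding.location


def qualifying_findings(setting: DetectorSetting, findings: List[Finding]) -> List[Finding]:
    """Findings for this detector that pass both the scope and the confidence threshold."""
    threshold = CONFIDENCE_RANK[setting.min_confidence]
    return [
        f for f in findings
        if f.detector == setting.detector
        and in_scope(setting, f)
        and CONFIDENCE_RANK[f.confidence] >= threshold
    ]


def detector_fires(setting: DetectorSetting, findings: List[Finding]) -> bool:
    """A detector counts as a violation only once it reaches Minimum # of Findings."""
    return len(qualifying_findings(setting, findings)) >= setting.min_findings


def rule_triggers(rule: DetectionRule, findings: List[Finding]) -> bool:
    """Combine the per-detector results with the rule's logical operator (any/all)."""
    results = [detector_fires(s, findings) for s in rule.detectors]
    return all(results) if rule.trigger == "all" else any(results)


# Constructed sample: a password in a Slack DM (message text, so it is Content
# with no file name) and an API key that appears only in a Drive file's name.
SAMPLE_FINDINGS = [
    Finding("Password", "Very Likely", "Content"),
    Finding("API Key", "Likely", "File Name"),
]

PASSWORD = DetectorSetting("Password", "Both", "Very Likely")
API_KEY = DetectorSetting("API Key", "Both", "Very Likely")
ANY_RULE = DetectionRule("Secrets (any)", [PASSWORD, API_KEY], "any")
ALL_RULE = DetectionRule("Secrets (all)", [PASSWORD, API_KEY], "all")
```

With the sample above, ANY_RULE triggers on the password alone, while ALL_RULE does not because the API key finding is only Likely and therefore below its Very Likely threshold.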

Testing Detection Rules in Nightfall Playground

Once you create the detection rule, it is highly recommended that you test the rule to ensure that it returns the expected results when added to policies. Nightfall provides a Playground to test the detection rules.

Prerequisites to use Nightfall Playground

You must have an API key to use the Nightfall Playground. You can refer to this document to learn how to create an API key.

You must have some sample data to test the Detection rule. This Nightfall document has various types of sample data sets that you can use.

Capturing Detection Rule UUID

Each Detection rule in Nightfall has a UUID. This is a unique ID assigned to each detection rule when it is created. You cannot edit the UUID of any detection rule. You must capture this UUID to use it in the Playground to test the detection rule.

To capture the Detection rule UUID:

  1. Navigate to Detection rules.

  2. Click the detection rule whose UUID has to be captured.

  3. Click the UUID to copy it.

Using the Nightfall Playground

Navigate to the Nightfall playground.

Use either the I'm Scanning Text or the I'm Scanning Files tab, based on whether you wish to scan text or a file.

If you are scanning text:

  1. Replace the existing sample data with your sample data in Step 1: Payload.

  2. Skip Step 2: Pick Detection rule.

  3. Expand Advanced Detection Settings (Optional).

  4. Paste the Nightfall API key in the Nightfall API Key field.

  5. Paste the Detection rule UUID in the Detection Rules field.

  6. Click Start Scan.

If sensitive data is found in the sample data, the Findings section looks as shown in the following image.

If you are scanning files:

  1. Paste the file URL or upload the file in Step 1: Files to scan.

  2. Enter the Email to which the scan results must be sent in the Step 2: Email field.

  3. Skip Step 2: Pick Detection rule.

  4. Expand Advanced Detection Settings (Optional).

  5. Paste the Nightfall API key in the Nightfall API Key field.

  6. Paste the Detection rule UUID in the Detection Rules field.

  7. Click Start Scan.