Ctrlk

DLP APIs - Native SaaS Apps

The native SaaS app APIs can be utilized by customers using Nightfall’s SaaS apps, supported natively, to fetch violations, search violations by app meta-data attributes, and fetch findings within violations. These DLP APIs do not provide access to violations for apps scanned via the developer platform. These APIs require you to create an API key as outlined in the Getting Started with the Developer Platform section. However, to use these APIs, you need not create any detectors, detection rules, and policies in the developer platform.

If you are using Nightfall SaaS apps, you can use APIs to fetch violations, search through the violations, and fetch specific findings within the Violations. To scan data in any custom apps or cloud infrastructure services like AWS S3, you must use the APIs in the DLP APIs - Firewall for AI Platform section.

Fetch violations

get

Fetch a list of violations for a period

Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Query parameters
createdAfterintegerOptional

Unix timestamp in seconds, filters records created ≥ the value, defaults to -90 days UTC

createdBeforeintegerOptional

Unix timestamp in seconds, filters records created < the value, defaults to end of the current day UTC

updatedAfterintegerOptional

Unix timestamp in seconds, filters records updated > the value

limitinteger · max: 100Optional

The maximum number of records to be returned in the response

Default: 50
pageTokenstringOptional

Cursor for getting the next page of results

Responses
200

Successful response

application/json
get
/violations

Fetch violation

get

Fetch a violation by ID

Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Path parameters
violationIdstring · uuidRequired

The UUID of the violation to fetch

Responses
200

Successful response

application/json
get
/violations/{violationId}

Search violations

get

Fetch a list of violations based on some filters

Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Query parameters
createdAfterintegerOptional

Unix timestamp in seconds, filters records created ≥ the value, defaults to -90 days UTC

createdBeforeintegerOptional

Unix timestamp in seconds, filters records created < the value, defaults to end of the current day UTC

updatedAfterintegerOptional

Unix timestamp in seconds, filters records updated > the value

limitinteger · max: 100Optional

The maximum number of records to be returned in the response

Default: 50
pageTokenstringOptional

Cursor for getting the next page of results

sortstring · enumOptional

Sort key and direction, defaults to descending order by creation time

Default: TIME_DESCPossible values:
querystringRequired

The query containing filter clauses

Search query language

Query structure and terminology

A query clause consists of a field followed by an operator followed by a value:

termvalue
clauseuser_email:"[email protected]"
fielduser_email
operator:
value[email protected]

You can combine multiple query clauses in a search by separating them with a space.

Field types, substring matching, and numeric comparators

Every search field supports exact matching with a :. Certain fields such as user_email and user_name support substring matching.

Quotes

You may use quotation marks around string values. Quotation marks are required in case the value contains spaces. For example:

Special Characters

+ - && || ! ( ) { } [ ] ^ " ~ * ? : are special characters need to be escaped using \. For example:

  • a value like (1+1):2 should be searched for using \(1\+1)\:2

Search Syntax

The following table lists the syntax that you can use to construct a query.

SYNTAXUSAGEDESCRIPTIONEXAMPLES
:field:valueExact match operator (case insensitive)state:"pending" returns records where the currency is exactly "PENDING" in a case-insensitive comparison
(space)field1:value1 field2:value2The query returns only records that match both clausesstate:active slack.channel_name:general
ORfield:(value1 OR value2)The query returns records that match either of the values (case insensitive)state:(active OR pending)

Query Fields

paramdescription
statethe violation states to filter on
user_emailthe emails of users updating the resource resulting in the violation
user_namethe usernames of users updating the resource resulting in the violation
integration_namethe integration to filter on
confidenceone or more likelihoods/confidences
policy_idone or more policy IDs
detection_rule_idone or more detection rule IDs
detector_idone or more detector IDs
risk_labelthe risk label to filter on
risk_sourcethe risk determination source to filter on
slack.channel_namethe slack channel names to filter on
slack.channel_idthe slack channel IDs to filter on
slack.workspacethe slack workspaces to filter on
confluence.parent_page_namethe names of the parent pages in confluence to filter on
confluence.space_namethe names of the spaces in confluence to filter on
gdrive.drivethe drive names in gdrive to filter on
jira.project_namethe jira project names to filter on
jira.ticket_numberthe jira ticket numbers to filter on
salesforce.org_namethe salesforce organization names to filter on
salesforce.objectthe salesforce object names to filter on
salesforce.record_idthe salesforce record IDs to filter on
github.author_emailthe github author emails to filter on
github.branchthe github branches to filter on
github.committhe github commit ids to filter on
github.orgthe github organizations to filter on
github.repositorythe github repositories to filter on
github.repository_ownerthe github repository owners to filter on
teams.team_namethe m365 teams team names to filter on
teams.channel_namethe m365 teams channels to filter on
teams.channel_typethe m365 teams channel types to filter on
teams.team_sensitivitythe m365 teams sensitivities to filter on
teams.senderthe m365 teams senders to filter on
teams.msg_importancethe m365 teams importance to filter on
teams.msg_attachmentthe m365 teams attachment names to filter on
teams.chat_idthe m365 teams chat ID to filter on
teams.chat_typethe m365 teams chat type to filter on
teams.chat_topicthe m365 teams chat topic to filter on
teams.chat_participantthe m365 teams chat participant's display name to filter on
onedrive.drive_ownerdrive owner's display name to filter on
onedrive.drive_owner_emaildrive owner's email to filter on
onedrive.file_namethe file name to filter on
onedrive.created_bythe m365 user, who created the file in the drive, display name to filter on
onedrive.created_by_emailthe m365 users, who created the file in the drive, email to filter on
onedrive.modified_bythe m365 users, who last modified the file in the drive, display name to filter on
onedrive.modified_by_emailthe m365 users, who last modified the file in the drive, email to filter on
zendesk.ticket_statusthe zendesk ticket status to filter on
zendesk.ticket_titlethe zendesk ticket titles to filter on
zendesk.ticket_group_assigneethe zendesk ticket assignee groups to filter on
zendesk.current_user_rolethe zendesk ticket current assignee user's roles to filter on
notion.created_bythe names of the users creating a resource in notion to filter on
notion.last_edited_bythe names of the users editing a resource in notion to filter on
notion.page_titlethe page names in notion to filter on
notion.workspace_namethe workspace names in notion to filter on
gmail.user_namethe names of the sender to filter on
gmail.fromthe email of sender to filter on
gmail.tothe email or name of recipients to filter on
gmail.ccthe email or name of cc to filter on
gmail.bccthe email or name of bcc to filter on
gmail.thread_idthe thread id of email to filter on
gmail.subjectthe subject of email to filter on
gmail.attachment_namethe name of attachment to filter on
gmail.attachment_typethe type of attachment to filter on
last_actioned_bythe entity that performed the last action on the violation, can be one of NIGHTFALL, ADMIN or END_USER
Responses
200

Successful response

application/json
get
/violations/search

Fetch violation findings

get

Get findings for a specific violation

Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Path parameters
violationIdstring · uuidRequired

The UUID of the violation

Query parameters
pageTokenstringOptional

Cursor for getting the next page of results

limitinteger · int32 · max: 1000Optional

Number of findings to fetch in one page (max 1000)

Default: 1000
Responses
200

Successful response

application/json
get
/violations/{violationId}/findings

Take an action on Violations

post

Perform an action on a list of violations. If an action can't be performed on a violation, that violation is ignored. Depending on the action, it could be processed immediately or queued.

Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Body
violationUUIDsstring · uuid[]Required

The UUIDs of the violations to perform the action on

actionstring · enumRequired

The action to perform on the violations

Possible values:
Responses
200

Successful response (processed immediately)

application/json
post
/violations/actions

Fetch annotation

get

Fetch an annotation by ID

Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Path parameters
annotationIdstring · uuidRequired

The UUID of the annotation to fetch

Responses
200

Successful response

application/json
get
/annotations/{annotationId}

Annotate finding

post

Annotate a finding

Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Path parameters
findingIdstring · uuidRequired

The UUID of the finding to annotate

Body
typestring · enumRequired

The annotation type

Possible values:
commentstringOptional

The comment to add to the annotation

autoApplybooleanOptional

Whether the annotation applies to all findings of this sensitive data (defaults to true)

Default: true
Responses
200

Successful response

application/json
post
/findings/{findingId}/annotate

Remove finding annotation

post

Remove the annotation for a finding

Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Path parameters
findingIdstring · uuidRequired

The UUID of the finding to unannotate

Responses
200

Successful response (even if annotation does not exist)

post
/findings/{findingId}/unannotate
No content

Fetch violation activity feed

get

Fetch the activity feed for a specific violation

Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Path parameters
violationIdstring · uuidRequired

The UUID of the violation

Query parameters
limitinteger · int32 · max: 100Optional

Number of activity items to fetch in one page

Default: 50
createdAfterintegerOptional

Unix timestamp in seconds, filters activity created > the value

createdBeforeintegerOptional

Unix timestamp in seconds, filters activity created < the value

descendingbooleanOptional

Whether to sort results in descending order (default false)

Default: false
pageTokenstringOptional

Cursor for getting the next page of results

Responses
200

Successful response

application/json
get
/violations/{violationId}/activity
PreviousRate Limits for Firewall APIsNextRate Limits for Native SaaS app APIs

Last updated

Was this helpful?