1 of 78

Developer APIs

Welcome to Developer APIs Documentation

Welcome to the amazing world of the Nightfall Developer APIs (formerly known as Firewall for AI). Here you can find all the information about Nightfall's APIs, and SDKs, and also usage examples of these APIs and SDKs.

Introduction to Developer APIs

Overview

Welcome to Nightfall's Firewall for AI Developers Scan and Workflow APIs documentation. This documentation helps developers leverage Nightfall AI's industry-leading detection engine to identify and protect sensitive customer and corporate data anywhere. It prevents unauthorized access and data breaches and allows you to focus on innovation.

Scan APIs

Scan prompts, text, documents, spreadsheets, logs, zips, JSON, images, etc., for PII, PHI, PCI, banking information, API keys, passwords, and network information with the highest accuracy and lightning-fast response times. Redact sensitive findings with customizable formatting.

Workflow APIs

Leverage the full potential of the Nightfall console application through our Workflow APIs. Customize your SIEM workflows and reporting, take actions, update support tickets, alert users, search violations, annotate findings, create reports, and more.

Key Features

AI-Powered Identification: Utilize advanced AI models to detect and prevent security threats in real-time.
Comprehensive Sensitive Data Detection: Identify PII, PHI, PCI, banking information, API keys, passwords, and network information across various formats including text, documents, spreadsheets, logs, zips, and images.
Customizable Redaction: Tailor data protection to your needs with fully customizable redaction for each sensitive entity type.

Customizable and Built-in Machine Learning-based Detectors

You can leverage Nightfall’s machine learning-based detectors or create your own detectors with customized logic to scan third-party apps, internal services, and data silos to identify instances of potentially sensitive types of data such as:

Personally Identifiable Information (PII) including Social Security Numbers, passport numbers, email addresses, or date of birth
Protected Health Information (PHI) such as insurance claim numbers or ICD10 codes
Financial information like credit card numbers or bank routing numbers

A Flexible Data Security Solution

Key features of Nightfall’s detection engine include:

Defining minimum confidence thresholds and minimum finding counts on detectors to reduce the chance of false positives.
Specifying and on detectors to fine-tune their accuracy to better suit your use cases.
Choosing which detectors are triggered for each policy.

Using the API

The Nightfall API consumes arbitrary data as input either as or as and allows you to use any combination of detectors to return a collection of “findings" objects.

The detectors may be or defined as part of the .

The findings display the relevant detector, the likelihood of a match, and the location within the given data where the matched token occurred (not only in terms bytes — there is support for tabular and JSON data as well).

You can take protective action on sensitive text by , substituting, or encrypting it with the API. You may also set up to receive asynchronous notifications when findings are detected.

The Nightfall API is RESTful and uses JSON for its payloads. Our API is designed to have predictable, resource-oriented URLs for each endpoint and uses to indicate any API errors.

You may test out the API through the

Where to Go From Here

The following guide will walk you through getting started and describe the API functionality in more detail. If you want to execute an API call immediately, see our guide to see how to obtain an API Key and make a simple scan request.

After that, you can learn about Nightfall with our Key Concepts section, which will also help you get set up with Nightfall.

If you’re looking for more ideas about best to leverage Nightfall’s functionality, see our guide.

We have created numerous that demonstrate how to implement DLP for a variety of platforms (including OpenAI, LangChang, Amazon, Datadog, and Elasticsearch) and handle various scenarios (such as detecting sensitive data in GenAI prompts or detecting PII on your machine in real-time).

We also have several language-specific to get you up and running in Java, Python, Go, Node.js, and Ruby.

You can also quickly test out Nightfall detectors or your custom Detection Rules in the . Please also consult our Detector to see the variety of built-in detectors that Nightfall offers.

The page allows you to create API keys and manage Detectors and Detection Rules through a straightforward user interface. Log in here to access the Dashboard, or sign up to create a free account.

For frequently asked questions, feedback, and other help, please contact Nightfall support at . We also host on Wednesdays at 12pm PT to help answer questions, talk through any ideas, and chat about data security. We would love to see you there!

Authentication and Security

The Nightfall API uses API keys to authenticate requests. You can create and view your API keys in the Nightfall app on the Manage API Keys page.

Your API keys carry many privileges, so be sure to keep them secure. Do not share your secret API keys in publicly accessible areas such as GitHub, client-side code, or anywhere else that would compromise their secrecy. If you believe one of your API Keys has been compromised, you should delete it through the Dashboard.

All API requests must be made over HTTPS.

Calls made over plain HTTP will fail.

API requests without authentication will fail.

Key Concepts

Entities and Terms to Know

This section describes the terms you will need to know when using the API.

Detectors

Detectors provide the logic to find potentially sensitive pieces of data.

When this logic detects such data, the Detector is considered "triggered."

Nightfall's has numerous pre-built Detectors that are trained via machine learning. Detectors may also be defined with regular expressions or dictionaries. Their accuracy may be further refined with exclusion rules and context rules. Whether a Detector is triggered may be controlled by a minimum confidence threshold per Detector and minimum number of findings per Detector as set on a Detection Rule.

Setting Up Nightfall

Before you use the scan endpoint, there are a number of actions to do within the Nightfall dashboard to get your environment set up properly.

See to see how to create the necessary Authentication token for making API calls.
See for how to define your own custom logic for detecting sensitive data

Creating API Key

The API expects an API Key to be passed via the Authorization: Bearer <key> HTTP header.

To create and manage API keys:

Log in to Nightfall.
Click Overview

Creating Policies

This document applies only to the Nightfall Developer APIs customers. If you are a Nightfall SaaS application customer, refer to this document.

Policies allow customers to create templates for their most common workflows by unifying a set of Detection Rules with the actions to be taken when those rules are triggered, including:

automated actions such as redaction of findings
alerting through webhooks

Once defined, a Policy may be used in requests to the Nightfall API, such as calls to scan file uploads, though automated redactions are not available for uploaded files at this time.

To create a policy:

Log in to Nightfall.
Click Policies under the Configuration section.
Click + New Policy.

It is mandatory for you to configure at least one alert channel.

Click Next.
(Optional) Enable the Redact Message toggle switch. This is an automated action that is triggered when sensitive data is found. The action automatically redacts sensitive data.
Click Next.

Configuring Webhook Alerts

To configure Webhook as an alert channel:

Enable the Webhook Alert notification channel.
In the Configure Webhook URL field, enter the URL of the Webhook to which you wish to send notifications.
(Optional) Click Add Headers to add header key value pairs.

Similarly, you can also use HTTP alerts channel.

Scanning Text

The scan endpoint allows you to apply Policies and Detection Rules to a list of text strings provided as a payload.

You may use or

Text scanning supports the use of,, and as well as other .

For scanning files, see .

Note that you must generate anto send requests to the Nightfall API.

Scanning Files

Nightfall’s file scan API allows a user to upload a file in chunks, then to scan it with Detection Rules once the upload is complete.

The scan will then be processed asynchronously before sending the results to the webhook URL that is provided along with your Detection Rules.

The following sequence diagram illustrates the full process for scanning a binary file with Nightfall.

For a detailed walkthrough of the API calls necessary to upload and scan a file and full script that shows the entire process, see

Webhooks and Asynchronous Notifications

The Nightfall API supports the ability to send asynchronous notifications when findings are detected as part of a scan request.

The supported destinations for these notifications include external platforms, such as Slack, email, or url to a SIEM log collector as well as to a webhook server.

Nightfall issues notifications under the following scenarios:

to notify a client about the results of a . File scans themselves are always performed asynchronously because of complexity relating to text extraction and data volume.

Accessing Your Webhook Signing Key

In order to accept requests from Nightfall, a Webhook server must use a signing key to verify requests.

To access or generate your Webhook signing key, start by logging in to the Nightfall .

Select the Developer Platform > Manage API Keys using the navigation bar on the left side of the page. You will see the Webhook signing section:

Unlike the API Key, it is possible to reveal the signature via the "eye" icon furtherest to the left of the three icons displayed.

You may copy the current value to your clipboard with the "copy" icon in the center of the three icons displayed.

You may also regenerate the key with the circular arrow icon furthest to the right.

Scanning Features

Nightfall offers many useful features beyond its detectors, including:

The ability to use and to narrow the scope of matches.

The ability to create in a way that is highly configurable so that sensitive data is appropriately obfuscated.

The ability to create that determine how leaks of sensitive information should be mitigated (i.e. through alerts sent to email or Slack).

Scanning Images for patterns using Custom Regex Detectors

Using regex to identify long patterns in images can be challenging because OCR systems. In such cases, even Nightfall may not achieve 100% character-by-character accuracy. To improve results, you must introduce higher levels of flexibility into your regex patterns to accommodate common OCR inconsistencies. Here are some typical OCR challenges to keep in mind:

Spell-check noise: Spell-checking tools can add artifacts like red underlines, which may interfere with text recognition.
Character ambiguity:
- The digit 0 may be misinterpreted as the letter O (or vice versa), depending on the font.
- The character l (lowercase L) may be read as the digit 1.
- The letter B may appear as the digit 8.
Underscore handling: An underscore (_) is sometimes interpreted as a space, particularly when spell-check artifacts are present.
Line wrapping: OCR may introduce unexpected newlines when text wraps across multiple lines.
Periods and punctuation: Spell-check artifacts or font issues may result in extraneous periods (.) or other punctuation being added to the output. En dash (–) and hyphens (-) may be interchanged.

For reference, OCR tools like Tesseract typically achieve 85-98% character accuracy for similar input, and our system operates within a similar range. Given this, tuning your regex to be more forgiving (e.g., allowing for optional characters or slight variations) can significantly improve detection rates.

Example Regex (original and loosened)

original: ATATT3xFfGF0[A-Za-z0-9=_\-]*[=A-Za-z0-9]{9}

loosened: ATATT[A-Za-z0-9_\-– @.\n=]*[A-Za-z0-9_\- @.\n]{7,11}

shortened the literal match prefix
excluded the the literal zero (0) from the prefix
added period (.) and newline () chars

PHI Detection Rules

Protected health information (PHI), also referred to as personal health information, describes a patient's medical history — including ailments, various treatments, and outcomes. PHI may include:

demographic information
test and laboratory results

Test Datasets

The following sample datasets can be used to test Nightfall's advanced AI-based detection capabilities.

This data has been fully de-identified and can be used to test any data loss prevention (DLP) platform.

Errors

While using Nightfall's Scan API, you may encounter some of the common errors outlined below. Try following the provided troubleshooting steps.

If problems persist, please contact Nightfall Support for further assistance.

HTTP Error Codes

The following error codes are returned as part of a standard HTTP response.

HTTP Error Code

Description

Troubleshooting

Nightfall Playground

The Nightfall Developer Playground (playground.nightfall.ai) is a sample app that you may use to test out API functionality before writing any code.

Our playground environment allows you to:

Test Detectors and Detection Rules. Here are some sample datasets.
Generate sample data for DLP testing.
Explore a sample app built on our APIs

Nightfall APIs

DLP APIs - Firewall for AI Platform

Firewall for AI DLP APIs enables developers to write custom code to sanitize data anywhere–RAG data sets, analytics data stores, data pipelines, and unsupported SaaS applications.

DLP APIs - Native SaaS Apps

The native SaaS app APIs can be utilized by customers using Nightfall’s SaaS apps, supported natively, to fetch violations, search violations by app meta-data attributes, and fetch findings within violations. These DLP APIs do not provide access to violations for apps scanned via the developer platform. These APIs require you to create an API key as outlined in the Getting Started with the Developer Platform section. However, to use these APIs, you need not create any detectors, detection rules, and policies in the developer platform.

If you are using Nightfall SaaS apps, you can use APIs to fetch violations, search through the violations, and fetch specific findings within the Violations. To scan data in any custom apps or cloud infrastructure services like AWS S3, you must use the APIs in the DLP APIs - Firewall for AI Platform section.

Policy Scope Update APIs

Exfiltration Prevention APIs

You can use the exfiltration APIs to search exfiltration events, fetch exfiltration events and also event details. Additionally, you can also view details of the user (actor) whose actions triggered an event, and details of the asset that triggered an event.

Posture Management APIs

You can use the posture management APIs to search posture events, fetch posture events and also event details. Additionally, you can also view details of the user (actor) whose actions triggered an event, and details of the asset that triggered an event.

SaaS App and Device Management APIs

APIs to monitor and manager integrations

Common Use Cases

Here are real-world scenarios where the Nightfall MCP server delivers immediate value:

Security Investigations

Example: "Show me all active high-risk violations from GitHub in the last week"

The AI automatically uses search_violations with appropriate filters and returns results in seconds. You can then ask follow-up questions like "Which repository has the most violations?" or "Show me the sensitive data found in violation abc-123" without manually constructing queries.

Query Examples

These examples demonstrate the flexibility of natural language queries. You don't need to memorize syntax - just describe what you need.

Basic Searches

"Show me today's violations"

Support & Resources

Getting Help

If you encounter issues not covered in this guide:

Email Support:

Nightfall Software Development Kit (SDK)

Overview

Leverage our software development kits (SDKs) to enable easier, faster, and more stable engagement with the Nightfall APIs. Nightfall has a growing library of language specific SDKs including for:

Language Specific Guides

Overview

Nightfall provides you the flexibility to easily integrate into applications using programming languages. The supported languages are as follows.

Python
Ruby

Tutorials

Nightfall Use Cases

Overview

This section consists of use case tutorials for various scenarios of Firewall for AI. The tutorials explained in this section are as follows.

LangChain Prompt Sanitization
Deploy a File Scanner for Sensitive Data in 40 Lines of Code

FAQs

What Can I do with the Firewall for AI

Firewall for AI is a powerful API that acts as a middleware layer or client wrapper to protect your AI models from consuming sensitive data. By integrating Firewall for AI into your application via API calls, you can proactively prevent data leaks and maintain compliance without disrupting your existing workflows or model updates.

How quickly can I get started with Firewall for AI?

You can start scanning for sensitive data in just a few minutes. Our developer-friendly API and comprehensive documentation make it easy to integrate Firewall for AI into your application. Follow our Quickstart guide at for step-by-step instructions on setting up the API, configuring detectors, and making your first API call.

What types of data can I scan with API?

Firewall for AI provides a flexible and extensible API that allows you to scan a wide variety of data types, including plain text, structured and unstructured files, and even images. Our API can handle data in various formats such as JSON, XML, CSV, and more. Visit our detector glossary at docs.nightfall.ai/docs/detector-glossary to explore the comprehensive list of supported data types and file formats

What types of detectors are supported out of the box?

Firewall for AI offers a rich set of pre-built detectors that can identify many different types of sensitive data, including personally identifiable information (PII), payment card industry data (PCI), protected health information (PHI), secrets, and credentials. These detectors are powered by advanced machine learning models and can be easily integrated into your application with just a few lines of code. Refer to our detector glossary at docs.nightfall.ai/docs/detector-glossary for a complete list of available detectors.

Can I customize or bring my own detectors?

Absolutely! In addition to the pre-built detectors, Firewall for AI allows you to create custom detectors tailored to your specific requirements. You can either fine-tune one of our pre-configured detection rules or build your own detector from scratch using our intuitive API. Nightfall supports many traditional detector types such as regular expressions, exact data matching, and word list/dictionaries. Check out our dedicated guide on creating custom detectors for more information.

What is the pricing model?

We offer a free tier that allows you to sign up and start using Firewall for AI with zero upfront costs or commitments. This tier provides a generous data scanning capacity and access to all the core features.

We offer enterprise pricing plans for advanced requirements such as higher data volumes, custom rate limits, and dedicated support.

Contact our team at [email protected] or via the contact form on our website to discuss your specific needs and get a tailored pricing quote.

How do I know my data is secure?

At Nightfall, data security and privacy are our top priorities. We have implemented stringent security measures to protect your sensitive data at every stage of the scanning process. All data transmitted to our API is encrypted in transit using industry-standard protocols. We adhere to best practices for secure coding, undergo regular security audits, and maintain compliance with relevant security standards. Visit our security and compliance page at nightfall.ai/security for more details on our commitment to data protection.

How do I get in touch with you?

Don't hesitate to get in touch with us directly via email at or through the c on our website.

We host on Wednesdays at 12 pm PT to help answer questions, talk through any ideas, and chat about data security. We would love to see you there!

Can I test out the detection and my own detection rules before writing any code?

Yes, you can test out the detection engine, including 70+ pre-built detectors without writing any code or having to sign up in our Playground.

How does Nightfall support custom data types?

In two ways:

Nightfall’s out of the box detectors can be modified with context rules and exclusion rules.
Nightfall also supports inputting custom regular expressions or word lists (i.e. dictionaries) as detectors in the RE2 standard as documented here.

Contact Us

Schedule a Demo

You can schedule a demo or a meeting with our sales/solutions engineering team directly via Calendly here. If you don't see a suitable time, please email us at [email protected].

Email Us

For support inquiries, please email us at .

For sales inquiries, please email us at .

Best Practices - Security Investigation Workflows

The following workflows represent best practices for common security tasks. These step-by-step patterns guide you through effective multi-tool investigations.

Workflow 1: Incident Investigation

Purpose: Conduct an end-to-end security incident investigation

Steps:

Identify the scope: Search for related events using search_violations, search_exfiltration_events, or search_posture_events with your search criteria
Gather details: For each relevant result, use get_violation, get_exfiltration_event, or get_posture_event to get full context including affected assets, actors, and risk levels
Review findings: For violations, use get_violation_findings to see exactly what sensitive data was detected
Check activity timeline: Use the appropriate activity tools to understand what remediation has already been attempted
Assess user behavior: If an actor is identified, use get_actor_activity to check their recent activity across all event types
Summarize and recommend: Provide a structured incident summary with scope, affected assets, actors involved, risk assessment, and specific remediation actions

Example Conversation:

"Investigate the incident involving repository finance-api"
"Show me the findings for violation abc-123"
"What has user [email protected] been doing recently?"

Workflow 2: Violation Triage

Purpose: Prioritize and triage active DLP violations for remediation

Steps:

Fetch active violations: Use search_violations with query state:ACTIVE sorted by RISK_DESC to get highest-risk violations first
Categorize by severity: Group violations by risk_label (CRITICAL, HIGH, MEDIUM, LOW) and integration

Example Conversation:

"Triage all active violations, prioritize by risk"
"Show me details for the top 5 high-risk violations"
"What are the findings for these violations?"

Workflow 3: Compliance Reporting

Purpose: Generate security compliance summary across time periods

Steps:

Gather violation statistics: Use list_violations with createdAfter timestamp for your reporting period
Gather exfiltration statistics: Use list_exfiltration_events with the same time range

Example Conversation:

"Generate a compliance report for the last 90 days"
"Break down violations by integration and severity"
"Show me the top 10 incidents with details"

Workflow 4: User Risk Assessment

Purpose: Assess security risk profile for a specific user

Steps:

Find violations: Use search_violations with query user_email:[email] to find all DLP violations
Find exfiltration events: Use search_exfiltration_events with query actor_email:[email]

Example Conversation:

"Assess the risk profile for user [email protected]"
"Show me all violations and events involving this user"
"What patterns emerge from their behavior?"

Workflow 5: Guided Remediation

Purpose: Execute remediation actions on specific violations

Steps:

Review violation details: Use get_violation to understand context and available actions
Check findings: Use get_violation_findings to see what data is at risk
Verify appropriate action: Confirm the remediation action matches the violation severity and context

Example Conversation:

"Show me details for violation xyz-789"
"What are the available remediation actions?"
"Resolve this violation and document the action"

Multi-Step Tool Chaining

"Search for GitHub violations, get details on the top 3, and show me the sensitive findings"
"Find all violations by [email protected], check her recent activity, and assess her risk profile"
"List exfiltration events from last week, get details on any involving bulk downloads, and summarize the risk"

Multi-Tool Investigation Patterns

The most effective investigations use multiple tools in sequence. Follow these patterns:

Basic Investigation Pattern:

Search → Get Details → Analyze → Recommend

Deep Investigation Pattern:

Search → Get Details → Get Findings → Check Activity → Assess Actor → Recommend

Remediation Pattern:

Search → Get Details → Verify Context → Take Action → Confirm

When asking complex questions, the AI will automatically chain tools in the optimal order. You can also explicitly request multi-step workflows: "Search for high-risk violations, review the top 5, and create a remediation plan."

Effective Communication with AI

Be specific about time ranges: "last 7 days" is clearer than "recently"
Use exact usernames or email addresses when investigating specific actors
Ask follow-up questions to drill deeper: "Show me the findings" after reviewing a violation

Security

Store API keys in secure credential managers, never in code or configuration files committed to version control
Rotate API keys quarterly or immediately if compromise is suspected
Use dedicated API keys for each integration rather than sharing across systems

Effective Communication with AI

Be specific about time ranges: "last 7 days" is clearer than "recently"
Use exact usernames or email addresses when investigating specific actors
Ask follow-up questions to drill deeper: "Show me the findings" after reviewing a violation

Workflow Integration

Set up dedicated Slack/Teams channels for security alerts and use MCP to investigate directly from your collaboration tool
Create saved prompts for common investigations to maintain consistency across your security team
Document investigation procedures that leverage MCP for faster onboarding of new analysts

Supported File Types

The file scan API has first-class support for text extraction and scanning on all MIME types enumerated below.

Certain file types receive special handling, such as tabular data and archives of Git repositories, that results in more precise information about the location of findings within the source file.

Handling of MIME Types Not Listed

Files with a MIME type not listed below are processed using an unoptimized text extractor. As a result, the quality of the text extraction for unrecognized types may vary.

Accepted Text and Derivatives

application/json
application/x-ndjson
application/x-php
text/calendar

Accepted Office Formats

application/pdf
application/vnd.openxmlformats-officedocument.presentationml.presentation
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet (treated as )

Accepted Archive and Compressed File Types

application/bzip2
application/ear
application/gzip
application/jar

Accepted Image File Types

image/apng
image/avif
image/gif
image/jpeg

Rejected MIME Types

The file scan API explicitly rejects requests with MIME types that are not conducive to extracting or scanning text. Sample rejected MIME types include:

application/photoshop
audio/midi
audio/wav
video/mp4

Spreadsheets and Tabular Data

File scans of Microsoft Office, Apache parquet, csv, and tab separated files will provide additional properties to locate findings within the document beyond the standard byteRange, codepointRange, and lineRange properties.

Findings will contain a columnRange and a rowRange that will allow you to identify the specific row and column within the tabular data wherein the finding is present.

This functionality is applicable to the following mime types:

text/csv
text/tab-separated-values
text/tsv
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet

data files are also accepted.

Below is a sample match of a spreadsheet containing dummy PII where a SSN was detected in the 2nd column and 55th row.

Redacting CSV Files

Findings within csv files may be redacted.

To enable redaction in files, set the enableFileRedaction flag of your policy to "true"

The csv file will be redacted based on the configuration of the defaultRedactionConfig of the policy

Below is an example curl request for a csv file that has already been .

When results are sent to the location specified in the alertConfig (in this case an email address) a redactedFile property will be set with a fileURL in addition the findingsURL

This redacted file will be a modified version of the original csv file.

Below is an example of a redacted csv file.

Git Repositories

Nightfall provides special handling for archives of Git repositories.

Nightfall will scan the repository history to discover findings in particular checkin, returning the hash for the checkin.

In order to scan the repository, you will need to create a clone, i.e.

git clone https://github.com/nightfallai/nightfall-go-sdk.git

This creates a clone of the Nightfall go SDK.

You will then need to create an archive that can be uploaded using Nightfall's file scanning sequence.

zip -r directory.zip directory

Note that in order to work, the hidden directory .github must be included in the archive.

When you initiate the with this file, you will receive scan results that contain the commitHash property filled in.

Using the Nightfall go SDK archive created above, a simple example would be to scan for URLs (i.e. strings starting with http:// or https://), which will send results such as the following:

Support for Large Repositories

Currently, processing is limited to repositories with a total number of commits lower than 5000.

Large repositories result in a large volume of data sent at once. We are working on changes to allow these and other large surges of data to be processed in a more controlled manner, and will increase the limit or remove it altogether once those changes are complete.

Sensitive Data in GitHub Repositories

If the finding in a GitHub repository is considered to be sensitive, it should be considered compromised and appropriate mitigation steps (i.e. secrets should be rotated).

To retrieve the specific checkout, you will need to clone the repository, i.e.

git clone https://github.com/nightfallai/nightfall-go-sdk.git

You can then checkout the specific commit using the commit hash returned by Nightfall.

Note that you are in a when workin with this sort of check out of a repository.

File Scanning Limitations

CSV Files: Only the first 250,000 rows will be scanned.
Spreadsheet Files: Up to 100,000 rows per sheet will be scanned, with a maximum of 1 million rows across all tabs in multi-sheet spreadsheets.
PDF Files: Scanning is limited to the first 100 pages, including a maximum of 50 images within those pages.

Using Policies to Send Alerts

Policies allow customers to create templates for their most common workflows such as sending alerts when detection rules are triggered.

These policies may be created manually through the dashboard or may be defined programmatically.

When defining an a Policy inline, in addition to specifying the Detection Rules (either by referencing the UUID of an existing Detection Rule or defining a Detection Rule and its Detectors inline), you must define an alertConfig which will determine where findings are sent.

The alertConfig can be either:

an email address
a Slack channel
a webhook url
a url to a SIEM host as well authentication and other headers

Below is a simple example of a payload with a policy that will send alerts to an email address that you would use with our endpoint for .

You will receive the following response:

Note that you may also use a pre-defined policy defined under Developer Platform > Overview > Policies by copying the Policy UUID and sending a request as shown below.

policy vs. policyUUIDs vs. config

The policy object supersedes the config object. The use of config objects will still continue to be supported, but its use should be considered deprecated. If you specify

The following payload will be sent to the given email address with the subject "🚨 Findings Detected by Nightfall! 🚨" as an attachment with the name nightfall-findings.json:

This attachment has the same content as the response payload to the initial request.

Note that the sender address will be [email protected]

This email address will not respond to messages sent to it.

Using Webhooks with Policies

Policies also allow you to send findings to a callback designated URL using the url property of the alertConfig object.

This mechanism allows you to programmatically consume findings and the data sent will contain sensitive information as well as additional metadata like the location of the findings in the payload. For this reason the URL must be an HTTPS URL and the service backing it be implemented to properly respond with your and act as a

Below is what Webhook URL should like in your policy's alertConfig in a payload sent to our endpoint used for scanning plain text.

Using Slack Channels With Policies

Another option supported by Policies is sending finding data to a designated Slack channel.

This feature requires that you have configured the .

Below is a sample payload for scanning plain text.

Below is an example as to how the violation will appear in Slack.

See the section on Slack in the overview on for more details.

Sending Alerts to SIEMs and other HTTP Event Collectors

SIEM (pronounced “sim”) is a combination of security information management (SIM) and security event management systems. SIEM technology collects event log data for analysis in order to provide visibility into network activity.

It is possible to send findings from a policy to a SIEM service such as LogRhythm, SumoLogic, or Splunk using the siem alertConfig.

This configuration will require a URL to a collector that uses an HTTPS endpoint.

Note that the URL for the siem alertConfig must:

use the HTTPS scheme
be able to accept requests made with the POST verb
respond with a 200 status code upon receipt of the event

See the documentation for your SIEM service for how to set up this URL.

Unlike the url alertConfig option, the siem alertConfig does not require that the endpoint for the service implement a custom challenge response. Events sent to the siem alertConfig endpoint contain a subset of what is sent to the url alertConfig. Furthermore the findings are sent in a redacted form similar to Slack or email alerts.

In addition to the URL, you may provide headers such as those that are used for authorization.

The headers in the SIEM alertConfig are divided into sensitiveHeaders and plainTextHeaders header mappings.

The sensitiveHeaders field is specifically for header values like authentication. Nightfall ensures that these header values are always hidden in our service. They are never logged or saved in analytic events.

You can use plainTextHeaders for all other type of information you would like passed along with Nightfall alerts to you HTTP endpoint. Nightfall assumes that the values stored plainTextHeaders do not contain any sensitive information so we do not take any action to hide or protect these values.

Below is an example of a payload using a siem alertConfig.

Other Policy Features

Using Redaction Within a Policy

A policy may be configured with default redaction rules as a defaultRedactionConfig that will affect the content of the redactedPayload field of the content that is sent to the alert locations specified in the policy alertConfig. Note that this redaction does not affect the findings themselves.

These redaction rules will be applied to Detection Rules that do not have a specified redaction configuration.

The redactionConfig specified must be one and only one of the four available redaction types:

maskConfig
infoTypeSubstitutionConfig
substitutionConfig
cryptoConfig

For more information on Redactions see:

Below is a simple example of a payload for using a policy set up to use a defaultRedactionConfig

Using Context Bytes Within a Policy

In additional to a defaultRedactionConfig it is possible to set the number of bytes to include as before and after a given finding as the contextBytes. This context can provide meaning to how the finding appears within the text to allow human readers to better understand the meaning of the finding. The maximum value for contextBytes is 40.

Deploy a File Scanner for Sensitive Data in 40 Lines of Code

The service ingests a local file, scans it for sensitive data with Nightfall, and displays the results in a simple table UI.

We'll deploy the server on Render (a PaaS Heroku alternative) so that you can serve your application publicly in production instead of running it off your local machine. You'll build familiarity with the following tools and frameworks: Python, Flask, Nightfall, Ngrok, Jinja, Render.

Key Concepts

Before we get started on our implementation, start by familiarizing yourself with how scanning files works with Nightfall, so you're acquainted with the flow we are implementing.

In a nutshell, file scanning is done asynchronously by Nightfall; after you upload a file to Nightfall and trigger the scan, we perform the scan in the background. When the scan completes, Nightfall delivers the results to you by making a request to your webhook server. This asynchronous behavior allows Nightfall to scan files of varying sizes and complexities without requiring you to hold open a long synchronous request, or continuously poll for updates. The impact of this pattern is that you need a webhook endpoint that can receive inbound notifications from Nightfall when scans are completed - that's what we are building in this tutorial.

Getting Started

You can fork the sample repo and view the complete code , or follow along below. If you're starting from scratch, create a new GitHub repository.

Setting Up Dependencies

First, let's start by installing our dependencies. We'll be using Nightfall for data classification, the web framework in Python, and as our web server. Create requirements.txt and add the following to the file:

Then run pip install -r requirements.txt to do the installation.

Configuring Detection with Nightfall

Next, we'll need our Nightfall API Key and Webhook Signing Secret; the former authenticates us to the Nightfall API, while the latter authenticates that incoming webhooks are originating from Nightfall. You can retrieve your API Key and Webhook Signing Secret from the Nightfall . Complete the Nightfall Quickstart for a more detailed walk-through. for a free Nightfall account if you don't have one.

These values are unique to your account and should be kept safe. This means that we will store them as environment variables and should not store them directly in code or commit them into version control. If these values are ever leaked, be sure to visit the Nightfall Dashboard to re-generate new values for these secrets.

Setting Up Our Server

Let's start writing our Flask server. Create a file called app.py. We'll start by importing our dependencies and initializing the Flask and Nightfall clients:

Next, we'll add our first route, which will display "Hello World" when the client navigates to /ping simply as a way to validate things are working:

Run gunicorn app:app on the command line to fire up your server, and navigate to your local server in your web browser. You'll see where the web browser is hosted in the Gunicorn logs, typically it will be 127.0.0.1:8000 aka localhost:8000.

To expose our local webhook server via a public tunnel that Nightfall can send requests to, we'll use ngrok. Download and install ngrok via their quickstart documentation . We'll create an ngrok tunnel as follows:

After running this command, ngrok will create a tunnel on the public internet that redirects traffic from their site to your local machine. Copy the HTTPS tunnel endpoint that ngrok has created: we can use this as the webhook URL when we trigger a file scan.

Let's set this HTTPS endpoint as a local environment variable so we can reference it later:

Tip: With a Pro ngrok account, you can create a subdomain so that your tunnel URL is consistent, instead of randomly generated each time you start the tunnel.

Handling an Inbound Webhook

Before you send a file scan request to Nightfall, let's add logic for our incoming webhook endpoint, so that when Nightfall finishes scanning a file, it can successfully send the sensitive findings to us.

First, what does it mean to have findings? If a file has findings, this means that Nightfall identified sensitive data in the file that matched the detection rules you configured. For example, if you told Nightfall to look for credit card numbers, any substring from the request payload that matched our credit card detector would constitute sensitive findings.

We'll host our incoming webhook at /ingest with a POST method.

Nightfall will POST to the webhook endpoint, and in the inbound payload, Nightfall will indicate if there are sensitive findings in the file, and provide a link where we can access the sensitive findings as JSON.

Restart your server so the changes propagate. We'll take a look at the console output of our webhook endpoint and explain what it means in the next section.

Scan a File

Now, we want to trigger a file scan request, so that Nightfall will scan the file and send a POST request to our /ingest webhook endpoint when the scan is complete. We'll write a simple script that sends a file to Nightfall to scan it for . Create a new file called scan.py.

First, we'll establish our dependencies, initialize the Nightfall client, and specify the filepath to the file we wish to scan as well as the webhook endpoint we created above. The filepath is a relative path to any file, in this case we are scanning the sample-pci-xs.csv file which is in the same directory as scan.py. This is a sample CSV file with 10 credit card numbers in it - you can download it in the tutorial's GitHub .

Next, we will initiate the scan request to Nightfall, by specifying our filepath, webhook URL where the scan results should be posted, and our Detection Rule that specifies what sensitive data we are looking for.

In this simple example, we have specified an inline Detection Rule that detects Likely Credit Card Numbers. This Detection Rule is a simple starting point that just scratches the surface of the types of detection you can build with Nightfall. Learn more about building inline detection rules here or how to configure them in the Nightfall .

The scan_id is useful for identifying your scan results later.

View Sensitive Findings

Let's run scan.py to trigger our file scan job.

Once Nightfall has finished scanning the file, we'll see our Flask server receive the request at our webhook endpoint (/ingest). In our code above, we parse the webhook payload, and print the following when there are sensitive findings:

In our output, we are printing two URLs.

The first URL is provided to us by Nightfall. It is the temporary signed S3 URL that we can access to fetch the sensitive findings that Nightfall detected.

The second URL won't work yet, we'll implement it next. This URL a we constructed in our ingest() method above - the URL calls /view and passes the Findings URL above as a URL-escaped query parameter.

Let's add a method to our Flask server that opens this URL and displays the findings in a formatted table so that the results are easier to view than downloading them as JSON.

We'll do this by adding a view method that responds to GET requests to the /view route. The /view route will read the URL to the S3 Findings URL via a query parameter. It will then open the findings URL, parse it as JSON, pass the results to an HTML template, and display the results in a simple HTML table using . Jinja is a simple templating engine in Python.

Add the following to our Flask server in app.py:

Create the Table View

To display the findings in an HTML table, we'll create a new Flask template. Create a folder in your project directory called templates and add a new file within it called view.html.

Our template uses Jinja to iterate through our findings, and create a table row for each sensitive finding.

Now, if we restart our Flask server, trigger a file scan request, and navigate to the "View" URL printed in the server logs, we should see a formatted table with our results! In fact, we can input any Nightfall-provided signed S3 URL (after URL-escaping it) in the findings_url parameter of the /view route to view it.

Deploy on Render

As a longtime Heroku user, I was initially inclined to write this tutorial with instructions to deploy our app on Heroku. However, new PaaS vendors have been emerging and I was curious to try them out and see how they compare to Heroku. One such vendor is Render, which is where we'll deploy our app.

Deploying our service on Render is straightforward. If you're familiar with Heroku, the process is quite similar. Once you've signed up or logged into Render (free), we'll do the following:

Create a new Web Service on Render, and permit Render to access your new repo.
Use the following values during creation:

Environment: Python
Build Command: pip install -r requirements.txt
Start Command: gunicorn app:app

Let's also set our environment variables during creation. These are the same values we set locally.

Scan a file (in production)

Once Render has finished deploying, you'll get the base URL of your application. Set this as your NIGHTFALL_SERVER_URL locally and re-run scan.py - this time, the file scan request is served by your production Flask server running on Render!

To confirm this, navigate to the Logs tab in your Render app console, you'll see the webhook's output of your file scan results:

Navigate to the View link above in your browser to verify that you can see the results formatted in a table on your production site.

Congrats, you've successfully created a file scanning server and deployed it in production! You're now ready to build more advanced business logic around your file scanner. Here are some ideas on how to extend this tutorial:

Use WebSockets to send a notification back from the webhook to the client that initiated the file scan request
Build a more advanced detection rule using pre-built or custom detectors
Add a user interface to add more interactive capabilities, for example allowing users to upload files or read files from URLs

Building Endpoint DLP to Detect PII on Your Machine in Real-Time

Endpoint data loss prevention (DLP) discovers, classifies, and protects sensitive data - like PII, credit card numbers, and secrets - that proliferates onto endpoint devices, like your computer or EC2 machines. This is a way to help keep data safe, so that you can detect and stop occurrences of data exfiltration. Our endpoint DLP application will be composed of two core services that will run locally. The first service will monitor for file system events using the Watchdog package in Python. When a file system event is triggered, such as when a file is created or modified, the service will send the file to Nightfall to be scanned for sensitive data. The second service is a webhook server that will receive scan results from Nightfall, parse the sensitive findings, and write them to a CSV file as output. You'll build familiarity with the following tools and frameworks:

Python
Flask
Nightfall
Ngrok
Watchdog

Key Concepts

Before we get started on our implementation, start by familiarizing yourself with with Nightfall, so you're acquainted with the flow we are implementing.

In a nutshell, file scanning is done asynchronously by Nightfall; after you upload a file to Nightfall and trigger the scan, we perform the scan in the background. When the scan completes, Nightfall delivers the results to you by requesting your webhook server. This asynchronous behavior allows Nightfall to scan files of varying sizes and complexities without requiring you to hold open a long synchronous request, or continuously poll for updates. The impact of this pattern is that you need a webhook endpoint that can receive inbound notifications from Nightfall when scans are completed - that's one of the two services we are building in this tutorial.

Getting Started

You can fork the sample repo and view the complete code , or follow along below. If you're starting from scratch, create a new GitHub repository. This tutorial was developed on a Mac and assumes that's the endpoint operating system you're running, however, this tutorial should work across operating systems with minor modifications. For example, you may wish to extend this tutorial by running endpoint DLP on an EC2 machine to monitor your production systems.

Setting Up Dependencies

First, let's start by installing our dependencies. We'll be using Nightfall for data classification, the web framework in Python, for monitoring file system events, and as our web server. Create requirements.txt and add the following to the file:

Then run pip install -r requirements.txt to do the installation.

Configuring Detection with Nightfall

Monitoring File System Events

Watchdog is a Python module that watches for file system events. Create a file called scanner.py. We'll start by importing our dependencies and setting up a basic event handler. This event handler responds to file change events for file paths that match a given set of regular expressions (regexes). In this case, the .* indicates we are matching on any file path - we'll customize this a bit later. When a file system event is triggered, we'll print a line to the console.

Run python scanner.py and you'll notice lots of lines getting printed to the console. These are all the files that are getting created and changed on your machine in real-time. You'll notice that your operating system and the apps you're running are constantly writing, modifying, and deleting files on disk!

Next, we'll update our event handler so that instead of simply printing to the console, we are sending the file to Nightfall to be scanned. We will initiate the scan request to Nightfall, by specifying the file path of the changed/created file, a webhook URL where the scan results should be sent, and our Detection Rule that specifies what sensitive data we are looking for. If the file scan is initiated successfully, we'll print the corresponding Upload ID that Nightfall provides us to the console. This ID will be useful later when identifying scan results.

Here's our complete scanner.py, explained further below:

We can't run this just yet, since we need to set our webhook URL, which is currently reading from an environment variable that we haven't set yet. We'll create our webhook server and set the webhook URL in the next set of steps.

In this example, we have specified an inline Detection Rule that detects Likely Credit Card Numbers, Social Security Numbers, and API Keys. This Detection Rule is a simple starting point that just scratches the surface of the types of detection you can build with Nightfall. Learn more about building inline detection rules here or how to configure them in the Nightfall .

Also note that we've updated our regex from .* to a set of file paths on Macs that commonly contain user generated files - the Desktop, Documents, and Downloads folders:

You can customize these regexes to whatever file paths are of interest to you. Another option is to write a catch-all regex that ignores/excludes paths to config and temp files:

Setting Up Webhook Server

Next, we'll set up our Flask webhook server, so we can receive file scanning results from Nightfall. Create a file called app.py. We'll start by importing our dependencies and initializing the Flask and Nightfall clients:

Next, we'll add our first route, which will display "Hello World" when the client navigates to /ping simply as a way to validate things are working:

In a second command line window, run gunicorn app:app on the command line to fire up your server, and navigate to your local server in your web browser. You'll see where the web browser is hosted in the Gunicorn logs, typically it will be 127.0.0.1:8000 aka localhost:8000.

Let's set this HTTPS endpoint as a local environment variable so we can reference it later:

With a Pro ngrok account, you can create a subdomain so that your tunnel URL is consistent, instead of randomly generated each time you start the tunnel.

Handling Inbound Webhooks

Before we send a file scan request to Nightfall, let's implement our incoming webhook endpoint, so that when Nightfall finishes scanning a file, it can successfully send the sensitive findings to us.

We'll host our incoming webhook at /ingest with a POST method.

We'll validate the inbound webhook from Nightfall, retrieve the JSON findings from the link provided, and write the findings to a CSV file. First, let's initialize our CSV file where we will write results, and add our /ingest POST method.

You'll notice that when there are sensitive findings, we call the output_results() method. Let's write that next. In output_results(), we are going to parse the findings and write them as rows into our CSV file.

Restart your server so the changes propagate. We'll take a look at the console and CSV output of our webhook endpoint in the next section.

Scan Changed Files in Real-Time

In our previous command line window, we can now turn our attention back to scanner.py. We now have our webhook URL so let's set it here as well and run our scanner.

To trigger a file scan event, download the following . Assuming it automatically downloads to your Downloads folder, this should immediately trigger a file change event and you'll see console log output! If not, you can also download the file with curl into a location that matches your event handler's regex we set earlier.

You'll see the following console output from scanner.py:

And the following console output from our webhook server:

And the following sensitive findings written to results.csv:

Each row in the output CSV will correspond to a sensitive finding. Each row will have the following fields, which you can customize in app.py: the upload ID provided by Nightfall, an incrementing index, timestamp, characters before the sensitive finding (for context), the sensitive finding itself, characters after the sensitive finding (for context), the confidence level of the detection, the byte range location (character indicies) of the sensitive finding in its parent file, and the corresponding detection rules that flagged the sensitive finding.

Note that you may also see events for system files like .DS_Store or errors corresponding to failed attempts to scan temporary versions of files. This is because doing things like downloading a file can trigger multiple file modification events. As an extension to this tutorial, you could consider filtering those out further, though they shouldn't impact our ability to scan files of interest.

If we leave these services running, we'll continue to monitor files for sensitive data and appending to our results CSV when sensitive findings are discovered!

Running Endpoint DLP in the Background

We can run both of our services in the background nohup so that we don't need to leave two command line tabs open indefinitely. We'll pipe console output to log files so that we can always reference the application's output or determine if the services crashed for any reason.

This will return the corresponding process IDs - we can always check on these later with the ps command.

Next Steps

This post is simply of a proof of concept version of endpoint DLP. Building a production-grade endpoint DLP application will have additional complexity and functionality. However, the detection engine is one of the biggest components of an endpoint DLP system, and this example should give you a sense of how easy it is to integrate with Nightfall's APIs and the power of Nightfall's detection engine.

Here are few ideas on how you can extend upon this service further:

Run the scanner on EC2 machines to scan your production machines in real-time
Respond to more system events like I/O of USB drives and external ports
Implement remediation actions like end-user notifications or file deletion

Search posture events

get

Fetch a list of posture events based on some filters

Authorizations

AuthorizationstringRequired

Bearer authentication header of the form Bearer <token>.

Query parameters

createdAfterintegerOptional

Unix timestamp in seconds, filters records created ≥ the value, defaults to -180 days UTC

createdBeforeintegerOptional

Unix timestamp in seconds, filters records created < the value, defaults to end of the current day UTC

updatedAfterintegerOptional

Unix timestamp in seconds, filters records updated > the value

limitinteger · max: 100Optional

The maximum number of records to be returned in the response

Default: 50

pageTokenstringOptional

Cursor for getting the next page of results

sortstring · enumOptional

Sort key and direction, defaults to descending order by creation time

Default: TIME_DESCPossible values:

querystringRequired

The query containing filter clauses

Search query language

Query structure and terminology

A query clause consists of a field followed by an operator followed by a value:

term	value
clause	user_email:"[email protected]"
field	user_email
operator	:
value	[email protected]

You can combine multiple query clauses in a search by separating them with a space.

Field types, substring matching, and numeric comparators

Every search field supports exact matching with a :. Certain fields such as user_email and user_name support substring matching.

Quotes

You may use quotation marks around string values. Quotation marks are required in case the value contains spaces. For example:

user_mail:[email protected]
user_name:"John Doe"

Special Characters

+ - && || ! ( ) { } [ ] ^ " ~ * ? : are special characters need to be escaped using \. For example:

a value like (1+1):2 should be searched for using \(1\+1)\:2

Search Syntax

The following table lists the syntax that you can use to construct a query.

SYNTAX	USAGE	DESCRIPTION	EXAMPLES
`:`	field:value	Exact match operator (case insensitive)	`state:"pending"` returns records where the currency is exactly `"PENDING"` in a case-insensitive comparison
(space)	field1:value1 field2:value2	The query returns only records that match both clauses	`state:active slack.channel_name:general`
`OR`	field:(value1 OR value2)	The query returns records that match either of the values (case insensitive)	`state:(active OR pending)`

Query Fields

param	description
event_id	the unique identifier of the posture event to filter on
integration_name	the name of the integration to filter on
state	the state of the event to filter on (active, pending, resolved, expired)
event_type	the type of posture event to filter on
actor_name	the name of the actor who performed the action to filter on
actor_email	the email of the actor who performed the action to filter on
user_name	the username of the user to filter on (backward compatibility)
user_email	the email of the user to filter on (backward compatibility)
notes	the comment or notes associated with the event to filter on
policy_id	the unique identifier of the policy to filter on
policy_name	the name of the policy to filter on
resource_id	the identifier of the resource to filter on
resource_name	the name of the resource to filter on
resource_owner_name	the name of the resource owner to filter on
resource_owner_email	the email of the resource owner to filter on
resource_content_type	the content type of the resource to filter on
endpoint.device_id	the device identifier for endpoint events to filter on
endpoint.machine_name	the machine name for endpoint events to filter on
gdrive.permission	the permission setting for Google Drive files to filter on
gdrive.shared_internal_email	the internal emails with which the file is shared to filter on
gdrive.shared_external_email	the external emails with which the file is shared to filter on
gdrive.drive	the Google Drive name to filter on
gdrive.file_owner	the owner of the Google Drive file to filter on
gdrive.label_name	the label name applied to Google Drive files to filter on
salesforce.report.scope	the scope of the Salesforce report to filter on
salesforce.report.event_source	the event source of the Salesforce report to filter on
salesforce.report.source_ip	the source IP address of the Salesforce report to filter on
salesforce.report.session_level	the session level of the Salesforce report to filter on
salesforce.report.operation	the operation type of the Salesforce report to filter on
salesforce.report.description	the description of the Salesforce report to filter on
salesforce.file.source_ip	the source IP address for Salesforce file events to filter on
salesforce.file.session_level	the session level for Salesforce file events to filter on

Responses

200

Successful response

application/json

400

Invalid request parameters

application/json

401

Authentication failure

application/json

429

Rate Limit Exceeded or Daily Quota Exceeded

application/json

500

Internal Nightfall Error

application/json

get

/events/search

Query parameters

createdAfterintegerOptional

Unix timestamp in seconds, filters records created ≥ the value, defaults to -180 days UTC

createdBeforeintegerOptional

Unix timestamp in seconds, filters records created < the value, defaults to end of the current day UTC

updatedAfterintegerOptional

Unix timestamp in seconds, filters records updated > the value

limitinteger · max: 100Optional

The maximum number of records to be returned in the response

Default: 50

pageTokenstringOptional

Cursor for getting the next page of results

sortstring · enumOptional

Sort key and direction, defaults to descending order by creation time

Default: TIME_DESCPossible values:

querystringRequired

The query containing filter clauses

Search query language

Query structure and terminology

A query clause consists of a field followed by an operator followed by a value:

term	value
clause	user_email:"[email protected]"
field	user_email
operator	:
value	[email protected]

You can combine multiple query clauses in a search by separating them with a space.

Field types, substring matching, and numeric comparators

Every search field supports exact matching with a :. Certain fields such as user_email and user_name support substring matching.

Quotes

You may use quotation marks around string values. Quotation marks are required in case the value contains spaces. For example:

user_mail:[email protected]
user_name:"John Doe"

Special Characters

+ - && || ! ( ) { } [ ] ^ " ~ * ? : are special characters need to be escaped using \. For example:

a value like (1+1):2 should be searched for using \(1\+1)\:2

Search Syntax

The following table lists the syntax that you can use to construct a query.

SYNTAX	USAGE	DESCRIPTION	EXAMPLES
`:`	field:value	Exact match operator (case insensitive)	`state:"pending"` returns records where the currency is exactly `"PENDING"` in a case-insensitive comparison
(space)	field1:value1 field2:value2	The query returns only records that match both clauses	`state:active slack.channel_name:general`
`OR`	field:(value1 OR value2)	The query returns records that match either of the values (case insensitive)	`state:(active OR pending)`

Query Fields

param	description
event_id	the unique identifier of the exfiltration event to filter on
integration_name	the name of the integration to filter on
state	the state of the event to filter on (active, pending, resolved, expired)
event_type	the type of exfiltration event to filter on
actor_name	the name of the actor who performed the action to filter on
actor_email	the email of the actor who performed the action to filter on
user_name	the username of the user to filter on (backward compatibility)
user_email	the email of the user to filter on (backward compatibility)
notes	the comment or notes associated with the event to filter on
policy_id	the unique identifier of the policy to filter on
policy_name	the name of the policy to filter on
resource_id	the identifier of the resource to filter on
resource_name	the name of the resource to filter on
resource_owner_name	the name of the resource owner to filter on
resource_owner_email	the email of the resource owner to filter on
resource_content_type	the content type of the resource to filter on
endpoint.device_id	the device identifier for endpoint events to filter on
endpoint.machine_name	the machine name for endpoint events to filter on
gdrive.permission	the permission setting for Google Drive files to filter on
gdrive.shared_internal_email	the internal emails with which the file is shared to filter on
gdrive.shared_external_email	the external emails with which the file is shared to filter on
gdrive.drive	the Google Drive name to filter on
gdrive.file_owner	the owner of the Google Drive file to filter on
gdrive.label_name	the label name applied to Google Drive files to filter on
salesforce.report.scope	the scope of the Salesforce report to filter on
salesforce.report.event_source	the event source of the Salesforce report to filter on
salesforce.report.source_ip	the source IP address of the Salesforce report to filter on
salesforce.report.session_level	the session level of the Salesforce report to filter on
salesforce.report.operation	the operation type of the Salesforce report to filter on
salesforce.report.description	the description of the Salesforce report to filter on
salesforce.file.source_ip	the source IP address for Salesforce file events to filter on
salesforce.file.session_level	the session level for Salesforce file events to filter on
last_actioned_by	the entity that performed the last action on the violation, can be one of NIGHTFALL, ADMIN or END_USER

Search violations

get

Fetch a list of violations based on some filters

Authorizations

AuthorizationstringRequired

Bearer authentication header of the form Bearer <token>.

Query parameters

createdAfterintegerOptional

Unix timestamp in seconds, filters records created ≥ the value, defaults to -90 days UTC

createdBeforeintegerOptional

Unix timestamp in seconds, filters records created < the value, defaults to end of the current day UTC

updatedAfterintegerOptional

Unix timestamp in seconds, filters records updated > the value

limitinteger · max: 100Optional

The maximum number of records to be returned in the response

Default: 50

pageTokenstringOptional

Cursor for getting the next page of results

sortstring · enumOptional

Sort key and direction, defaults to descending order by creation time

Default: TIME_DESCPossible values:

querystringRequired

The query containing filter clauses

Search query language

Query structure and terminology

A query clause consists of a field followed by an operator followed by a value:

term	value
clause	user_email:"[email protected]"
field	user_email
operator	:
value	[email protected]

You can combine multiple query clauses in a search by separating them with a space.

Field types, substring matching, and numeric comparators

Every search field supports exact matching with a :. Certain fields such as user_email and user_name support substring matching.

Quotes

You may use quotation marks around string values. Quotation marks are required in case the value contains spaces. For example:

user_mail:[email protected]
user_name:"John Doe"

Special Characters

+ - && || ! ( ) { } [ ] ^ " ~ * ? : are special characters need to be escaped using \. For example:

a value like (1+1):2 should be searched for using \(1\+1)\:2

Search Syntax

The following table lists the syntax that you can use to construct a query.

SYNTAX	USAGE	DESCRIPTION	EXAMPLES
`:`	field:value	Exact match operator (case insensitive)	`state:"pending"` returns records where the currency is exactly `"PENDING"` in a case-insensitive comparison
(space)	field1:value1 field2:value2	The query returns only records that match both clauses	`state:active slack.channel_name:general`
`OR`	field:(value1 OR value2)	The query returns records that match either of the values (case insensitive)	`state:(active OR pending)`

Query Fields

param	description
state	the violation states to filter on
user_email	the emails of users updating the resource resulting in the violation
user_name	the usernames of users updating the resource resulting in the violation
integration_name	the integration to filter on
confidence	one or more likelihoods/confidences
policy_id	one or more policy IDs
detection_rule_id	one or more detection rule IDs
detector_id	one or more detector IDs
risk_label	the risk label to filter on
risk_source	the risk determination source to filter on
slack.channel_name	the slack channel names to filter on
slack.channel_id	the slack channel IDs to filter on
slack.workspace	the slack workspaces to filter on
confluence.parent_page_name	the names of the parent pages in confluence to filter on
confluence.space_name	the names of the spaces in confluence to filter on
gdrive.drive	the drive names in gdrive to filter on
jira.project_name	the jira project names to filter on
jira.ticket_number	the jira ticket numbers to filter on
salesforce.org_name	the salesforce organization names to filter on
salesforce.object	the salesforce object names to filter on
salesforce.record_id	the salesforce record IDs to filter on
github.author_email	the github author emails to filter on
github.branch	the github branches to filter on
github.commit	the github commit ids to filter on
github.org	the github organizations to filter on
github.repository	the github repositories to filter on
github.repository_owner	the github repository owners to filter on
teams.team_name	the m365 teams team names to filter on
teams.channel_name	the m365 teams channels to filter on
teams.channel_type	the m365 teams channel types to filter on
teams.team_sensitivity	the m365 teams sensitivities to filter on
teams.sender	the m365 teams senders to filter on
teams.msg_importance	the m365 teams importance to filter on
teams.msg_attachment	the m365 teams attachment names to filter on
teams.chat_id	the m365 teams chat ID to filter on
teams.chat_type	the m365 teams chat type to filter on
teams.chat_topic	the m365 teams chat topic to filter on
teams.chat_participant	the m365 teams chat participant's display name to filter on
onedrive.drive_owner	drive owner's display name to filter on
onedrive.drive_owner_email	drive owner's email to filter on
onedrive.file_name	the file name to filter on
onedrive.created_by	the m365 user, who created the file in the drive, display name to filter on
onedrive.created_by_email	the m365 users, who created the file in the drive, email to filter on
onedrive.modified_by	the m365 users, who last modified the file in the drive, display name to filter on
onedrive.modified_by_email	the m365 users, who last modified the file in the drive, email to filter on
zendesk.ticket_status	the zendesk ticket status to filter on
zendesk.ticket_title	the zendesk ticket titles to filter on
zendesk.ticket_group_assignee	the zendesk ticket assignee groups to filter on
zendesk.current_user_role	the zendesk ticket current assignee user's roles to filter on
notion.created_by	the names of the users creating a resource in notion to filter on
notion.last_edited_by	the names of the users editing a resource in notion to filter on
notion.page_title	the page names in notion to filter on
notion.workspace_name	the workspace names in notion to filter on
gmail.user_name	the names of the sender to filter on
gmail.from	the email of sender to filter on
gmail.to	the email or name of recipients to filter on
gmail.cc	the email or name of cc to filter on
gmail.bcc	the email or name of bcc to filter on
gmail.thread_id	the thread id of email to filter on
gmail.subject	the subject of email to filter on
gmail.attachment_name	the name of attachment to filter on
gmail.attachment_type	the type of attachment to filter on
last_actioned_by	the entity that performed the last action on the violation, can be one of NIGHTFALL, ADMIN or END_USER

Responses

200

Successful response

application/json

400

Invalid request parameters

application/json

401

Authentication failure

application/json

429

Rate Limit Exceeded or Daily Quota Exceeded

application/json

500

Internal Nightfall Error

application/json

get

/violations/search

Developer APIs

Welcome to Developer APIs Documentation

Introduction to Developer APIs

Overview

hashtagScan APIs

hashtagWorkflow APIs

hashtagKey Features

hashtagCustomizable and Built-in Machine Learning-based Detectors

hashtagA Flexible Data Security Solution

hashtagUsing the API

hashtagWhere to Go From Here

Authentication and Security

Key Concepts

Entities and Terms to Know

hashtagDetectors

Setting Up Nightfall

Creating API Key

Creating Policies

hashtagConfiguring Webhook Alerts

Scanning Text

Scanning Files

Webhooks and Asynchronous Notifications

Accessing Your Webhook Signing Key

Scanning Features

Scanning Images for patterns using Custom Regex Detectors

PHI Detection Rules

Test Datasets

Errors

hashtagHTTP Error Codes

Nightfall Playground

Nightfall APIs

DLP APIs - Firewall for AI Platform

DLP APIs - Native SaaS Apps

Policy Scope Update APIs

Exfiltration Prevention APIs

Posture Management APIs

SaaS App and Device Management APIs

Common Use Cases

hashtagSecurity Investigations

Query Examples

hashtagBasic Searches

Support & Resources

hashtagGetting Help

Nightfall Software Development Kit (SDK)

Overview

Language Specific Guides

Overview

Tutorials

Nightfall Use Cases

Overview

FAQs

What Can I do with the Firewall for AI

How quickly can I get started with Firewall for AI?

What types of data can I scan with API?

What types of detectors are supported out of the box?

Can I customize or bring my own detectors?

What is the pricing model?

How do I know my data is secure?

How do I get in touch with you?

Can I test out the detection and my own detection rules before writing any code?

How does Nightfall support custom data types?

Contact Us

hashtagSchedule a Demo

hashtagEmail Us

Welcome to Developer APIs Documentation

Authentication and Security

Overview

hashtagScan APIs

hashtagWorkflow APIs

hashtagKey Features

hashtagCustomizable and Built-in Machine Learning-based Detectors

hashtagA Flexible Data Security Solution

hashtagUsing the API

hashtagWhere to Go From Here

Scanning Features

Can I customize or bring my own detectors?

Nightfall Playground

What types of data can I scan with API?

What types of detectors are supported out of the box?

How do I know my data is secure?

Scan APIs

Workflow APIs

Key Features

Customizable and Built-in Machine Learning-based Detectors

A Flexible Data Security Solution

Using the API

Where to Go From Here

Detectors

Configuring Webhook Alerts

HTTP Error Codes

Security Investigations

Basic Searches

Getting Help

Schedule a Demo

Email Us

Scan APIs

Workflow APIs

Key Features

Customizable and Built-in Machine Learning-based Detectors

A Flexible Data Security Solution

Using the API

Where to Go From Here

Getting Help

Additional Learning Resources

🚧Be Sure to Record the API Key's Value

Configuring Webhook Alerts

HTTP Error Codes

Schedule a Demo

Email Us

Detectors

Basic Searches

Security Investigations

Custom Detectors

Exclusion Rules

Context Rules

Returning Surrounding Context

Detection Rules

Confidence Levels

Policies

User-Specific Queries

Integration-Specific

Advanced Analysis

Remediation Actions

Insider Threat Response

Bulk Remediation

Compliance Reporting

Data Exfiltration Detection

Permission Audits

Overall Coverage

Explicit Labeling and Endpoint Validation for Popular Services

Key Detection Example