Filter Nightfall Events based on parameters.
You can filter Events based on several parameters, to view violations that occurred:
During specific time periods. You can filter based on pre-set time ranges of last 7 days, 30 days, 90 days and 180 days,
Integration - the application that is being monitored by Nightfall.
Detector - the detector that you selected as part of your policies to monitor.
Likelihood - the confidence level of the detection by Nightfall.
Status - the current current status of the violation
User - the user associated to the violation
To filter violations,
Select a Filter.
Select an Option. You can select one or many options.
Click Apply. The filtered list of violations displays.
Note: Nightfall offers additional monitoring capabilities to meet various monitoring needs. You can learn more about using email, Slack and other monitoring options using our supported alerts destinations including alerting to http endpoints using webhook alerts.
Learn more about the search operators provided by Nightfall, to filter Events.
This document describes all the operators provided by Nightfall to perform search operations on the Events page. You can use these operators to search for specific Events.
Nightfall provides you with two types of operators which are described in the following sections.
Operator Name | Description |
---|
This operator allows you to filter violations using the Confluence page's parent page name in which the Event was discovered.
This operator allows you to filter Events using Confluence's space name in which the Event was discovered.
This operator allows you to filter Events using the Email ID of the GitHub user who triggered the Event.
This operator allows you to filter Events using the name of the GitHub branch in which the Event was triggered.
This operator allows you to filter Events using the GitHub commit ID in which the Event was discovered.
This operator allows you to filter Events using the GitHub organization name in which the Event was discovered.
This operator allows you to filter Events using the GitHub repository name in which the Event was discovered.
This operator allows you to filter Events using the name of the GitHub repository owner in which the Event was discovered.
This operator allows you to filter Events using the name of the JIRA project in which the Event was discovered.
This operator allows you to filter Events using the ticket number of the JIRA in which the Event was discovered.
This operator allows you to filter Events using the name of the user who created the notion page in which the Event was discovered.
This operator allows you to filter Events using the name of the user who last edited the notion page in which the Event was discovered.
This operator allows you to filter Events using the title of the page in which the Event was discovered.
This operator allows you to filter Events using the name of the Notion workspace in which the Event was discovered.
This operator allows you to filter Events using the ID of the Slack channel in which the Event was discovered.
This operator allows you to filter vEvents using the name of the Slack channel in which the Event was discovered.
This operator allows you to filter Event using the name of the Slack Workspace in which the Event was discovered.
This operator allows you to filter Events using the name of the channel in which the Event was discovered.
This operator allows you to filter Events using the channel type name in which the Event was discovered.
This operator allows you to filter Events using the name of the sender who triggered the Event.
This operator allows you to filter Events using the name of the team in which the Event occured.
This operator allows you to filter Events using the name of the current user who triggered the Event.
This operator allows you to filter Events using the name of the group to which the Event ticket is assigned.
This operator allows you to filter Events using the Zendesk ticket status.
This operator allows you to filter Events using the name of the Ticket.
Learn more about various status of Nightfall Events.
The Status of an Event implies the current state of the Event. For instance, an Event whose status displays Notified, implies that the end-user whose actions caused the violation has been notified about their actions. They must now take appropriate actions.
When a new Event is created in Nightfall, the status is Active. The status of the violation gets modified by one of the following methods.
Automatically: If you have configured either Admin alerting, end-user alerting, or have allowed end-user remediation, the status of the violation changes automatically.
Manually: If you apply an action on a Violation manually either from the Violations page or from any other platform, the status of the violation changes accordingly.
The various Status available in Nightfall are listed as follows.
This status implies that the Event is newly created and no action (not even notification about the Event) is implemented.
This status implies that the Nightfall admin has viewed acknowledged the Event. A further action needs to be taken in future.
This status implies that the end-users have been notified about their actions that caused the Event.
This status implies that the sensitive data that triggered the Event, is redacted.
This status implies that the entity (file, email, and so on) that contains the sensitive data is quarantined from rest of the data.
This status implies that the access to the file or entity that contains sensitive data is no longer accessible to the internal users of the organization.
This status implies that the access to the file or entity that contains sensitive data is no longer accessible to the external users who are not part of your organization.
This status implies that the file's (that contains sensitive data) access permissions have been modified.
This status implies that the file or the entity that contained the sensitive data is deleted.
This status implies that the Nightfall admin has ignored the Event either because its false positive or because they wish to look into it in the later.
This status implies that the file that contains sensitive data has been disabled from downloading. This prevents any user from downloading the file.
This status implies that the file or the entity containing sensitive data is marked as private.
This status implies that the attachment that contains sensitive data has been deleted.
This status implies that a new JIRA ticket has been created to represent this Event.
This status implies that the sensitive data has been encrypted.
This status implies that the entity containing the sensitive data has been encrypted.
This status implies that a notification has been sent to the end-user requesting justification for their actions that caused the Event.
This status implies that the end-user has provided justification of their action(s) that triggered the Event.
This status implies that the access to the file containing sensitive data is now restricted only to the owner of the file.
This status implies that the file containing sensitive data is deleted.
This implies that the entity containing sensitive data is moved to recycle bin.
This status implies that the email has been quarantined. A Nightfall admin must visit the quarantine settings in Gmail and take an action accordingly. This status is applicable only to Gmail.
This status implies that the email was sent to the recipient after scanning. There were no actions taken on the email. This status is applicable only to Gmail.
These are the violations which have been notified to the end-users. However no action has been taken by the end-users or any other user.
This status implies that the sensitive data issue in the Event has been addressed and thus the Event is resolved.
This status implies that the Event has expired since no action has been taken even after the stipulated time period.
annotation_comment | This operator allows you to filter Events using the annotation comments. |
annotation_type |
confidence | This operator allows you to filter Events using the Confidence level which can either be Possible, likely, or Very Likely. |
detection_rule_id | This operator allows you to filter Events using the unique detection rule ID. |
detector_id | This operator allows you to filter Events using the unique detector ID. |
file_name | This operator allows you to filter Events using the name of the file that triggered the violated |
file_type | This operator allows you to filter Events using the type of file that triggered the violation. |
integration_name | This operator allows you to filter Events using the integration name. |
policy_id | This operator allows you to filter Events using the unique ID of the policy. |
policy_name | This operator allows you to filter Events using the name of the policy. |
post_context |
pre_context |
quote | This operator allows you to filter Events using the quote. |
user_email | This operator allows you to filter Events using the email ID. |
user_name | This operator allows you to filter Events using the name of the user who triggered the Event. |
violation_id | This operator allows you to filter Events using the unique ID of the Event. |
Learn how to apply actions on Nightfall Events.
When an Event is registered, a Nightfall admin can take suitable action on the registered Event. The action(s) performed on an Event ensures that the prevention of sensitive data leakage. Nightfall provides a set of actions that the Nightfall admin can implement. The actions vary for each integration. You can implement an action on an Event from the Event list view or Event detail view.
While Annotations are applied to individual Findings, Actions apply to the entire Event.
When a new Event is registered, by default, the Event is assigned the Active status and you can find it under the Active tab. The Pending tab displays the list of violations on which you have taken some action but have not yet resolved them. The Resolved tab displays the list of violations that have been resolved.
IMPORTANT
You must act on the active violations within 30 days. If you do not perform any action on an active violation within 30 days, the violation expires and moves to the Expired tab.
You can apply an action on a Violation either from the Violation list view page or the Violation details page, as displayed in the following image.
The actions menu in the detail view page displays the same list of actions as in the case of the ellipsis menu. Additionally, you can view a few more actions in the action menu which may not be present in the ellipsis menu.
The list of Actions provided by Nightfall are as follows.
The action copies the link to the Event. You can save or send this link to directly open the Event. This action is available only on the Event detail view.
This action opens the document from within the integration that contains sensitive data. This action is available only on the Event detail view.
This action downloads the file that contains sensitive data. If the file is deleted or moved to a different location within OneDrive, this action fails. This action is available only on the Event detail view.
This action moves the Event to the Ignored tab. For Google Drive, you can choose to Ignore multiple existing Events or future violations simultaneously. To learn more about the Ignore all feature in Google Drive, see Manage Google Drive Events (step 5).
Acknowledge action sends an email alert about the policy Event to the email account associated with your login.
This action allows you to notify end users about the Event. The notification can be via Slack, Email or MS Teams (varies for each integration)
This action allows you to select a JIRA project and create a ticket for this Event.
This action redacts the sensitive data found.
This action temporarily moves files or sensitive data from the original place in which it was discovered to a quarantined Nightfall space for further review. You can restore the quarantined items or permanently remove them by approving or rejecting them through Nightfall alerts.
This action modifies the link setting to anyone signed in to an account in your organization to use the link to your file.
This action applies to Google Drive integration and disables download, print, and copy actions for Commenter and Viewer roles. Editor roles will retain all actions.
This action deletes the attachment with sensitive tokens in a ticket comment (public replies and internal notes). You cannot revert this action.
This action modifies the permissions of a ticket comment from a public reply to an internal note. Converting to an internal note means the ticket comment will no longer be visible to the end user. This action is permanent.
This action removes the page from the web and/or removes guest access to the page. This action is active when it applies to the page at the time of the violation
This action is specific to the GitHub integration and sends a notification to GitHub about the violation.
This action marks the violation as resolved. You can revert this action.
The following table displays the list of all the Nightfall integrations and the Actions supported for each of these integrations.
Learn about the Events page in Nightfall
An Event is an incident that is triggered when a data leak is detected by Nightfall. The Data Sensitive Events page displays all the details about the data sensitive events recorded in Nightfall from all the integrations.
Before we proceed further, let's understand what exactly is a Finding and a Event.
Finding: A Finding refers to a single instance of a data leak incident detected during scanning.
Event: An Event is an incident of data leaks, and a collection of findings that were detected while scanning an entire document or data in your database.
When Nightfall scans data, a single Event can have multiple findings. For instance, consider that you upload a document to Google Drive. This document has 10 instances of secret information (10 API keys or 10 credit card numbers). These 10 instances are known as Findings. Since Nightfall scans the entire Google document at once, these 10 Findings are recorded as a single Event.
The sensitive data Event list view page consists of a table that displays the details of each Event. The contents consist of columns which are described as follows.
Column Name | Description |
---|---|
The Finding column displays the name of the detector whose condition was violated thus resulting in the generation of the Event. The Finding column displays a list of Events that originated from scanning a single file, a web page, or any other publicly available entity.
Each Event's name is the same as the Detector's name whose condition was violated. You can also view the Likelihood or confidence level (Possible, Likely, Very Likely) of an Event being an actual case of data leak and also the number of instances for each Likelihood. The Possible Likelihood Findings are displayed in blue color with a fully dotted blue circle. The Likely Finding is displayed in yellow color with a half-dotted and half-shaded yellow circle. The Very Likely Finding is displayed in red color with a red circle.
For instance, in the following image, a detector called Person name violated 28 times. Of these 28 instances of violations, 1 is Possible Event (in blue), 5 are Likely Events (in yellow), and 22 are Very Likely Events (in red).
The Event detail view consists of various sections. These sections are as follows.
Each field is highlighted and a number is associated with the highlighted field. Using the number, you can refer to the section that follows the image to learn more about the field associated with that number.
1 - Name of the Event
2 - Current Status of the Event. For more information on Event status, refer to the Event Status document.
3 - The nature (Credit card in the above image) and number of Findings (1 in the above image) in the Event.
4 - The name of the document in which the sensitive data was found (TEst Automation Action.Docx in the above image). If there are multiple documents that contain sensitive data, each document is listed here. However, in this case only one document contained sensitive data.
5 - The actual sensitive data found in the document (4242-4242-4242-4242 in the above image). The sensitive data is highlighted in yellow which indicates the Likelihood is Likely. Findings whose Likelihood are Very Likely are highlighted in red and Findings with Likelihood of Possible are highlighted in blue. For more information on Likelihood, see #working-on-eventsdocument.
6 - Number of Findings in the selected document. In the above case there is only one finding and it has a Likelihood is Possible.
The contents of this section vary for each integration. You can view the complete list of fields available in the second section after you click the Expand Details button.
The following section contains tabs for each integration. Each tab represents an integration and contains an image of the second section followed by the description of each fields.
The second section of the OneDrive detail view is as shown in the following image. The section after the image describes each field.
The various fields in the above section are as follows.
Actions Taken - The latest action taken on the Event. If no action is taken yet, this field is empty.
When - The time period when the Event was registered.
Integration Name - The Nightfall integration in which the Event was registered (OneDrive in this case).
User - The user whose actions triggered the Event.
Violated Policy - The name(s) of the policy/policies that was violated and as a result of which the Event was triggered.
Detection rule - The name(s) of the detection rule(s) within the policy that was violated.
Last modified by - The name of the user who was the last person to act on the Event.
Last modified time - The date and time when the Event was last modified.
File name - The name of the file that contains sensitive data.
OneDrive ID - The ID of the OneDrive that contains the file holding sensitive data. This field is only available for OneDrive Events.
OneDrive Owner - The name of the user who owns the OneDrive containing file(s) with sensitive data. This field is only available for OneDrive Events.
Size - The size of the file that contains sensitive data.
The second section of the Google Drive detail view is as shown in the following image. The section after the image describes each field.
The various fields in the above section are as follows.
Actions Taken - The latest action taken on the Event. If no action is taken yet, this field is empty.
When - The time period when the Event was registered.
Integration Name - The Nightfall integration in which the Event was registered (Google Drive in this case).
User - The user whose actions triggered the Event.
Violated Policy - The name(s) of the policy/policies that was violated and as a result of which the Event was triggered.
Detection rule - The name(s) of the detection rule(s) within the policy that was violated.
Type - The type of the document in which sensitive data exists.
Size - The size of the document in which sensitive data exists.
Link Permissions - The link permissions of the file in which the sensitive data exists.
Viewers can Download - This is a boolean field (Yes/No) which indicates whether users can download the file that contains sensitive data.
File Owner - The email ID of the user who owns the file that contains sensitive data.
In Trash - This is a boolean field (Yes/No) which indicates whether file that contains sensitive data is moved to trash or not.
Date Created - The date and time when the file containing sensitive data was created.
Date Last Modified - The date and time when the file containing sensitive data was last modified.
Shared Drive Name - The name of the shared drive in which the file containing sensitive data resides.
Shared With - Internal - The list of internal users with whom the file is shared.
Shared With - External - The list of internal users with whom the file is shared.
Last Edited By - The email ID of the user who last edited the file that contains sensitive data.
The second section of the JIRA detail view is as shown in the following image. The section after the image describes each field.
The various fields in the above section are as follows.
Actions Taken - The latest action taken on the Event. If no action is taken yet, this field is empty.
When - The time period when the Event was registered.
Integration Name - The Nightfall integration in which the Event was registered (JIRA in this case).
User - The user whose actions triggered the Event.
Violated Policy - The name of the policies that was violated and as a result of which the Event was triggered.
Detection rule - The name of the detection rule(s) within the policy that was violated.
Event Type - The type of the event.
Project Name - The name of the project that contains the ticket with sensitive data.
Project Type - The type of the project that contains the ticket with sensitive data.
Ticket Number - The ID of the ticket that contains the ticket with sensitive data.
Site - The URL of the JIRA site that contains the ticket with sensitive data.
The second section of the Confluence detail view is as shown in the following image. The section after the image describes each field.
The various fields in the above section are as follows.
Actions Taken - The latest action taken on the Event. If no action is taken yet, this field is empty.
When - The time period when the Event was registered.
Integration Name - The Nightfall integration in which the Event was registered (Confluence in this case).
User - The user whose actions triggered the Event.
Violated Policy - The name of the policies that was violated and as a result of which the Event was triggered.
Detection rule - The name of the detection rule(s) within the policy that was violated.
Item Name - The name of the Confluence entity that contains sensitive data.
Site - The link to the Confluence site that contains sensitive data.
Item Type - The type of the item that contains sensitive data.
Is Archived - This is a boolean field (Yes/No). It states if the Confluence entity containing sensitive data is archived or not.
Date Created - The date and time when the Confluence entity containing sensitive data, was created.
Date Last Modified - The date and time when the Confluence entity containing sensitive data, was last modified.
Labels - The Labels attached to the Confluence entity containing sensitive data, was last modified.
Space Name - The name of the Confluence space that contains sensitive data.
Author Name - The name of the user who created the Confluence entity containing sensitive data.
Author Email - The Email ID of the user who created the Confluence entity containing sensitive data.
The second section of the Confluence detail view is as shown in the following image. The image The section after the image describes each field.
The various fields in the above section are as follows.
Actions Taken - The latest action taken on the Event. If no action is taken yet, this field is empty.
When - The time period when the Event was registered.
Integration Name - The Nightfall integration in which the Event was registered (Salesforce in this case).
User - The user whose actions triggered the Event.
Violated Policy - The name of the policies that was violated and as a result of which the Event was triggered.
Detection rule - The name of the detection rule(s) within the policy that was violated.
Object Name - The name of the Salesforce Object that contains sensitive data.
Record - The unique Record ID of the row that contains sensitive data.
Content Type - The format of the file that contains sensitive data.
Event Type - The type of the event that resulted in sensitive data creation.
User - The name of the User who added sensitive data.
Organization ID - The Org ID of the Salesforce org that contains the sensitive data.
Organization Type - The nature of the Salesforce org (Production/Sandbox) that contains the sensitive data.
Organization Name - The name of the Salesforce org that contains the sensitive data.
Modified At - The date and time when the record containing sensitive data was last modified.
The second section of the Gmail detail view is as shown in the following image. The image The section after the image describes each field.
The various fields in the above section are as follows.
Actions Taken - The latest action taken on the Event. If no action is taken yet, this field is empty.
When - The time period when the Event was registered.
Integration Name - The Nightfall integration in which the Event was registered (Gmail in this case).
User - The user whose actions triggered the Event.
Violated Policy - The name of the policies that was violated and as a result of which the Event was triggered.
Detection rule - The name of the detection rule(s) within the policy that was violated.
Send Date - The date and time when the Email containing sensitive data was sent.
Subject - The Subject line of the Email that contains sensitive data.
From - The Email ID of the user who sent the Email that contains sensitive data.
To - The Email ID(s) of the recipient user who received the Email that contains sensitive data.
Cc - The Email ID(s) of the user(s) who were included in the CC field of the Email that contains sensitive data.
Bcc - The Email ID(s) of the user(s) who were included in the Bcc field of the Email that contains sensitive data.
Thread ID
The second section of the Zendesk detail view is as shown in the following image. The image The section after the image describes each field.
The various fields in the above section are as follows.
Actions Taken - The latest action taken on the Event. If no action is taken yet, this field is empty.
When - The time period when the Event was registered.
Integration Name - The Nightfall integration in which the Event was registered (Zendesk in this case).
User - The user whose actions triggered the Event.
Violated Policy - The name of the policies that was violated and as a result of which the Event was triggered.
Detection rule - The name of the detection rule(s) within the policy that was violated.
Ticket ID
Ticket Title
Date Created
Date Updated
User Role
Zendesk instance
Ticket Requestor
Group assignee
Agent Assignee
Event Type
Ticket Type
Ticket Priority
Ticket Status
Ticket Followera
The second section of the GitHub detail view is as shown in the following image. The image The section after the image describes each field.
The various fields in the above section are as follows.
Actions Taken - The latest action taken on the Event. If no action is taken yet, this field is empty.
When - The time period when the Event was registered.
Integration Name - The Nightfall integration in which the Event was registered (Confluence in this case).
User - The user whose actions triggered the Event.
Violated Policy - The name of the policies that was violated and as a result of which the Event was triggered.
Detection rule - The name of the detection rule(s) within the policy that was violated.
Commit Date - The date and time when the code containing sensitive information was committed.
Organization - The name of the GitHub organization that contains the code containing data.
Branch - The GitHub branch that contains the code which has sensitive data.
Repository - The GitHub Repository name that contains the code which has sensitive data.
Repository Type - The nature of the repository that contains the code which has sensitive data.
The second section of the Notion detail view is as shown in the following image. The section after the image describes each field.
The various fields in the above section are as follows.
Actions Taken - The latest action taken on the Event. If no action is taken yet, this field is empty.
When - The time period when the Event was registered.
Integration Name - The Nightfall integration in which the Event was registered (Confluence in this case).
User - The user whose actions triggered the Event.
Violated Policy - The name of the policies that was violated and as a result of which the Event was triggered.
Detection rule - The name of the detection rule(s) within the policy that was violated.
Workspace - The link to the Notion Workspace that contains sensitive data.
Page - The link to the Notion Page that contains sensitive data.
Page Created Date - The date and time when the Notion page containing sensitive data was created.
Last updated Date - The date and time when the Notion page containing sensitive data was last modified.
Created By - The name of the user who created the Notion page containing sensitive data.
Last Edited By - The name of the user who last edited the Notion page containing sensitive data.
Location - The location of the sensitive data.
Page ID - The unique ID of the Notion page containing sensitive data.
Shared Externally - This is a Boolean field (Yes/No) in dicating if the Notion page containing sensitive data is shared externally or not.
The second section of the MS Teams detail view is as shown in the following image. The section after the image describes each field.
The various fields in the above section are as follows.
Actions Taken - The latest action taken on the Event. If no action is taken yet, this field is empty.
When - The time period when the Event was registered.
Integration Name - The Nightfall integration in which the Event was registered (Confluence in this case).
User - The user whose actions triggered the Event.
Violated Policy - The name of the policies that was violated and as a result of which the Event was triggered.
Detection rule - The name of the detection rule(s) within the policy that was violated.
Team Name - The name of the team that contains sensitive data.
Team ID - The unique ID of the team that contains sensitive data.
Channel Name - The name of the Channel that contains sensitive data.
Channel Membership - The membership of the Channel that contains sensitive data.
Creation Time - The date and time when the channel containing sensitive data was created.
From - The Email ID of the user who sent the message containing sensitive data.
Message Priority -
Last Edit Time - The date and time when the message was last edited.
Chat Participants -
The second section of the Slack detail view is as shown in the following image. The section after the image describes each field.
The various fields in the above section are as follows.
Actions Taken - The latest action taken on the Event. If no action is taken yet, this field is empty.
When - The time period when the Event was registered.
Integration Name - The Nightfall integration in which the Event was registered (Confluence in this case).
User - The user whose actions triggered the Event.
Violated Policy - The name of the policies that was violated and as a result of which the Event was triggered.
Detection rule - The name of the detection rule(s) within the policy that was violated.
File Name - The name of the file that contains sensitive data.
File Type - The type of the file that contains sensitive data.
Location - The name of the channel that contains sensitive data.
Channel Type - The type of the channel that contains sensitive data.
Members - The number of members that are present in the Channel.
The third section contains Event logs and comments. These sections are highlighted in the following image.
Event logs - The event logs section contains a log of activities performed on the Event. By default, the first log activity recorded is the Event creation activity. The next set of activities generally provide information about Event notifications sent via various notification channels and actions taken on the Event.
Comments - The comments section allows you to enter comments on the Event. The maximum character limit for the comment is 300.
If a single scanned entity (file or web page) violates multiple detector rules, Nightfall displays the list of all the detectors that the finding has violated. Such Events are displayed with a detector name, followed by a +1 (if two detectors are violated), +2 (if three detectors are violated), and so on, on the Event List view.
In the following image, you can see that the Finding has violated a detector called Credit card number and also another detector. Hence a +1 is displayed.
In the above case, if the Finding violated three detectors, +2 is displayed. If the Finding violated 4 detectors, +3 is displayed.
To view the list of detectors violated and the Likelihood (Possible, Likely, and Very Likely) of each finding discovered in the file, click the Event. This opens the Event detail view. You can view the names of the violated detectors and the number of findings on the Event detail view.
In the following image, a single file Automated upload 1728418320 has violated three detectors. The detectors are Person name, Tom Cruise with Exclusions and Phone number. The Person name detector has been violated 22 times and hence there are 22 findings for this detector. You can view each of these 22 instances of findings by clicking the 22 Person name tab and scrolling down. The findings that are highlighted in Blue are Possible findings, findings highlighted in Red are Most Likely findings, and the findings highlighted in yellow are Likely findings. There is a Showing field which displays the number of Findings and the likelihood of each finding. In the following image, the Showing field displays 22 in red. It implies that all 22 findings have the Most Likely likelihood.
The Tom Cruise with Exclusions detector has 3 findings. You can view the Likelihood of each of the 3 findings. You can view the findings that violated this detection rule by clicking the 3 tom cruise with exclusions tab.
Similarly, you can click the 3 Phone Number to view the details of the findings that violated the Phone number detector.
As learned above, a Event can have multiple findings. If you find that any of the findings discovered by Nightfall is not an actual case of data leak, you can use the Annotate feature to annotate the specific finding as a false positive. Furthermore, you can also annotate those findings, which surely are a case of data leak, as true positives. Each finding has the annotate option.
To annotate a finding:
Hover the mouse on the finding that you wish to annotate.
Click the annotation icon.
Select one of the following annotation options.
Not a Credit card number: Select this option if you feel that the Credit card number discovered by Nightfall is not a credit card number but some other number. This marks the finding as a False positive.
Not a violation: Select this option if you feel the finding discovered by Nightfall is not a violation (an imaginary credit card number shared publicly as an example). This marks the finding as a False positive.
True Positive: Select this option if you feel that the finding discovered by Nightfall is an actual case of data leak. This marks the finding as True positive.
(Optional) Enter comments for annotation.
(Optional) Turn the Apply to all identical findings toggle switch to annotate all the similar findings. Click #bulk-annotate to learn more about this feature.
Click Apply.
In step 3, of the above task, you see three options for annotation. The name of the first option depends on the nature of the Finding. For instance, if the sensitive data found is a suspected API key, the option name changes to Not an API key. If it is a Personally Identifiable Information (PII), the option name changes to Not a Personally Identifiable Information, and so on.
When you annotate a finding as Not a credit card, Not an Address, and so on, or annotate a finding as Not a Violation, the Finding is displayed as False Positive on the Finding column. If you annotate a Finding as True Positive, it is displayed as True Positive on the Finding column.
In the following image, a Violation has 25 Very Likely Findings and 28 Possible Findings. We annotate a Very Likely Finding as True Positive and a Possible Finding as Not a Violation. You can see that the values are reflected accordingly. Findings annotated as True positive are displayed in green color and Findings annotated as False Positive are displayed in grey color.
The Finding column also reflects the latest data on each finding. You can view that Very Likely Findings has reduced to 24. This is because one of them is annotated as True Positive. Similarly, Likely findings have reduced to 27. This is because one of them is annotated as False Positive.
If you accidentally annotate a Finding or annotate a Finding incorrectly, Nightfall provides remediation measures too. For accidentally annotated Findings, you can revert the annotation to return to the original Likelihood (Possible, Likely, Very Likely). For incorrectly annotated findings, you can modify the annotation.
When the Apply to all identical findings toggle switch is enabled, the following events occur.
annotation is applied to all exact matches of the finding in all the existing Events.
annotation is applied to all exact matches of the findings in new Events.
Furthermore, the Nightfall AI Smart Auto-Ignore feature performs the following tasks.
Events whose 100% of findings are annotated as false positives are automatically ignored.
When auto-ignored, an entry is added to the Event activity log for visibility
Auto-ignored Events are updated to "Ignored" status and moved to the "Resolved" tab for visibility, analysts' review, or audit.
Undo Auto-Ignore
Undo is an action available on any Event that has been automatically ignored by Nightfall AI.
Taking the undo action reverts the status of the selected Event back to the pre-ignore state.
Undo Annotation and Disable Automatic Annotation
The annotation for a specific token/finding can be undone by reverting the annotation (no change from current behavior).
When edited the "apply to all..." flag can be disabled. When disabled, future instances of the exact finding will not be automatically annotated.
You can also find more details about the Event from the Event detail view. By default, only a few details are displayed on the Event detail view. You must click the Expand details button to view all the details of the Event. You can also view the chronological order of events (annotations applied, reverted, Event resolved, and so on) on the Event. The events start from the date on which the Event was created. You can also add comments on the Event.
You can also apply various actions on the Events. The actions menu displays a list of actions that you can perform on an Event.
To learn more about Event actions, you can view the Applying Actions on Events document.
When you wish to implement an action on multiple Events simultaneously, you can use the bulk action feature. To learn more about how to use this feature, refer to the Applying Bulk Actions on Events document.
Nightfall provides you with various filters to view Events specific to an integration, User, or Status. This ensures that you view data that is specific to your requirements. The various filters are described as follows.
This filter allows you to view historical data. You can choose to view data for the last 7, 30, 90, 120, or 180 days. You can also select a custom date range by entering the date in the MM/DD/YY format. When you apply a specific period, all the data on the Event management page is fetched from the selected period till the current date. For instance, assume that the current date is 1 December 2023. If you select the time filter as Last 7 days, the data is displayed from 25 Nov 2023 to 1 December 2023. Similarly, if you select the time filter as last 30 days, the data is displayed from November 2, 2023, to December 1, 2023. By default, this filter displays the data for the Last 7 days. You can click the Last 7 Days button to edit the date.
The miscellaneous filters allow you to apply filters on various Nightfall entities. The entities are described as follows.
This filter facilitates you to view Event data specific to a Detecter.
This filter facilitates you to view Event data specific to an Integration
This filter facilitates you to view Event data specific to the Likelihood of sensitive data being detected.
This filter facilitates you to view data specific to the status of Event
This filter facilitates you to view data specific to users who triggered Events.
To apply a filter:
Click the Filter button.
In the When drop-down menu select a filter.
Note: The Select an Option drop-down menu is activated once you select a filter. The options in the drop-down menu vary for each filter selected.
Select a filter value from the Select an Option drop-down menu. For some filters (like integration filter), you can select multiple values.
(Optional) Click Add Filter to add multiple filters.
(Optional) Repeat steps 2-3 to add multiple filters.
Click Apply.
You can add multiple filters. Nightfall allows you to add a maximum of five filters.
When you add multiple filters, logical AND operation is applied between the filters. As a result, only the data that matches all the applied filters is displayed.
To remove the miscellaneous filters, click the Reset button.
If an Event is reported multiple times, Nightfall updates the Event to the new instance, instead of creating new Events. However, it maintains a trail of the Events to ensure no reporting is lost.
Filtering duplicates reduces alerts. It also saves you the time spent on analyzing each finding.
Nightfall filters duplicate findings in multiple ways. New Events are not created when:
You remove a previously reported finding. The existing Event is updated. You can view the update in the Event metadata.
a duplicate of a finding previously reported is added. The existing Event is updated.
Note: Filtering duplicate Events is currently available for Jira and Confluence.
An Event is auto-resolved:
When you remove all reported findings.
When you delete a resource (ex. ticket, comment, or page).
Consider the case of JIRA integration. If Nightfall detects a data Event in either your JIRA ticket description or JIRA ticket comments an Event is created. This Event has a single finding which was detected in the JIRA ticket. You can view the history of this Event as highlighted in the following image.
Now, consider that you add more sensitive data in the ticket. When Nightfall scans the ticket again the following events occur
A new Event is created with a single finding. This finding refers to the new sensitive data detected during the second scan.
The previous Event record is updated. It now has two findings (even more than two if multiple findings are detected on the same ticket).
You can now find the duplicate ticket information in the ticket history section.
The search bar in Events allows you to search Events in two ways as described in the following sections.
You can search for Events using a keyword. The search returns all Events that contain all the keywords submitted.
For instance, searching for a Credit Card returns all Events that contain Credit AND Card in any of the indexed Event properties.
You can search for an exact phrase. Use double quotes around the phrase (ex."Credit Card Number").
Use the AND to search for Credit Card Number Events by John Doe (ex. "Credit Card Number" AND "John Doe")
Use the Not operator to exclude Events from your search query (ex."Credit Card Number" AND "John Doe" NOT Confluence)
Nightfall provides you with search operators to search for the exact Event required. A search operator is an entity that you can use as a filtering factor. For instance, Detector_name is an operator that you can use to view Events specific to a detector. Similarly, Confidence is an operator that you can use to filter Events based on confidence levels (Very Likely, Likely, Possible).
You can use an operator as shown in the following image.
You can see that when you search for Events with Likely Confidence, the search returns all the Events in which at least one instance of Likely Finding. Similarly, when you search for Possible Confidence, the search returns all the Events that have at least one instance of Possible finding.
Nightfall also displays the last five search terms for each user. These values are stored in the user's browser cache.
Nightfall provides two types of search operators.
General Search Operators: These operators are based on Nightfall entities. These can be confidence level, Nightfall actions, Event status, and so on. To view the complete list of general search operators, see #general-operators.
Integration Search Operators: These are the search operators based on specific integrations. These operators vary for each integration. To view the complete list of integration-based search operators, see #integration-operators.
You can use multiple operators to refine your search. When you use multiple operators, Nightfall applies the AND logic between the operators. So, if you wish to view all the active Events in the Zendesk integration, you can accomplish it as shown in the following image.
You can also use a single operator to filter multiple values. For instance, to view all the Events of Zendesk and Salesforce integrations, you can use the search as shown below.
Note
:
is used as an operator delimiter for search as so :
cannot be used as a search string. If you wish to search a text with :
colon in it, replace it with ?
or *
and submit the query, else the prefix to colon would be considered an operator.
While :
is a special character that is an operator seperator for search actions, there are other special characters that cannot be used directly in the search bar. The complete list of special characters that cannot be searched directly, are as follows.
So, if your policy name contains reserved characters like && {}, you cannot use these characters directly in the search bar. You must make some changes to your search query before using them. To search any of the above special characters, you must perform any one of the following tasks:
Use an escape character \ before the special character (this will work with all special characters but not with :
)
Replace the special character with the wildcard (*).
Replace the special character with a question mark (?).
Some of the examples are as follows.
To search the policy name Google Drive! Critical_Document
, you must use one of the following search terms.
To search the policy name H&&M,
you must use one of the following search terms.
To search the policy name Google !
, you must use one of the following search terms.
Nightfall allows you to share and download the Event data. The Share option creates a link to the current view with all the filters applied. When you click this link,the Events page opens with all the filters applied.
The Export option, creates a CSV file with all the event data. The CSV file is mailed to the logged in user's Email ID. The CSV file contains all the filters which were applied before initiating the download process. Click Export to CSV to start the export process.
Once you click the Export to CSV button, a pop up window comes up. Click Download and Send to Email.
You receive an Email from Nightfall with the subject line Nightfall - Report <Download date>. You must click the Download Report button in the email. The link to the report expires 7 days after you receive the email.
The CSV table contains the same columns as in case of the Event list view. The file looks as follows.
Learn how to apply bulk actions on Nightfall Events.
Nightfall allows you to perform actions on a large set of Events. The Violations page displays a maximum of 50 Events. With Bulk actions, you can choose to implement an action either on the 50 Events which are currently displayed on the screen or on all the Events including the 50 displayed on the Events page.
Important
You can apply bulk action on a set of Events, only if all the violations belong to a specific integration. Hence, you must use the filter on the integration screen to view only those violations which belong to a specific integration.
You cannot apply remediation actions on expired Events. Events expire automatically after 30 days.
For example, you can apply filter to display on Events reported by the Salesforce integration. Once you apply the filter to view only Salesforce integrations, you can then apply bulk action on all the Salesforce Events.
To use the Bulk actions feature:
Navigate to the Sensitive data Events page in Nightfall.
Apply an integration filter to view the list of Events which belong to a specific integration. You must select only a single integration. If you select multiple integrations, you cannot use the Bulk actions feature.
Select the Finding check box. The 50 violations displayed on the screen are selected.
(Optional) You can also choose to select all of the violations that belong to the filtered integration.
This operator allows you to filter Events using the type of annotation. Nightfall provides three types of annotations. To learn more about annotations, see
Integration name | Available Actions |
---|---|
Confluence
Ignore Acknowledge Notify Slack Notify Email Send to JIRA Redact Delete Resolve
Google Drive
Ignore Acknowledge Notify Slack Notify Email Send to JIRA Change Link Settings Disable Download Resolve
JIRA
Ignore Acknowledge Notify Slack Notify Email Send to JIRA Redact Delete Resolve
Slack
Ignore Notify Send to JIRA
Quarantine Redact Delete (Nightfall supports both, deletion of messages and attachments) Resolve
Salesforce
Ignore Acknowledge Send to JIRA Redact Delete Resolve
Zendesk
Ignore Acknowledge Send to JIRA Redact
Mark as Private
Delete Attachment
Notify Slack
Notify Email Resolve
ChatGPT
Ignore Resolve
GitHub
Send to JIRA Acknowledge Ignore Notify GitHub Notify Email Resolve
Notion
Send to JIRA Ignore Acknowledge Notify Slack Notify Email
Remove Access
Delete Attachment Redact Resolve
MS Teams
Ignore Acknowledge Notify Email
Notify Slack Notify Teams
Change Link Settings
Disable Download Resolve
OneDrive
Ignore Acknowledge Notify Email Notify Slack Notify Teams Delete File Move to Recycle Bin Restrict to Owner Resolve
Gmail
Ignore Acknowledge Notify Email Notify Slack Resolve
Finding
The finding displays the name of the Detector that was violated. As a result of this violation, an Event was created. A single Event entry can have multiple findings.
When
The time elapsed (either in hours, days, weeks, months) since the Event was recorded. You can arrange this in increasing or decreasing order.
Integration
The integration in which the Event was recorded.
Policy & Rule
The policy and rule names that were violated.
Risk
The risk score of the Event. When you hover on the risk score, you can view if the score was assigned automatically or calculated manually by Nightfall. For more information on Risk score, see #risk-scoring.
User
The user whose actions triggered the Event (finding).
Status
The current status of the Event. You can hover on the status to view the user who triggered the current status and the date and time when the current status was reached.
Ellipsis menu
A set of remediation actions that you can take on a Event. To view the list of actions supported in Nightfall, see Applying Actions on Events.