Nightfall Documentation
  • Data Detection and Response
  • Posture Management
  • Data Exfiltration Prevention
  • Data Encryption
  • Developer APIs
  • Data Classification and Discovery
  • Welcome to Developer APIs Documentation
  • Introduction to Developer APIs
    • Overview
    • Quickstart
    • Use Cases
    • Authentication and Security
  • Key Concepts
    • Entities and Terms to Know
    • Setting Up Nightfall
      • Creating API Key
      • Creating Detectors
      • Creating Detection Rules
      • Creating Policies
    • Alerting
    • Scanning Text
    • Scanning Files
      • Supported File Types
      • File Scanning and Webhooks
      • Uploading and Scanning API Calls
      • Special File Types
      • Specialized File Detectors
      • Webhooks and Asynchronous Notifications
        • Accessing Your Webhook Signing Key
        • Creating a Webhook Server
    • Scanning Features
      • Using Pre-Configured Detection Rules
        • Scanning Images for patterns using Custom Regex Detectors
      • Creating an Inline Detection Rule
      • Using Exclusion Rules
      • Using Context Rules
      • Using Redaction
      • Using Policies to Send Alerts
      • Detecting Secrets
      • PHI Detection Rules
    • Detector Glossary
    • Test Datasets
    • Errors
    • Nightfall Playground
  • Nightfall APIs
    • DLP APIs - Firewall for AI Platform
      • Rate Limits for Firewall APIs
    • DLP APIs - Native SaaS Apps
      • Policy User Scope Update API
      • Rate Limits for Native SaaS app APIs
  • Exfiltration Prevention APIs
    • Default
    • Models
  • Posture Management APIs
    • Default
    • Models
  • Nightfall Software Development Kit (SDK)
    • Overview
    • Java SDK
    • Python SDK
    • Go SDK
    • Node.JS SDK
  • Language Specific Guides
    • Overview
    • Python
    • Ruby
    • Java
  • Tutorials
    • GenAI Protection
      • OpenAI Prompt Sanitization Tutorial
      • Anthropic Prompt Sanitization Tutorial
      • LangChain Prompt Sanitization Tutorial
    • SaaS Protection
      • HubSpot DLP Tutorial
      • Zendesk DLP Tutorial
    • Observability Protection
      • Datadog DLP Tutorial
      • New Relic DLP Tutorial
    • Datastore Protection
      • Airtable DLP Tutorial
      • Amazon Kinesis DLP Tutorial
      • Amazon RDS DLP Tutorial
      • Amazon RDS DLP Tutorial - Full Scan
      • Amazon S3 DLP Tutorial
      • Elasticsearch DLP Tutorial
      • Snowflake DLP Tutorial
  • Nightfall Use Cases
    • Overview
    • GenAI Content Filtering-How to prevent exposure of sensitive data
    • Redacting Sensitive Data in 4 Lines of Code
    • Detecting Sensitive Data in SMS Automations
    • Building Endpoint DLP to Detect PII on Your Machine in Real-Time
    • Deploy a File Scanner for Sensitive Data in 40 Lines of Code
    • Using Scan API (with Python)
  • FAQs
    • What Can I do with the Firewall for AI
    • How quickly can I get started with Firewall for AI?
    • What types of data can I scan with API?
    • What types of detectors are supported out of the box?
    • Can I customize or bring my own detectors?
    • What is the pricing model?
    • How do I know my data is secure?
    • How do I get in touch with you?
    • Can I test out the detection and my own detection rules before writing any code?
    • How does Nightfall support custom data types?
    • How does Nightfall's Firewall for AI differs from other solutions?
  • Nightfall Playground
  • Login to Nightfall
  • Contact Us
Powered by GitBook
On this page

Was this helpful?

Export as PDF
  1. Exfiltration Prevention APIs

Default

PreviousExfiltration Prevention APIsNextModels

Was this helpful?

Search exfiltration events

get

Fetch a list of exfiltration events based on some filters

Authorizations
Query parameters
createdAfterintegerOptional

Unix timestamp in seconds, filters records created ≥ the value, defaults to -180 days UTC

createdBeforeintegerOptional

Unix timestamp in seconds, filters records created < the value, defaults to end of the current day UTC

updatedAfterintegerOptional

Unix timestamp in seconds, filters records updated > the value

limitinteger · max: 100Optional

The maximum number of records to be returned in the response

Default: 50
pageTokenstringOptional

Cursor for getting the next page of results

sortstring · enumOptional

Sort key and direction, defaults to descending order by creation time

Default: TIME_DESCPossible values:
querystringRequired

The query containing filter clauses

Search query language

Query structure and terminology

A query clause consists of a field followed by an operator followed by a value:

term value
clause user_email:"amy@rocketrides.io"
field user_email
operator :
value amy@rocketrides.io

You can combine multiple query clauses in a search by separating them with a space.

Field types, substring matching, and numeric comparators

Every search field supports exact matching with a :. Certain fields such as user_email and user_name support substring matching.

Quotes

You may use quotation marks around string values. Quotation marks are required in case the value contains spaces. For example:

  • user_mail:john@example.com
  • user_name:"John Doe"

Special Characters

+ - && || ! ( ) { } [ ] ^ " ~ * ? : are special characters need to be escaped using \. For example:

  • a value like (1+1):2 should be searched for using \(1\+1)\:2

Search Syntax

The following table lists the syntax that you can use to construct a query.

SYNTAX USAGE DESCRIPTION EXAMPLES
: field:value Exact match operator (case insensitive) state:"pending" returns records where the currency is exactly "PENDING" in a case-insensitive comparison
(space) field1:value1 field2:value2 The query returns only records that match both clauses state:active slack.channel_name:general
OR field:(value1 OR value2) The query returns records that match either of the values (case insensitive) state:(active OR pending)

Query Fields

param description
event_id the unique identifier of the exfiltration event to filter on
integration_name the name of the integration to filter on
state the state of the event to filter on (active, pending, resolved, expired)
event_type the type of exfiltration event to filter on
actor_name the name of the actor who performed the action to filter on
actor_email the email of the actor who performed the action to filter on
user_name the username of the user to filter on (backward compatibility)
user_email the email of the user to filter on (backward compatibility)
notes the comment or notes associated with the event to filter on
policy_id the unique identifier of the policy to filter on
policy_name the name of the policy to filter on
resource_id the identifier of the resource to filter on
resource_name the name of the resource to filter on
resource_owner_name the name of the resource owner to filter on
resource_owner_email the email of the resource owner to filter on
resource_content_type the content type of the resource to filter on
endpoint.device_id the device identifier for endpoint events to filter on
endpoint.machine_name the machine name for endpoint events to filter on
gdrive.permission the permission setting for Google Drive files to filter on
gdrive.shared_internal_email the internal emails with which the file is shared to filter on
gdrive.shared_external_email the external emails with which the file is shared to filter on
gdrive.drive the Google Drive name to filter on
gdrive.file_owner the owner of the Google Drive file to filter on
gdrive.label_name the label name applied to Google Drive files to filter on
salesforce.report.scope the scope of the Salesforce report to filter on
salesforce.report.event_source the event source of the Salesforce report to filter on
salesforce.report.source_ip the source IP address of the Salesforce report to filter on
salesforce.report.session_level the session level of the Salesforce report to filter on
salesforce.report.operation the operation type of the Salesforce report to filter on
salesforce.report.description the description of the Salesforce report to filter on
salesforce.file.source_ip the source IP address for Salesforce file events to filter on
salesforce.file.session_level the session level for Salesforce file events to filter on
Responses
200
Successful response
application/json
400
Invalid request parameters
application/json
401
Authentication failure
application/json
429
Rate Limit Exceeded or Daily Quota Exceeded
application/json
500
Internal Nightfall Error
application/json
get
GET /exfiltration/v1/events/search HTTP/1.1
Host: api.nightfall.ai
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

{
  "events": [
    {
      "id": "123e4567-e89b-12d3-a456-426614174000",
      "integration": "text",
      "createdAt": 1,
      "state": "text",
      "eventType": "text",
      "policyUUIDs": [
        "123e4567-e89b-12d3-a456-426614174000"
      ],
      "assetsCount": 1,
      "userInfo": {
        "username": "text",
        "userEmail": "name@gmail.com",
        "userProfileLink": "https://example.com",
        "deviceId": "text",
        "machineName": "text",
        "isExternal": true
      },
      "appInfo": {
        "id": "text",
        "name": "text"
      }
    }
  ],
  "nextPageToken": "text"
}

Fetch exfiltration events

get

Fetch a list of exfiltration events for a period

Authorizations
Query parameters
createdAfterintegerOptional

Unix timestamp in seconds, filters records created ≥ the value, defaults to -90 days UTC

createdBeforeintegerOptional

Unix timestamp in seconds, filters records created < the value, defaults to end of the current day UTC

updatedAfterintegerOptional

Unix timestamp in seconds, filters records updated > the value

limitinteger · max: 100Optional

The maximum number of records to be returned in the response

Default: 50
pageTokenstringOptional

Cursor for getting the next page of results

Responses
200
Successful response
application/json
400
Invalid request parameters
application/json
401
Authentication failure
application/json
429
Rate Limit Exceeded or Daily Quota Exceeded
application/json
500
Internal Nightfall Error
application/json
get
GET /exfiltration/v1/events HTTP/1.1
Host: api.nightfall.ai
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

{
  "events": [
    {
      "id": "123e4567-e89b-12d3-a456-426614174000",
      "integration": "text",
      "createdAt": 1,
      "state": "text",
      "eventType": "text",
      "policyUUIDs": [
        "123e4567-e89b-12d3-a456-426614174000"
      ],
      "assetsCount": 1,
      "userInfo": {
        "username": "text",
        "userEmail": "name@gmail.com",
        "userProfileLink": "https://example.com",
        "deviceId": "text",
        "machineName": "text",
        "isExternal": true
      },
      "appInfo": {
        "id": "text",
        "name": "text"
      }
    }
  ],
  "nextPageToken": "text"
}

Fetch exfiltration event details

get

Fetch an exfiltration event details by ID

Authorizations
Path parameters
eventIdstring · uuidRequired

The UUID of the event to fetch

Responses
200
Successful response
application/json
400
Invalid request parameters
application/json
401
Authentication failure
application/json
404
Event does not exist
application/json
429
Rate Limit Exceeded or Daily Quota Exceeded
application/json
500
Internal Nightfall Error
application/json
get
GET /exfiltration/v1/events/{eventId} HTTP/1.1
Host: api.nightfall.ai
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

{
  "assets": {
    "id": "text",
    "name": "text",
    "path": "text",
    "sizeBytes": 1,
    "mimetype": "text",
    "owner": {
      "id": "text",
      "email": "name@gmail.com",
      "comment": "text",
      "metadata": {
        "gdrive": {
          "userBelongsToGroups": [
            "text"
          ],
          "isAdmin": true,
          "isSuspended": true,
          "createdAt": 1
        },
        "salesforce": {},
        "endpointAgent": {
          "deviceID": "text",
          "machineName": "text"
        }
      }
    },
    "comment": "text",
    "ddrViolationIDs": [],
    "metadata": {
      "gdrive": {
        "fileID": "text",
        "fileName": "text",
        "fileSize": "text",
        "fileLink": "text",
        "permissionSetting": "text",
        "sharingExternalUsers": [
          "text"
        ],
        "sharingInternalUsers": [
          "text"
        ],
        "canViewersDownload": true,
        "fileOwner": "text",
        "isInTrash": true,
        "createdAt": 1,
        "updatedAt": 1,
        "drive": "text",
        "labels": [
          "text"
        ],
        "filePermissionType": "text"
      },
      "salesforce": {
        "resourceType": "text",
        "fileResourceMetadata": {
          "fileAction": "text",
          "sourceIP": "text",
          "sessionLevel": "text"
        },
        "reportResourceMetadata": {
          "description": "text",
          "displayEntityFields": [
            "text"
          ],
          "dashboardName": "text",
          "scope": "text",
          "operation": "text",
          "recordCount": 1,
          "queriedEntities": [
            "text"
          ],
          "groupedColumnHeaders": [
            "text"
          ],
          "columnCount": 1,
          "processedRowCount": 1,
          "sourceIP": "text",
          "eventSource": "text",
          "sessionLevel": "text"
        },
        "bulkApiResourceMetadata": {
          "query": "text",
          "eventIdentifier": "text",
          "sourceIP": "text",
          "sessionKey": "text",
          "sessionLevel": "text"
        }
      },
      "endpointAgent": {
        "medium": "EXFIL_MEDIUM_USB",
        "mediumName": "text",
        "user": "text"
      }
    }
  },
  "actor": {
    "id": "text",
    "email": "name@gmail.com",
    "comment": "text",
    "metadata": {
      "gdrive": {
        "userBelongsToGroups": [
          "text"
        ],
        "isAdmin": true,
        "isSuspended": true,
        "createdAt": 1
      },
      "salesforce": {},
      "endpointAgent": {
        "deviceID": "text",
        "machineName": "text"
      }
    }
  },
  "events": {
    "type": "DOWNLOAD",
    "timestamp": 1,
    "metadata": {
      "endpointAgent": {
        "endpointBrowserUploadMetadata": {
          "browserName": "text",
          "browserVersion": "text",
          "domain": "text",
          "browserTabURL": "text",
          "browserTabTitle": "text",
          "uploadStartTime": 1,
          "uploadEndTime": 1,
          "fileName": "text",
          "originMetadata": [
            {
              "timestamp": 1,
              "browserDownloadMetadata": {
                "browserName": "text",
                "browserVersion": "text",
                "domain": "text",
                "browserTabURL": "text",
                "browserTabTitle": "text",
                "downloadStartTime": 1,
                "downloadEndTime": 1
              },
              "clipboardCopyMetadata": {
                "contentType": "CCT_TEXT",
                "browserMetadata": {
                  "browserName": "text",
                  "browserVersion": "text",
                  "domain": "text",
                  "browserTabURL": "text",
                  "browserTabTitle": "text"
                }
              }
            }
          ]
        },
        "endpointCloudSyncMetadata": {
          "app": "text",
          "accountType": "text",
          "accountName": "text",
          "email": "text",
          "destinationFilePath": "text",
          "uploadStartTime": 1,
          "uploadEndTime": 1,
          "fileName": "text"
        },
        "endpointClipboardMetadata": {
          "contentType": "text",
          "originMetadata": [
            {
              "timestamp": 1,
              "browserDownloadMetadata": {
                "browserName": "text",
                "browserVersion": "text",
                "domain": "text",
                "browserTabURL": "text",
                "browserTabTitle": "text",
                "downloadStartTime": 1,
                "downloadEndTime": 1
              },
              "clipboardCopyMetadata": {
                "contentType": "CCT_TEXT",
                "browserMetadata": {
                  "browserName": "text",
                  "browserVersion": "text",
                  "domain": "text",
                  "browserTabURL": "text",
                  "browserTabTitle": "text"
                }
              }
            }
          ],
          "destinationMetadata": {
            "browserMetadata": {
              "browserName": "text",
              "browserVersion": "text",
              "domain": "text",
              "browserTabURL": "text",
              "browserTabTitle": "text"
            }
          }
        }
      },
      "gdrive": {
        "originatingAppId": "text",
        "originatingAppName": "text",
        "isClientSyncEvent": true
      },
      "salesforce": {
        "sourceIP": "text",
        "sessionLevel": "text",
        "sessionKey": "text",
        "sfUserId": "text"
      }
    },
    "assetIDs": []
  }
}

Fetch asset activity

get

Fetch the activity history for a specific asset

Authorizations
Query parameters
assetIDstringRequired

The ID of the asset to fetch activities for

rangeStartintegerRequired

Unix timestamp in seconds, filters activities created ≥ the value

rangeEndintegerRequired

Unix timestamp in seconds, filters activities created < the value

pageTokenstringOptional

Cursor for getting the next page of results

Responses
200
Successful response
application/json
400
Invalid request parameters
application/json
401
Authentication failure
application/json
429
Rate Limit Exceeded or Daily Quota Exceeded
application/json
500
Internal Nightfall Error
application/json
get
GET /exfiltration/v1/asset/activity HTTP/1.1
Host: api.nightfall.ai
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

{
  "activities": [
    {
      "type": "DOWNLOAD",
      "userEmail": "name@gmail.com",
      "eventTime": 1,
      "assetNames": [
        "text"
      ],
      "metadata": {
        "downloadEventMetadata": {
          "source": "text",
          "fileName": "text"
        },
        "browserUploadMetadata": {
          "domain": "text",
          "fileName": "text"
        },
        "cloudSyncMetadata": {
          "cloudApp": "text",
          "fileName": "text"
        },
        "clipboardMetadata": {
          "browserMetadata": {
            "domain": "text"
          }
        }
      }
    }
  ],
  "nextPageToken": "text"
}

Fetch actor activity

get

Fetch the activity history for a specific actor

Authorizations
Query parameters
actorIDstringRequired

The Nightfall ID of the actor to fetch activities for

rangeStartintegerRequired

Unix timestamp in seconds, filters activities created ≥ the value

rangeEndintegerRequired

Unix timestamp in seconds, filters activities created < the value

pageTokenstringOptional

Cursor for getting the next page of results

Responses
200
Successful response
application/json
400
Invalid request parameters
application/json
401
Authentication failure
application/json
429
Rate Limit Exceeded or Daily Quota Exceeded
application/json
500
Internal Nightfall Error
application/json
get
GET /exfiltration/v1/actor/activity HTTP/1.1
Host: api.nightfall.ai
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

{
  "activities": [
    {
      "type": "DOWNLOAD",
      "userEmail": "name@gmail.com",
      "eventTime": 1,
      "assetNames": [
        "text"
      ],
      "metadata": {
        "downloadEventMetadata": {
          "source": "text",
          "fileName": "text"
        },
        "browserUploadMetadata": {
          "domain": "text",
          "fileName": "text"
        },
        "cloudSyncMetadata": {
          "cloudApp": "text",
          "fileName": "text"
        },
        "clipboardMetadata": {
          "browserMetadata": {
            "domain": "text"
          }
        }
      }
    }
  ],
  "nextPageToken": "text"
}
  • GETSearch exfiltration events
  • GETFetch exfiltration events
  • GETFetch exfiltration event details
  • GETFetch asset activity
  • GETFetch actor activity