Customers using Nightfall’s natively supported SaaS apps can use the native SaaS app APIs to fetch violations, search violations by app metadata attributes, and fetch findings within violations. These DLP APIs do not provide access to violations for apps scanned via the developer platform. These APIs require you to create an API key as outlined in the . However, to use these APIs, you do not need to create any detectors, detection rules, or policies in the developer platform.
If you are using Nightfall SaaS apps, you can use APIs to fetch violations, search through the violations, and fetch specific findings within the violations. To scan data in any custom apps or cloud infrastructure services like AWS S3, you must use the APIs in the section.
To prevent misuse and ensure the stability of our platform, we enforce a rate limit on an API Key and endpoint basis, similar to the way many other APIs enforce rate limits.
When operating under our Free plan, accounts and their corresponding API Keys have a rate limit of 5 requests per second on average, with support for bursts of 15 requests per second. If you upgrade to a paid plan – the Enterprise plan – this rate increases to a limit of 10 requests per second on average and bursts of 50 requests per second.
Plan | Requests per second (average) | Burst (requests per second) |
---|---|---|
Free | 5 | 15 |
Enterprise | 10 | 50 |
The Nightfall API follows standard practices and conventions to signal when these rate limits have been exceeded.
Successful requests return a header `X-Rate-Limit-Remaining` with the integer number of requests remaining before errors will be returned to the client.
When your application exceeds the rate limit for a given API endpoint, the Nightfall API will return an HTTP response code of 429 "Too Many Requests." If your use case requires increased rate limiting, please reach out to support@nightfall.ai.
Additionally, these unsuccessful requests return the number of seconds to wait before retrying the request in a `Retry-After` header.
Your Request Rate Limiting throttles how frequently you can make requests to the API. You can monitor your rate limit usage via the `X-Rate-Limit-Remaining` header, which tells you how many remaining requests you can make within the next second before being throttled.
Your Quota limits how many requests you can make within a given period. Your current remaining quota and the end of your current quota period are denoted by the following response headers.
Header | Type | Description |
---|---|---|
X-Quota-Remaining | string | The requests remaining in your quota for this period. Will be reset to the amount specified in your billing plan at the end of your quota cycle. |
X-Quota-Period-End | datetime | The date and time at which your quota will be reset, encoded as a string in the RFC 3339 format. |
For the free plan, we allow 5 requests per second and 10000 requests in a day.
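An added example (not Nightfall's own client code) of honoring these headers: `plan` turns a response's status and headers into a wait time, and `call_with_throttle` retries on 429 after the `Retry-After` delay. The `send` callable, the one-second fallback when `Retry-After` is missing, and the sample responses are assumptions.

```python
import time
from datetime import datetime, timezone

def plan(status, headers, now):
    """Return (action, seconds_to_wait) from the headers described above."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if status == 429:
        # Retry-After carries the number of seconds to wait; the 1s fallback is an assumption.
        return "retry", float(h.get("retry-after", 1))
    if h.get("x-quota-remaining") == "0" and "x-quota-period-end" in h:
        # RFC 3339 timestamp; normalise a trailing "Z" for older Python versions.
        end = datetime.fromisoformat(h["x-quota-period-end"].replace("Z", "+00:00"))
        return "quota", max(0.0, (end - now).total_seconds())
    if h.get("x-rate-limit-remaining") == "0":
        # The per-second budget is spent: hold off for the rest of the window.
        return "pace", 1.0
    return "ok", 0.0

def call_with_throttle(send, max_attempts=4, sleep=time.sleep, now=None):
    """Call send() -> (status, headers, body), retrying only on 429.

    Returns (status, body, wait), where wait is how long the caller should
    pause before its next request.
    """
    for _ in range(max_attempts):
        status, headers, body = send()
        action, wait = plan(status, headers, now or datetime.now(timezone.utc))
        if action != "retry":
            return status, body, wait
        sleep(wait)
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")

def demo():
    # Constructed responses: one throttled reply, then a success that used the last slot.
    replies = iter([(429, {"Retry-After": "2"}, ""),
                    (200, {"X-Rate-Limit-Remaining": "0", "X-Quota-Remaining": "9998"}, "{}")])
    slept = []
    result = call_with_throttle(lambda: next(replies), sleep=slept.append)
    return result, slept

if __name__ == "__main__":
    print(demo())
```

A long `quota` wait is returned to the caller rather than slept through, so a scheduled job can stop and resume after the quota period ends.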
Get findings for a specific violation
/violations/{violationId}/findings
The UUID of the violation
Cursor for getting the next page of results
Number of findings to fetch in one page (max 1000)
Fetch a violation by ID
/violations/{violationId}
The UUID of the violation to fetch
Perform an action on a list of violations. If an action can't be performed on a violation, that violation is ignored. Depending on the action, it could be processed immediately or queued.
/violations/actions
The action to perform on the violations
ACKNOWLEDGE, REDACT, QUARANTINE, ALLOW_QUARANTINE, REJECT_QUARANTINE, REMOVE_INTERNAL_USERS, REMOVE_EXTERNAL_USERS, DOMAIN_WIDE_LINK, RESTRICTED_LINK, DELETE, IGNORE, NOTIFY_SLACK, NOTIFY_EMAIL, UNACKNOWLEDGE, DISABLE_DOWNLOAD, CREATE_JIRA_ISSUE, MARK_AS_PRIVATE, DELETE_ATTACHMENT, MANUAL_UNDO, RESOLVE, NOTIFY_TEAMS, NOTIFY_GITHUB, SOFT_DELETE, HARD_DELETE, RESTRICT_TO_OWNER
The UUIDs of the violations to perform the action on
Fetch a list of violations based on some filters
/violations/search
Unix timestamp in seconds, filters records created ≥ the value, defaults to -90 days UTC
Unix timestamp in seconds, filters records created < the value, defaults to end of the current day UTC
Unix timestamp in seconds, filters records updated > the value
The maximum number of records to be returned in the response
Cursor for getting the next page of results
Sort key and direction, defaults to descending order by creation time
TIME_ASC, TIME_DESC, RELEVANCE, RISK_ASC, RISK_DESC
The query containing filter clauses
Query structure and terminology
A query clause consists of a field followed by an operator followed by a value:
term | value |
---|---|
clause | user_email:"amy@rocketrides.io" |
field | user_email |
operator | : |
value | amy@rocketrides.io |
You can combine multiple query clauses in a search by separating them with a space.
Field types, substring matching, and numeric comparators
Every search field supports exact matching with a `:`. Certain fields such as user_email and user_name support substring matching.
Quotes
You may use quotation marks around string values. Quotation marks are required if the value contains spaces. For example:
user_email:john@example.com
user_name:"John Doe"
Special Characters
`+ - && || ! ( ) { } [ ] ^ " ~ * ? :` are special characters that need to be escaped using `\`. For example, `(1+1):2` should be searched for using `\(1\+1\)\:2`.
Search Syntax
The following table lists the syntax that you can use to construct a query.
SYNTAX | USAGE | DESCRIPTION | EXAMPLES |
---|---|---|---|
: | field:value | Exact match operator (case insensitive) | state:"pending" returns records where the state is exactly "PENDING" in a case-insensitive comparison |
(space) | field1:value1 field2:value2 | The query returns only records that match both clauses | state:active slack.channel_name:general |
OR | field:(value1 OR value2) | The query returns records that match either of the values (case insensitive) | state:(active OR pending) |
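An added example (not part of Nightfall's documentation or SDK) that builds a query string from untrusted values using the quoting, escaping and OR rules above, so that a value such as an e-mail address copied from a ticket cannot add clauses of its own. Escaping `&` and `|` one character at a time, escaping the backslash itself, applying escapes inside quotation marks, quoting a literal `OR`, and the field-name pattern are assumptions; the function names are hypothetical.

```python
import re

# Special characters listed above; "&&" and "||" are covered one character at a time.
# The backslash is included because it is the escape character (assumption).
_SPECIAL = set('+-&|!(){}[]^"~*?:\\')
# Field names as they appear in the Query Fields table, e.g. state, slack.channel_name.
_FIELD = re.compile(r"[a-z0-9_]+(\.[a-z0-9_]+)?")

def escape_value(value):
    """Backslash-escape every special character in a single value."""
    return "".join("\\" + c if c in _SPECIAL else c for c in value)

def term(value):
    """Escape a value and quote it when it contains spaces or is the word OR."""
    if not value:
        raise ValueError("empty value")
    escaped = escape_value(value)
    return f'"{escaped}"' if re.search(r"\s", value) or value == "OR" else escaped

def clause(field, *values):
    """Build field:value, or field:(v1 OR v2 ...) when several values are given."""
    if not _FIELD.fullmatch(field):
        raise ValueError(f"unexpected field name: {field!r}")
    if not values:
        raise ValueError("at least one value is required")
    terms = [term(v) for v in values]
    joined = terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"
    return f"{field}:{joined}"

def build_query(*clauses):
    """Clauses separated by a space must all match."""
    return " ".join(clauses)

if __name__ == "__main__":
    # Constructed inputs, including one that tries to smuggle in an extra clause.
    print(build_query(clause("state", "active", "pending"),
                      clause("user_name", "John Doe")))
    print(clause("user_email", 'x" OR state:active'))
```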
Query Fields
param | description |
---|---|
state | the violation states to filter on |
user_email | the emails of users updating the resource resulting in the violation |
user_name | the usernames of users updating the resource resulting in the violation |
integration_name | the integration to filter on |
confidence | one or more likelihoods/confidences |
policy_id | one or more policy IDs |
detection_rule_id | one or more detection rule IDs |
detector_id | one or more detector IDs |
risk_label | the risk label to filter on |
risk_source | the risk determination source to filter on |
slack.channel_name | the slack channel names to filter on |
slack.channel_id | the slack channel IDs to filter on |
slack.workspace | the slack workspaces to filter on |
confluence.parent_page_name | the names of the parent pages in confluence to filter on |
confluence.space_name | the names of the spaces in confluence to filter on |
gdrive.drive | the drive names in gdrive to filter on |
jira.project_name | the jira project names to filter on |
jira.ticket_number | the jira ticket numbers to filter on |
salesforce.org_name | the salesforce organization names to filter on |
salesforce.object | the salesforce object names to filter on |
salesforce.record_id | the salesforce record IDs to filter on |
github.author_email | the github author emails to filter on |
github.branch | the github branches to filter on |
github.commit | the github commit ids to filter on |
github.org | the github organizations to filter on |
github.repository | the github repositories to filter on |
github.repository_owner | the github repository owners to filter on |
teams.team_name | the m365 teams team names to filter on |
teams.channel_name | the m365 teams channels to filter on |
teams.channel_type | the m365 teams channel types to filter on |
teams.team_sensitivity | the m365 teams sensitivities to filter on |
teams.sender | the m365 teams senders to filter on |
teams.msg_importance | the m365 teams importance to filter on |
teams.msg_attachment | the m365 teams attachment names to filter on |
teams.chat_id | the m365 teams chat ID to filter on |
teams.chat_type | the m365 teams chat type to filter on |
teams.chat_topic | the m365 teams chat topic to filter on |
teams.chat_participant | the m365 teams chat participant's display name to filter on |
onedrive.drive_owner | drive owner's display name to filter on |
onedrive.drive_owner_email | drive owner's email to filter on |
onedrive.file_name | the file name to filter on |
onedrive.created_by | display name of the m365 user who created the file in the drive to filter on |
onedrive.created_by_email | email of the m365 user who created the file in the drive to filter on |
onedrive.modified_by | display name of the m365 user who last modified the file in the drive to filter on |
onedrive.modified_by_email | email of the m365 user who last modified the file in the drive to filter on |
zendesk.ticket_status | the zendesk ticket status to filter on |
zendesk.ticket_title | the zendesk ticket titles to filter on |
zendesk.ticket_group_assignee | the zendesk ticket assignee groups to filter on |
zendesk.current_user_role | the zendesk ticket current assignee user's roles to filter on |
notion.created_by | the names of the users creating a resource in notion to filter on |
notion.last_edited_by | the names of the users editing a resource in notion to filter on |
notion.page_title | the page names in notion to filter on |
notion.workspace_name | the workspace names in notion to filter on |
gmail.user_name | the names of the sender to filter on |
gmail.from | the email of sender to filter on |
gmail.to | the email or name of recipients to filter on |
gmail.cc | the email or name of cc to filter on |
gmail.bcc | the email or name of bcc to filter on |
gmail.thread_id | the thread id of email to filter on |
gmail.subject | the subject of email to filter on |
gmail.attachment_name | the name of attachment to filter on |
gmail.attachment_type | the type of attachment to filter on |
Annotate a finding
/findings/{findingId}/annotate
The UUID of the finding to annotate
The annotation type
DETECTOR_FALSE_POSITIVE, COMPANY_IGNORED_FALSE_POSITIVE, DETECTOR_TRUE_POSITIVE
The comment to add to the annotation
Whether the annotation applies to all findings of this sensitive data (defaults to true)
Remove the annotation for a finding
/findings/{findingId}/unannotate
The UUID of the finding to unannotate
No body
Fetch an annotation by ID
/annotations/{annotationId}
The UUID of the annotation to fetch
Fetch a list of violations for a period
/violations
Unix timestamp in seconds, filters records created ≥ the value, defaults to -90 days UTC
Unix timestamp in seconds, filters records created < the value, defaults to end of the current day UTC
Unix timestamp in seconds, filters records updated > the value
The maximum number of records to be returned in the response
Cursor for getting the next page of results
Update a policy's user scope by defining inclusion/exclusion rules for users based on user emails. Only Google Drive policies are supported; internal and external users are separated based on the Google domains registered in Nightfall. You can use this endpoint with Nightfall Sensitive Data Protection, Exfiltration Prevention, and Data Security Posture Management.
/{policyID}/scope/users
The UUID of the policy to update
Return a list of GitHub repositories that Nightfall has access to. Each GitHub repository includes details such as whether the repository is being monitored and the last time Nightfall ran a scan against the applicable policies.
/github/repositories
The maximum number of records to be returned in the response
Cursor for getting the next page of results