Nightfall Events

Learn about the Events page in Nightfall

An Event is an incident that is triggered when Nightfall detects a data leak. The Events page displays the details of every sensitive data Event recorded by Nightfall across all of your integrations.

Before we proceed further, let's understand what exactly a Finding and an Event are.

Finding: A Finding is a single instance of sensitive data detected during a scan.

Event: An Event is a data leak incident. It is the collection of Findings that were detected while scanning an entire document, or a body of data in your database.

Events vs Findings

When Nightfall scans data, a single Event can contain multiple Findings. For instance, suppose you upload a document to Google Drive that contains 10 pieces of secret information (10 API keys or 10 credit card numbers). Each of these 10 instances is a Finding. Because Nightfall scans the entire Google document at once, the 10 Findings are recorded as a single Event.

Event List View

The sensitive data Event list view page consists of a table that displays the details of each Event. The columns of the table are described as follows.

Event Likelihood

The Finding column displays the name of the detector whose condition was violated, resulting in the Event. When several Events originate from scanning a single file, web page, or other publicly available entity, the Finding column lists all of them.

Each Event's name is the same as the name of the Detector whose condition was violated. You can also view the Likelihood, or confidence level (Possible, Likely, Very Likely), that the Event is an actual data leak, along with the number of instances at each Likelihood. Possible Findings are displayed in blue with a fully dotted blue circle. Likely Findings are displayed in yellow with a half-dotted, half-shaded yellow circle. Very Likely Findings are displayed in red with a red circle.

For instance, in the following image, a detector called Person name was violated 28 times. Of these 28 violations, 1 is a Possible Event (in blue), 5 are Likely Events (in yellow), and 22 are Very Likely Events (in red).

Event Detail View

The Event detail view consists of various sections. These sections are as follows.

Event Detail View First Section

Each field is highlighted and numbered. Use the number to find the description of that field in the section that follows the image.

1 - Name of the Event

2 - Current status of the Event. For more information on Event status, refer to the Event Status document.

3 - The nature (Credit card in the above image) and number of Findings (1 in the above image) in the Event.

4 - The name of the document in which the sensitive data was found (TEst Automation Action.Docx in the above image). If multiple documents contain sensitive data, each document is listed here. In this case, only one document contained sensitive data.

5 - The actual sensitive data found in the document (4242-4242-4242-4242 in the above image). The sensitive data is highlighted in yellow, which indicates that the Likelihood is Likely. Findings whose Likelihood is Very Likely are highlighted in red, and Findings whose Likelihood is Possible are highlighted in blue. For more information on Likelihood, see the Working on Events document.

6 - Number of Findings in the selected document. In the above case there is only one Finding, and its Likelihood is Possible.

Event Detail View Second Section

The contents of this section vary by integration. You can view the complete list of fields available in the second section after you click the Expand Details button.

The following section contains a tab for each integration. Each tab contains an image of the second section followed by a description of each field.

The second section of the OneDrive detail view is as shown in the following image. The section after the image describes each field.

The various fields in the above section are as follows.

  • Actions Taken - The latest action taken on the Event. If no action is taken yet, this field is empty.

  • When - The time period when the Event was registered.

  • Integration Name - The Nightfall integration in which the Event was registered (OneDrive in this case).

  • User - The user whose actions triggered the Event.

  • Violated Policy - The name(s) of the policy or policies that were violated, as a result of which the Event was triggered.

  • Detection rule - The name(s) of the detection rule(s) within the policy that was violated.

  • Last modified by - The name of the user who was the last person to act on the Event.

  • Last modified time - The date and time when the Event was last modified.

  • File name - The name of the file that contains sensitive data.

  • OneDrive ID - The ID of the OneDrive that contains the file holding sensitive data. This field is only available for OneDrive Events.

  • OneDrive Owner - The name of the user who owns the OneDrive containing file(s) with sensitive data. This field is only available for OneDrive Events.

  • Size - The size of the file that contains sensitive data.

Event Detail View Third Section

The third section contains Event logs and comments. These sections are highlighted in the following image.

  • Event logs - The event logs section contains a log of activities performed on the Event. By default, the first log activity recorded is the Event creation activity. The next set of activities generally provide information about Event notifications sent via various notification channels and actions taken on the Event.

  • Comments - The comments section allows you to enter comments on the Event. The maximum character limit for the comment is 300.

Working on Events

If a single scanned entity (file or web page) violates multiple detector rules, Nightfall lists all the detectors that the finding violated. In the Event list view, such Events are displayed with one detector name followed by +1 (if two detectors were violated), +2 (if three detectors were violated), and so on.

In the following image, you can see that the Finding has violated a detector called Credit card number and also another detector. Hence a +1 is displayed.

In the above case, if the Finding violated three detectors, +2 is displayed. If the Finding violated 4 detectors, +3 is displayed.

To view the list of detectors violated and the Likelihood (Possible, Likely, and Very Likely) of each finding discovered in the file, click the Event. This opens the Event detail view. You can view the names of the violated detectors and the number of findings on the Event detail view.

In the following image, a single file, Automated upload 1728418320, has violated three detectors: Person name, Tom Cruise with Exclusions, and Phone number. The Person name detector was violated 22 times, so there are 22 findings for this detector. You can view each of these 22 findings by clicking the 22 Person name tab and scrolling down. Findings highlighted in blue are Possible findings, findings highlighted in red are Most Likely findings, and findings highlighted in yellow are Likely findings. The Showing field displays the number of Findings and the likelihood of each finding. In the following image, the Showing field displays 22 in red, which means that all 22 findings have the Most Likely likelihood.

The Tom Cruise with Exclusions detector has 3 findings. You can view the Likelihood of each of the 3 findings. You can view the findings that violated this detection rule by clicking the 3 tom cruise with exclusions tab.

Similarly, you can click the 3 Phone Number tab to view the details of the findings that violated the Phone number detector.

Annotating Findings

As described above, an Event can have multiple findings. If any finding discovered by Nightfall is not an actual case of data leak, you can use the Annotate feature to mark that specific finding as a false positive. You can also annotate findings that are certainly a case of data leak as true positives. Each finding has the annotate option.

To annotate a finding:

  1. Hover the mouse over the finding that you wish to annotate.

  2. Click the annotation icon.

  3. Select one of the following annotation options.

     • Not a Credit card number: Select this option if you feel that the Credit card number discovered by Nightfall is not a credit card number but some other number. This marks the finding as a False positive.

     • Not a violation: Select this option if you feel the finding discovered by Nightfall is not a violation (for example, an imaginary credit card number shared publicly as an example). This marks the finding as a False positive.

     • True Positive: Select this option if you feel that the finding discovered by Nightfall is an actual case of data leak. This marks the finding as a True positive.

  4. (Optional) Enter comments for the annotation.

  5. (Optional) Turn on the Apply to all identical findings toggle switch to annotate all similar findings. See Bulk Annotate to learn more about this feature.

  6. Click Apply.

In step 3 of the above task, you see three annotation options. The name of the first option depends on the nature of the Finding. For instance, if the sensitive data found is a suspected API key, the option name changes to Not an API key. If it is Personally Identifiable Information (PII), the option name changes to Not a Personally Identifiable Information, and so on.

When you annotate a finding as Not a credit card, Not an Address, and so on, or as Not a Violation, the Finding is displayed as False Positive in the Finding column. If you annotate a Finding as True Positive, it is displayed as True Positive in the Finding column.

In the following image, a Violation has 25 Very Likely Findings and 28 Possible Findings. We annotate a Very Likely Finding as True Positive and a Possible Finding as Not a Violation. You can see that the values are reflected accordingly. Findings annotated as True positive are displayed in green color and Findings annotated as False Positive are displayed in grey color.

The Finding column also reflects the latest data on each finding. You can see that the Very Likely Findings count has decreased to 24, because one of them was annotated as True Positive. Similarly, the Likely Findings count has decreased to 27, because one of them was annotated as False Positive.

If you accidentally annotate a Finding or annotate a Finding incorrectly, Nightfall provides remediation measures too. For accidentally annotated Findings, you can revert the annotation to return to the original Likelihood (Possible, Likely, Very Likely). For incorrectly annotated findings, you can modify the annotation.

Bulk Annotate

When the Apply to all identical findings toggle switch is enabled, the following happens.

  • The annotation is applied to all exact matches of the finding in all existing Events.

  • The annotation is applied to all exact matches of the finding in new Events.

Furthermore, the Nightfall AI Smart Auto-Ignore feature performs the following tasks.

  • Events in which 100% of the findings are annotated as false positives are automatically ignored.

  • When an Event is auto-ignored, an entry is added to the Event activity log for visibility.

  • Auto-ignored Events are updated to the "Ignored" status and moved to the "Resolved" tab for visibility, analyst review, or audit.

Undo Auto-Ignore

  • Undo is an action available on any Event that has been automatically ignored by Nightfall AI.

  • Taking the undo action reverts the status of the selected Event back to the pre-ignore state.

Undo Annotation and Disable Automatic Annotation

  • The annotation for a specific token/finding can be undone by reverting the annotation (no change from current behavior).

  • When editing an annotation, the "apply to all..." flag can be disabled. When it is disabled, future instances of the exact finding are not annotated automatically.
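To make the rules in the Annotating Findings and Bulk Annotate sections concrete, the following Python model is an added example (it is not Nightfall's code, and every class, field and method name in it is an assumption for illustration). It models exact-match bulk annotation across existing and new Events, the Smart Auto-Ignore rule, the activity-log entry and Undo, reverting an annotation with the "apply to all" rule disabled, and the per-Likelihood counts that the Finding column shows after annotation.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of the annotation, bulk-annotate and Smart Auto-Ignore
# behaviour described above. All class, field and method names are
# assumptions for illustration, not Nightfall's own API.

LIKELIHOODS = ("Possible", "Likely", "Very Likely")
TRUE_POSITIVE = "True Positive"
FALSE_POSITIVE = "False Positive"   # "Not a <detector>" and "Not a violation" both land here


@dataclass
class Finding:
    detector: str
    value: str                    # the matched token, e.g. a card number
    likelihood: str               # one of LIKELIHOODS
    annotation: Optional[str] = None

    def key(self) -> Tuple[str, str]:
        # An "identical finding" is an exact match on detector and token.
        return (self.detector, self.value)


@dataclass
class Event:
    name: str
    findings: List[Finding]
    status: str = "Active"
    log: List[str] = field(default_factory=list)   # the Event activity log
    prior_status: Optional[str] = None             # remembered for Undo


class EventStore:
    def __init__(self) -> None:
        self.events: List[Event] = []
        # Rules remembered while "Apply to all identical findings" is on:
        # finding key -> annotation to apply to future exact matches.
        self.auto_rules: Dict[Tuple[str, str], str] = {}

    def ingest(self, event: Event) -> None:
        # New Events get the remembered annotations applied to exact matches.
        for f in event.findings:
            if f.key() in self.auto_rules:
                f.annotation = self.auto_rules[f.key()]
        self.events.append(event)
        self._auto_ignore(event)

    def annotate(self, finding: Finding, annotation: str, apply_to_all: bool = False) -> int:
        """Annotate one finding, or every exact match across existing Events.
        Returns the number of findings that were annotated."""
        targets = [finding]
        if apply_to_all:
            self.auto_rules[finding.key()] = annotation
            targets = [f for ev in self.events for f in ev.findings if f.key() == finding.key()]
        for f in targets:
            f.annotation = annotation
        for ev in self.events:
            self._auto_ignore(ev)
        return len(targets)

    def revert_annotation(self, finding: Finding, disable_apply_to_all: bool = False) -> None:
        # Reverting restores the original Likelihood; optionally stop future
        # exact matches from being annotated automatically.
        finding.annotation = None
        if disable_apply_to_all:
            self.auto_rules.pop(finding.key(), None)

    def _auto_ignore(self, event: Event) -> None:
        # Smart Auto-Ignore: 100% of the findings annotated as false positive.
        if event.status == "Ignored" or not event.findings:
            return
        if all(f.annotation == FALSE_POSITIVE for f in event.findings):
            event.prior_status = event.status
            event.status = "Ignored"
            event.log.append("Auto-ignored: all findings annotated as false positive")

    def undo_auto_ignore(self, event: Event) -> bool:
        # Undo returns the Event to its pre-ignore status.
        if event.status != "Ignored" or event.prior_status is None:
            return False
        event.status, event.prior_status = event.prior_status, None
        event.log.append("Auto-ignore undone")
        return True


def finding_column(event: Event) -> Dict[str, int]:
    """Counts as shown in the Finding column: unannotated findings per
    Likelihood, annotated ones under True/False Positive."""
    counts = {k: 0 for k in LIKELIHOODS + (TRUE_POSITIVE, FALSE_POSITIVE)}
    for f in event.findings:
        counts[f.annotation or f.likelihood] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample data: two Events sharing one identical card number.
    store = EventStore()
    a = Event("Event A", [Finding("Credit card number", "4242424242424242", "Very Likely"),
                          Finding("Credit card number", "4000000000000002", "Possible")])
    b = Event("Event B", [Finding("Credit card number", "4242424242424242", "Likely")])
    store.ingest(a)
    store.ingest(b)
    store.annotate(a.findings[0], FALSE_POSITIVE, apply_to_all=True)
    print(finding_column(a), b.status, b.log)
```

Running the block annotates the shared card number in both Events: Event A keeps one unannotated Possible finding and stays Active, while Event B, whose only finding is now a false positive, is auto-ignored and gets a log entry. A later Event containing the same token is annotated on ingestion and ignored the same way.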

View Event Details

You can also find more details about the Event from the Event detail view. By default, only a few details are displayed on the Event detail view. You must click the Expand details button to view all the details of the Event. You can also view the chronological order of events (annotations applied, reverted, Event resolved, and so on) on the Event. The events start from the date on which the Event was created. You can also add comments on the Event.

Apply Actions on Events

You can also apply various actions on the Events. The actions menu displays a list of actions that you can perform on an Event.

To learn more about Event actions, you can view the Applying Actions on Events document.

Bulk Actions

When you wish to implement an action on multiple Events simultaneously, you can use the bulk action feature. To learn more about how to use this feature, refer to the Applying Bulk Actions on Events document.

Filtering Data

Nightfall provides you with various filters to view Events specific to an integration, User, or Status. This ensures that you view data that is specific to your requirements. The various filters are described as follows.

Historic Data Filter

This filter allows you to view historical data. You can choose to view data for the last 7, 30, 90, 120, or 180 days. You can also select a custom date range by entering the date in the MM/DD/YY format. When you apply a specific period, all the data on the Event management page is fetched from the selected period till the current date. For instance, assume that the current date is 1 December 2023. If you select the time filter as Last 7 days, the data is displayed from 25 Nov 2023 to 1 December 2023. Similarly, if you select the time filter as last 30 days, the data is displayed from November 2, 2023, to December 1, 2023. By default, this filter displays the data for the Last 7 days. You can click the Last 7 Days button to edit the date.

Miscellaneous Filters

The miscellaneous filters allow you to apply filters on various Nightfall entities. The entities are described as follows.

Detector

This filter allows you to view Event data specific to a Detector.

Integration

This filter allows you to view Event data specific to an Integration.

Likelihood

This filter facilitates you to view Event data specific to the Likelihood of sensitive data being detected.

Status

This filter allows you to view data specific to the status of the Event.

User

This filter facilitates you to view data specific to users who triggered Events.

To apply a filter:

  1. Click the Filter button.

  2. In the When drop-down menu, select a filter.

Note: The Select an Option drop-down menu is activated once you select a filter. The options in the drop-down menu vary for each filter selected.

  3. Select a filter value from the Select an Option drop-down menu. For some filters (such as the Integration filter), you can select multiple values.

  4. (Optional) Click Add Filter to add multiple filters.

  5. (Optional) Repeat steps 2-3 to add multiple filters.

  6. Click Apply.

  • You can add multiple filters. Nightfall allows you to add a maximum of five filters.

  • When you add multiple filters, logical AND operation is applied between the filters. As a result, only the data that matches all the applied filters is displayed.

  • To remove the miscellaneous filters, click the Reset button.

Automated Event Duplication Management

If an Event is reported multiple times, Nightfall updates the existing Event with the new instance instead of creating new Events. It also maintains a trail of the Events to ensure that no reporting is lost.

Filtering duplicates reduces alerts. It also saves you the time spent on analyzing each finding.

Nightfall filters duplicate findings in multiple ways. New Events are not created when:

  • You remove a previously reported finding. The existing Event is updated, and you can view the update in the Event metadata.

  • A duplicate of a previously reported finding is added. The existing Event is updated.

Note: Filtering duplicate Events is currently available for Jira and Confluence.

An Event is auto-resolved:

  • When you remove all reported findings.

  • When you delete a resource (for example, a ticket, comment, or page).

Examples

Consider the case of the JIRA integration. If Nightfall detects sensitive data in either your JIRA ticket description or JIRA ticket comments, an Event is created. This Event has a single finding, which was detected in the JIRA ticket. You can view the history of this Event as highlighted in the following image.

Now, consider that you add more sensitive data to the ticket. When Nightfall scans the ticket again, the following happens.

  • A new Event is created with a single finding. This finding refers to the new sensitive data detected during the second scan.

  • The previous Event record is updated. It now has two findings (even more than two if multiple findings are detected on the same ticket).

You can now find the duplicate ticket information in the ticket history section.

Searching Events

The search bar in Events allows you to search Events in two ways as described in the following sections.

You can search for Events using keywords. The search returns all Events that contain all of the keywords submitted.

  • For instance, searching for Credit Card returns all Events that contain Credit AND Card in any of the indexed Event properties.

  • You can search for an exact phrase by placing double quotes around the phrase (for example, "Credit Card Number").

  • Use AND to search for Credit Card Number Events by John Doe (for example, "Credit Card Number" AND "John Doe").

  • Use the NOT operator to exclude Events from your search query (for example, "Credit Card Number" AND "John Doe" NOT Confluence).

Nightfall provides you with search operators to search for the exact Event required. A search operator is an entity that you can use as a filtering factor. For instance, Detector_name is an operator that you can use to view Events specific to a detector. Similarly, Confidence is an operator that you can use to filter Events based on confidence levels (Very Likely, Likely, Possible).

You can use an operator as shown in the following image.

You can see that when you search for Events with Likely Confidence, the search returns all Events that have at least one Likely Finding. Similarly, when you search for Possible Confidence, the search returns all Events that have at least one Possible Finding.

Nightfall also displays the last five search terms for each user. These values are stored in the user's browser cache.

Nightfall provides two types of search operators.

You can use multiple operators to refine your search. When you use multiple operators, Nightfall applies the AND logic between the operators. So, if you wish to view all the active Events in the Zendesk integration, you can accomplish it as shown in the following image.

You can also use a single operator to filter multiple values. For instance, to view all the Events of Zendesk and Salesforce integrations, you can use the search as shown below.

integration_name:"Zendesk" OR "Salesforce"

Note: The colon (:) is used as the operator delimiter in search, so : cannot be used in a search string. If you wish to search for text that contains a colon, replace the colon with ? or * and submit the query; otherwise, the text before the colon is treated as an operator.

Special Characters

While : is a special character that serves as the operator separator for search actions, there are other special characters that cannot be used directly in the search bar. The complete list of special characters that cannot be searched directly is as follows.

+ - && || ! ( ) { } [ ] ^ " ~ * ? \

So, if your policy name contains reserved characters like && {}, you cannot use these characters directly in the search bar. You must make some changes to your search query before using them. To search any of the above special characters, you must perform any one of the following tasks:

  • Use the escape character \ before the special character (this works with all special characters except : ).

  • Replace the special character with the wildcard (*).

  • Replace the special character with a question mark (?).

Some examples are as follows.

  • To search for the policy name Google Drive! Critical_Document, use one of the following search terms.

    policy_name:"Google Drive? Critical_Document"

    policy_name:"Google Drive* Critical_Document"

    policy_name:"Google Drive\! Critical_Document"

  • To search for the policy name H&&M, use one of the following search terms.

    policy_name:"H?&&M"

    policy_name:"H*&&M"

    policy_name:"H\&\&M"

  • To search for the policy name Google !, use one of the following search terms.

    policy_name:"Google *"

    policy_name:"Google ?"

    policy_name:"Google \!"
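The operator syntax (a `:` delimiter, OR between values of one operator, AND between operators, NOT to exclude) and the reserved-character rules above are easy to get wrong when a policy or detector name is built into a search query by a script. The following Python helpers are an added example, not Nightfall code; the function names are assumptions for illustration, and the helpers only compose the query string exactly as the page describes it: reserved characters are backslash-escaped, and a colon, which cannot be escaped, is replaced with a wildcard.

```python
# Constructed helpers for composing Events search queries that follow the
# operator syntax and the special-character rules described above. The
# function names are assumptions for illustration, not a Nightfall API.

# Characters the page lists as not searchable directly.
RESERVED = set('+-&|!(){}[]^"~*?\\')
OPERATOR_DELIMITER = ":"


def escape_term(value: str, colon_replacement: str = "?") -> str:
    """Make a literal value safe for the search bar.

    Reserved characters are backslash-escaped (the page's first option).
    The colon cannot be escaped, because it is the operator delimiter, so
    it is replaced with a wildcard: '?' (one character) or '*'.
    """
    if colon_replacement not in ("?", "*"):
        raise ValueError("a colon can only be replaced with ? or *")
    out = []
    for ch in value:
        if ch == OPERATOR_DELIMITER:
            out.append(colon_replacement)
        elif ch in RESERVED:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def phrase(text: str) -> str:
    """Exact-phrase clause, e.g. "Credit Card Number"."""
    return '"%s"' % escape_term(text)


def operator_query(operator: str, *values: str) -> str:
    """operator:"v1" OR "v2" ..., e.g. integration_name:"Zendesk" OR "Salesforce"."""
    if not values:
        raise ValueError("at least one value is required")
    return operator + OPERATOR_DELIMITER + " OR ".join(phrase(v) for v in values)


def and_query(*clauses: str) -> str:
    """Join clauses with AND; Nightfall also applies AND between multiple operators."""
    return " AND ".join(clauses)


def exclude(query: str, term: str) -> str:
    """Append a NOT clause, e.g. ... NOT Confluence."""
    return query + " NOT " + term


def unsafe_characters(raw: str) -> set:
    """Report which characters in a raw string would break the query if typed
    directly into the search bar; a pre-check before submitting."""
    return {ch for ch in raw if ch in RESERVED or ch == OPERATOR_DELIMITER}


if __name__ == "__main__":
    # Constructed sample names that contain reserved characters.
    print(operator_query("policy_name", "H&&M"))
    print(operator_query("integration_name", "Zendesk", "Salesforce"))
    print(exclude(and_query(phrase("Credit Card Number"), phrase("John Doe")), "Confluence"))
    print(sorted(unsafe_characters("Prod: API keys (critical)")))
```

The `unsafe_characters` pre-check is the useful part for operators: run it on any name taken from a policy or detector list before pasting it into the search bar, and escape or wildcard the reported characters rather than discovering the problem from an empty result set.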

Export and Share Event Data

Nightfall allows you to share and download the Event data. The Share option creates a link to the current view with all the filters applied. When you click this link, the Events page opens with the same filters applied.

The Export option creates a CSV file with all the Event data. The CSV file is mailed to the logged-in user's email ID, and it reflects all the filters that were applied before you started the download. Click Export to CSV to start the export process.

Once you click the Export to CSV button, a pop-up window appears. Click Download and Send to Email.

You receive an Email from Nightfall with the subject line Nightfall - Report <Download date>. You must click the Download Report button in the email. The link to the report expires 7 days after you receive the email.

The CSV table contains the same columns as in case of the Event list view. The file looks as follows.
