Nightfall Violations
Learn about the Violations page in Nightfall
A Violation is an incident that is triggered when a data leak is detected by Nightfall. The Violations management displays all the details about the Violations recorded in Nightfall from all the integrations.
Before we proceed further, let's understand what exactly is a Finding and a Violation.
Finding: A Finding refers to a single instance of a data leak incident detected during scanning.
Violation: A Violation is an incident of data leaks that was detected while scanning an entire document or data in your database.
Violations vs Finding
When Nightfall scans data, a single violation can have multiple findings. For instance, consider that you upload a document to Google Drive. This document has 10 instances of secret information (10 API keys or 10 credit card numbers). These 10 instances are known as Findings. Since Nightfall scans the entire Google document at once, these 10 Findings are recorded as a single violation.
Understanding Violation Management
Violations Management consists of a table that displays the details of each violation. The contents consist of columns which are described as follows.
| Column Name | Description |
|---|---|
Finding | The finding displays the name of the Detector that was violated. As a result of this violation, a violation entry is recorded. A single violation entry can have multiple findings. |
When | The time (in number of days, weeks, months) when the violation was recorded. You can arrange this in increasing or decreasing order. |
Integration | The integration in which the violation was recorded. |
Policy & Rule | The policy and rule names that were violated. |
User | The user whose actions triggered the violation (finding). |
Status | The current status of the violation. You can hover on the status to view the user who triggered the current status and the date and time when the current status was reached. |
Ellipsis menu | A set of remediation actions that you can take on a violation. To view the list of actions supported in Nightfall, see Violation Actions. |
Working on Violations
The Finding column displays the name of the detector whose condition was violated thus resulting in a Violation. The Finding column displays a list of violations that originated from by scanning a single file, a web page, or any other publicly available entity.
Each Violation's name is the same as the Detector's name whose condition was violated. You can also view the Likelihood or confidence level (Possible, Likely, Very Likely) of a Violation being an actual case of data leak and also the number of instances for each Likelihood. The Possible Likelihood Findings are displayed in blue color with a fully dotted blue circle. The Likely Finding is displayed in yellow color with a half-dotted and half-shaded yellow circle. The Very Likely Finding is displayed in red color with a red circle.
For instance, in the following image, a detector called Credit Card number is violated 155 times. Of these 155 instances of violations, 149 are Possible violations, 2 are Likely Violations, and 4 are Highly Likely to be violations.
In case of an API key violation, Nightfall detects that the sensitive data leaked is active. In such cases, Nightfall also displays a warning sign as a tooltip with a relevant message as shown in the following image.
When you click the Finding, you can view each of these 155 instances in a side window. The sensitive data that triggered the Finding is highlighted with the respective likelihood color (Red for Highly Likely, Yellow for Likely, and Blue for Possible). You can also view the file name that triggered these Findings. In this case, all 155 Findings are part of a single file called Large File (3).PDF.
If a single scanned entity (file or web page) violates multiple detector rules, Nightfall displays the list of all the detectors that the finding has violated. Such violations are displayed with a detector name, followed by a +1 (if two detectors are violated), +2 (if three detectors are violated), and so on.
In the following image, you can see that the Finding has violated a detector called Credit card number and also another detector. Hence a +1 is displayed.
In the above case, if the Finding violated three detectors, +2 is displayed. If the Finding violated 4 detectors, +3 is displayed.
To view the list of detectors violated and the Likelihood (Possible, Likely, and Very Likely) of each finding discovered in the file, click the Violation. You can see the names of the violated detectors and the number of findings.
In the following image, a single file 100k-Records_1.csv has violated two detector rules. The detectors are Credit card number and Protected Health Information. The Credit card number detector has been violated 28 times and hence there are 28 findings for this detector. The Protected Health Information detector has 4 findings. So, there are a total of 32 findings in this single Violation which were discovered while scanning the 100k-Records_1.csv file. You can view the Likelihood of each of the 32 findings.
Annotating Findings
As learned above, a violation can have multiple findings. If you find that any of the findings discovered by Nightfall is not an actual case of data leak, you can use the Annotate feature to annotate the specific finding as a false positive. Furthermore, you can also annotate those findings, which surely are a case of data leak, as true positives. Each finding has the annotate option.
To annotate a finding:
Hover the mouse on the finding that you wish to annotate.
Click the annotation icon.
Select one of the following annotation options.
Not a Credit card number: Select this option if you feel that the Credit card number discovered by Nightfall is not a credit card number but some other number. This marks the finding as a False positive.
Not a violation: Select this option if you feel the finding discovered by Nightfall is not a violation (an imaginary credit card number shared publicly as an example). This marks the finding as a False positive.
True Positive: Select this option if you feel that the finding discovered by Nightfall is an actual case of data leak. This marks the finding as True positive.
(Optional) Enter comments for annotation.
(Optional) Turn the Apply to all identical findings toggle switch to annotate all the similar findings. Click Bulk Annotate to learn more about this feature.
Click Apply.
In step 3, of the above task, you see three options for annotation. The name of the first option depends on the nature of the Finding. For instance, if the sensitive data found is a suspected API key, the option name changes to Not an API key. If it is a Personally Identifiable Information (PII), the option name changes to Not a Personally Identifiable Information, and so on.
When you annotate a finding as Not a credit card, Not an Address, and so on, or annotate a finding as Not a Violation, the Finding is displayed as False Positive on the Finding column. If you annotate a Finding as True Positive, it is displayed as True Positive on the Finding column.
In the following image, a Violation has 25 Very Likely Findings and 28 Possible Findings. We annotate a Very Likely Finding as True Positive and a Possible Finding as Not a Violation. You can see that the values are reflected accordingly. Findings annotated as True positive are displayed in green color and Findings annotated as False Positive are displayed in grey color.
The Finding column also reflects the latest data on each finding. You can view that Very Likely Findings has reduced to 24. This is because one of them is annotated as True Positive. Similarly, Likely findings have reduced to 27. This is because one of them is annotated as False Positive.
If you accidentally annotate a Finding or annotate a Finding incorrectly, Nightfall provides remediation measures too. For accidentally annotated Findings, you can revert the annotation to return to the original Likelihood (Possible, Likely, Very Likely). For incorrectly annotated findings, you can modify the annotation.
Bulk Annotate
When the Apply to all identical findings toggle switch is enabled, the following events occur.
annotation is applied to all exact matches of the finding in all the existing violations.
annotation is applied to all exact matches of the findings in new violations.
Furthermore, the Nightfall AI Smart Auto-Ignore feature performs the following tasks.
Violations whose 100% of findings are annotated as false positives are automatically ignored.
When auto-ignored, an entry is added to the violation activity log for visibility
Auto-ignored violations are updated to "Ignored" status and moved to the "Resolved" tab for visibility, analysts' review, or audit.
Undo Auto-Ignore
Undo is an action available on any violation that has been automatically ignored by Nightfall AI.
Taking the undo action reverts the status of the selected violation back to the pre-ignore state.
Undo Annotation and Disable Automatic Annotation
The annotation for a specific token/finding can be undone by reverting the annotation (no change from current behavior).
When edited the "apply to all..." flag can be disabled. When disabled, future instances of the exact finding will not be automatically annotated.
View Violation Details
You can also find more details about the violation. By default, only a few details are displayed. You must click the Expand details button to view all the details of the violation. You can also view the chronological order of events (annotations applied, reverted, violation resolved, and so on) on the violation. The events start from the date on which the violation was created. You can also add comments on the violation.
Apply Actions on Violations
You can also apply various actions to the Violation. The actions menu displays a list of actions that you can perform on a Violation. When a new violation is recorded, by default, it has the Active status and can be found in the Active tab. You must act on the active violations within 30 days. If you do not perform any action on an active violation within 30 days, the violation expires and moves to the Expired tab. The Pending tab displays the list of violations on which you have taken some action but have not yet resolved them. The Resolved tab displays the list of violations that have been resolved.
The actions available in the action menu vary for each integration. To view the list of actions supported for each integration, see Action Supported for Integration.
The actions menu displays the same list of actions as in the case of the ellipsis menu. Additionally, you can view a few more actions in the action menu which may not be present in the ellipsis menu. While Annotations are applied to individual Findings, actions apply to the whole of the violation. To view the complete list of actions that you can take on violations, see #violation-actions.
Bulk Actions
Nightfall allows you to perform actions on a large set of violations. The Violations screen displays a maximum of 50 violations. With Bulk actions, you can choose to implement an action either on the 50 violations that are currently displayed on the screen or on all the violations including the 50 displayed on the violation screen.
Important: You can apply bulk action on a set of violations, only if all the violations belong to a specific integration. Hence, you must use the filter on the integration screen to view only those violations that belong to a specific integration. Also, you cannot apply a remediation action on an expired violation (all Violations expire in 30 days).
For example, you can apply a filter to display violations reported by the Salesforce integration. Once you apply,y the filter to view only Salesforce integrations, you can then apply bulk action on all the Salesforce violations.
To use the Bulk actions feature:
Navigate to the Violations screen in Nightfall.
Apply an integration filter to view the list of violations that belong to a specific integration. You must select only a single integration. If you select multiple integrations, you cannot use the Bulk actions feature.
Select the Finding check box. The 50 violations displayed on the screen are selected.
(Optional) You can also choose to select all of the violations that belong to the filtered integration.
Select one of the actions to be performed on all the selected violations.
Click Confirm to proceed with the bulk action.
Filtering Data
Nightfall provides you with various filters to view Violations specific to an integration, User, or Status. This ensures that you view data that is specific to your requirements. The various filters are described as follows.
Historic Data Filter
This filter allows you to view historical data. You can choose to view data for the last 7, 30, 90, 120, or 180 days. When you apply a specific period, all the data on the Violation management page is fetched from the selected period till the current date. For instance, assume that the current date is 1 December 2023. If you select the time filter as Last 7 days, the data is displayed from 25 Nov 2023 to 1 December 2023. Similarly, if you select the time filter as last 30 days, the data is displayed from November 2, 2023, to December 1, 2023. By default, this filter displays the data for the last 7 days.
Miscellaneous Filters
The miscellaneous filters allow you to apply filters on various Nightfall entities. The entities are described as follows.
Detector
This filter facilitates you to view Violation data specific to a Detecter.
Integration
This filter facilitates you to view Violation data specific to an Integration
Likelihood
This filter facilitates you to view Violation data specific to the Likelihood of sensitive data being detected.
Status
This filter facilitates you to view data specific to the status of Violation.
User
This filter facilitates you to view data specific to users who triggered violations.
To apply a filter:
Click the Filter button.
Click + Add Filter.
Select a filter Entity from the When drop-down menu. The options in the Is drop-down menu are based on the filter entity selected.
Select an option or multiple in the Is drop-down menu. For instance, if you selected Integration as the entity, then you must select the check boxes for the integrations whose data you wish to view.
(Optional) Repeat steps 2-5 to add multiple filters.
Click Apply.
You can add multiple filters. Nightfall allows you to add a maximum of five filters.
When you add multiple filters, logical AND operation is applied between the filters. As a result, only the data that matches all the applied filters is displayed.
To remove the miscellaneous filters, click the Reset button.
Automated Violation Duplicate Management
If a violation is reported multiple times, Nightfall updates the violation to the new instance, instead of creating new violations. However, it maintains a trail of the violations to ensure no reporting is lost.
Filtering duplicates reduces alerts. It also saves you the time spent on analyzing each finding.
Nightfall filters duplicate findings in multiple ways. New violations are not created when:
you remove a previously reported finding. The existing violation is updated. You can view the update in the violation metadata.
a duplicate of a finding previously reported is added. The existing violation is updated.
Note: Filtering duplicate violations is currently available for Jira and Confluence.
A violation is auto-resolved:
When you remove all reported findings.
When you delete a resource (ex. ticket, comment, or page).
Examples
Consider the case of JIRA integration. If Nightfall detects a data violation in either your JIRA ticket description or JIRA ticket comments a Violation is raised. This violation has a single finding which was detected in the JIRA ticket. You can view the history of this violation as highlighted in the following image.
Now, consider that you add more sensitive data in the ticket. When Nightfall scans the ticket again the following events occur
A new violation is created with a single finding. This finding refers to the new sensitive data detected during the second scan.
The previous violation record is updated. It now has two findings (even more than two if multiple findings are detected on the same ticket).
You can now find the duplicate ticket information in the ticket history section.
Searching Violations
The search bar in Violations allows you to search violations in two ways as described in the following sections.
Keyword Based Search
You can search for violations using a keyword. The search returns all violations that contain all the keywords submitted.
For instance, searching for a Credit Card returns all violations that contain Credit AND Card in any of the indexed violation properties.
You can search for an exact phrase. Use double quotes around the phrase (ex."Credit Card Number").
Use the AND to search for Credit Card Number violations by John Doe (ex. "Credit Card Number" AND "John Doe")
Use the Not operator to exclude violations from your search query (ex."Credit Card Number" AND "John Doe" NOT Confluence)
Operator Based Search
Nightfall provides you with search operators to search for the exact violation required. A search operator is an entity that you can use as a filtering factor. For instance, Detector_name is an operator that you can use to view violations specific to a detector. Similarly, Confidence is an operator that you can use to filter violations based on confidence levels (Very Likely, Likely, Possible).
You can use an operator as shown in the following image.
You can see that when you search for Violations with Likely Confidence, the search returns all the violations in which at least one instance of Likely Finding. Similarly, when you search for Possible Confidence, the search returns all the Violations that have at least one instance of Possible finding.
Nightfall also displays the last five search terms for each user. These values are stored in the user's browser cache.
Nightfall provides two types of search operators.
You can use multiple operators to refine your search. When you use multiple operators, Nightfall applies the AND logic between the operators. So, if you wish to view all the active violations in the Zendesk integration, you can accomplish it as shown in the following image.
You can also use a single operator to filter multiple values. For instance, to view all the Violations of Zendesk and Salesforce integrations, you can use the search as shown below.
Note
If you wish to search a text with : colon in it, it is best to replace it with ? and submit the query, else the prefix to colon would be considered an operator.
Last updated
