
Creating Scanning Policies

Follow the directions to create your first Salesforce DLP Scanning Policy.
Creating scanning policies within Nightfall for Salesforce involves the following steps:
  • Creating Detectors
  • Setting up Policies
  • Selecting Objects and Fields
  • Configuring Detection Rules
  • Setting up alerts

Creating Detectors, Detection Rules

You can create new Detectors or Detection Rules, or use the ones provided by Nightfall by default. You can add up to 50 Detectors or Detection Rules within Nightfall.
To create a Detector or Detection Rule:
  1. Click Detectors and Detection Rules.
Refer to How to create new Detectors, Detection Rules and how the detection engine works.

Setting up Policies

To set up Policies for Nightfall for Salesforce:
  1. Click My Integrations. Select Salesforce.
  2. Select the Policies tab.
    Configure Policies.
  3. Click + New policy.
  4. Enter a policy name and provide a description for the policy.
  5. Configure the objects and fields that you want Nightfall to scan.
    Select Objects and Fields for Nightfall to scan.

Selecting Objects and Fields

Select from the list of objects and fields within your organization that you want to scan for sensitive data in real-time. Nightfall provides a default list of objects and fields.
To change your selection:
  1. Click Change selection under the Scope section of your Policy. A dialog displays.
  2. Select the objects and fields that you want Nightfall to scan in your Salesforce instance.
  3. Click Save. The dialog disappears. The objects and fields you selected are added to the Nightfall scan list.
NOTE: Select the fields that are related to the Detectors that you select in the next step.

Configuring Detection Rules

To configure detection rules:
  1. Click Detection rule. The detection rules dialog displays.
  2. Select the detection rules that you want to add to your policy.
  3. Define which objects and fields the selected Detection Rules should apply to.
  4. Click Add.
  5. Click Save. The alerts are set up now.

Setting up Alerts

You can now set up the alert channels that are notified when a policy violation is detected in your Salesforce instance. You can set up any of the channels that are provided.
Select the Settings tab.
  • To set up a Slack channel when the Slack integration is not yet installed, click Install.
  • To set up an Email channel, click Email.
  • To set up a Webhook, click Webhook.
Configure Alerts.

Configuring Alerts in Slack

To receive Slack notifications, you must first install the Nightfall Slack integration. After that, it is merely a matter of providing the Slack channel name to which you want notifications sent.
By default, once Slack alerts are set up, Nightfall sends all Salesforce DLP alerts to the “#nightfall-Salesforce-alerts” channel in Slack.
Below is an example of how alerts appear in Slack:

Configuring Alerts in Email

Sending alerts about Salesforce DLP violations requires that you provide an email address under the Settings tab of the Salesforce Integration.
Below is a sample of an email sent by the solution:
Once you have your alerting options set, you can now start scanning your Salesforce instance in real time. For a reference on options for how to remediate violations, please see the link below:

Configuring Webhook Alerts

Nightfall supports sending alerting information to webhooks, which allow for programmatic handling of the data contained within the alert. For more information about how webhooks work in Nightfall, see our developer documentation on webhooks.
To configure Nightfall Salesforce DLP to use a webhook, you must provide the webhook URL in the Settings section of the Salesforce integration.
Click the “+ Webhook” button at the bottom of the alerting section and enter the address of your webhook into the modal window that appears.

Violation Notification

The following payload will be sent to the designated webhook when a violation has been detected.
It provides information about the Detection Rule that was violated (detectionRulesViolated) and where the violation was found (via the objectName and fields properties).
Remediation actions can be taken via the acknowledgeLink, redactFindingsLink, and the deleteRecordLink properties.
    {
      "detectionRulesLink": "",
      "detectionRulesViolated": "SSN DR",
      "eventType": "violation",
      "message": "Policy violation detected in Salesforce",
      "policiesLink": "",
      "policiesViolated": "Account",
      "service": "Salesforce",
      "timestamp": "2022-06-22T06:34:30Z",
      "violationID": "CRY7XI",
      "violationMetadata": {
        "acknowledgeLink": "",
        "deleteRecordLink": "",
        "event": "Record Updation",
        "fields": "description",
        "findingSnippets": [
          "SSN: 55*********."
        ],
        "findings": "US social security number (SSN) (1 Very Likely)",
        "objectName": "Case",
        "orgName": "NightfallProdDemo",
        "orgType": "Sandbox",
        "recordID": "5008K000000yP86QAE",
        "recordLink": "",
        "redactFindingsLink": "",
        "who": "Mohit Mangnani",
        "whoLink": ""
      },
      "violationTime": "22 Jun 2022 at 6:34AM UTC"
    }
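
One way a webhook receiver could validate and triage the payload shown above. This is an added example, not Nightfall's own code: the function name `parse_violation`, the regular expression for the `findings` string (inferred from the single sample), the HTTPS check on remediation links and the placeholder link value are all assumptions.

```python
import json
import re
from datetime import datetime

# Keys taken from the payload documented above.
REQUIRED = ("eventType", "service", "violationID", "timestamp", "violationMetadata")
ACTIONS = ("acknowledgeLink", "redactFindingsLink", "deleteRecordLink")
# Assumed shape of "findings", based on the one sample: "<detector> (<count> <confidence>)"
FINDING_RE = re.compile(r"^(?P<detector>.+) \((?P<count>\d+) (?P<confidence>[A-Za-z ]+)\)$")


def parse_violation(raw_body: bytes) -> dict:
    """Validate a violation payload and return only the fields needed for triage."""
    event = json.loads(raw_body)
    missing = [k for k in REQUIRED if k not in event]
    if missing:
        raise ValueError(f"missing keys: {missing}")
    if event["eventType"] != "violation" or event["service"] != "Salesforce":
        raise ValueError("not a Salesforce violation event")
    meta = event["violationMetadata"]
    match = FINDING_RE.match(meta.get("findings", ""))
    return {
        "violation_id": event["violationID"],
        "detected_at": datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00")),
        "rule": event.get("detectionRulesViolated"),
        "location": f'{meta.get("objectName")}.{meta.get("fields")}',
        "record_id": meta.get("recordID"),
        "finding": match.groupdict() if match else None,
        # Offer only remediation links that are present and use HTTPS.
        "actions": [a for a in ACTIONS if str(meta.get(a, "")).startswith("https://")],
        # findingSnippets is deliberately dropped so partial sensitive data
        # is not copied into logs or tickets.
    }


# Constructed sample input: a subset of the payload above. The link is a placeholder.
SAMPLE = json.dumps({
    "eventType": "violation", "service": "Salesforce", "violationID": "CRY7XI",
    "detectionRulesViolated": "SSN DR", "timestamp": "2022-06-22T06:34:30Z",
    "violationMetadata": {
        "acknowledgeLink": "https://example.invalid/ack", "redactFindingsLink": "",
        "deleteRecordLink": "", "fields": "description", "objectName": "Case",
        "findings": "US social security number (SSN) (1 Very Likely)",
        "findingSnippets": ["SSN: 55*********."], "recordID": "5008K000000yP86QAE",
    },
}).encode()

if __name__ == "__main__":
    print(parse_violation(SAMPLE))
```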