Violation Monitoring

The Violations monitoring console within the Nightfall app provides a real-time view of violations across all integrations and lets you remediate violations that have occurred within the past 30 days.
The Violations Monitoring Console is available through the Nightfall app by selecting “Violations” from the left-hand navigation menu.
You may filter the Violations displayed based on the Integration, Detector and Likelihood.
Filter for violations
You can search and view using any one of the filters:
  • Detector
  • Integration
  • Likelihood
  • Status
  • User
The Violations section lists a summary of every violation that has been detected.
View Violations

Violation Statuses

These Violations may be filtered by their status. Statuses include the following:
  • Active: applies to any un-remediated violation that requires immediate attention. This includes new violations that have never been remediated via Slack alerts or from the Nightfall console. Security teams should start with active alerts, which need to be triaged so that data security risks are remediated.
  • Actioned: applied to violations that have been remediated by at least one action (available actions vary based on the integration).
  • Ignored: assigned to violations that do not require any further action, such as redundant violation notifications or false positives.
  • Expired: violations for which the data has been moved to a temporary location (e.g. a message in Slack moved to a temporary Slack channel) where it can be either rejected or approved. All quarantined violations can be approved or rejected, similar to how it is possible today on Slack alerts.
  • Reported: violations that were detected but marked as ignored as false positives.
Information on a violation may be expanded to show more detail. The detail shown is determined by the integration in which the violation was detected.
See the documentation on each integration for specifics on what data is shown for each violation that is reported.

Taking Action on Violations

For each violation, a number of options are available that allow you to react to the violation through the "More Options" context menu: the ellipsis (...) button at the top right of the violation.
The options available in this context menu vary by integration, according to the functionality and technical limitations of that integration. For specifics on which features are available, consult the documentation on the particular integration.
Violations Actions (Google Drive)
The following is an overview of the options typically available:
  • Acknowledge sends an email alert about the policy violation to the email account associated with your login.
  • Delete removes the message or file that contains the sensitive data.
  • Send a message to the individual who caused the violation, so you can coach end users with a message and contextual metadata about the violation. Depending on the integration, you may have the option to send this notification by either email or Slack direct message.
  • Ignore: if the violation was detected in error or is otherwise not considered serious, you may mark it as ignored. This moves the violation to the “Reported” tab in the console.
Remediation Options
Remediation options vary depending upon the integration:
  • Redact: you may be able to redact the content in the source where the violation was found, replacing characters with an asterisk (*) so that the most sensitive data is no longer visible, or is only partially visible. This is available for messages in Slack enterprise edition and certain text fields in JIRA (description, summary, and custom fields that are text).
  • Quarantine: if you do not wish to take remediation action immediately but want to isolate the data for further review, Slack messages can be quarantined so the data is not exposed.
  • Restrict access: alternatively, you may prevent the content from being accessed either by a link or by a download, as is the case with access to files on Google Drive.
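The redaction option above masks flagged characters with an asterisk, either hiding the data entirely or leaving part of it visible. The Python below is an added example written for this page, not Nightfall's own code, showing the two behaviours a redaction step has to get right: one mask character per original character so the message keeps its shape, and merging spans flagged by more than one detector so a permissive partial-redaction rule for one detector never re-exposes characters a stricter detector also flagged. The two regex detectors, the `keep_last` allowance map and the sample message are constructed stand-ins; Nightfall's detectors and finding format are not assumed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed stand-in detectors. Real findings would come from the scanning
# integration; these regexes only exist so the example runs offline.
STANDIN_DETECTORS = {
    "credit_card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "cvv": re.compile(r"\bCVV\s*\d{3}\b"),
}


@dataclass(frozen=True)
class Finding:
    """One flagged span: [start, end) character offsets into the scanned text."""
    start: int
    end: int
    detector: str


def find_spans(text: str) -> List[Finding]:
    """Run the stand-in detectors and return every match as a Finding."""
    return [Finding(m.start(), m.end(), name)
            for name, pattern in STANDIN_DETECTORS.items()
            for m in pattern.finditer(text)]


def merge_spans(findings: Iterable[Finding],
                keep_last: Dict[str, int]) -> List[Tuple[int, int, int]]:
    """Collapse overlapping spans into (start, end, allowance) triples.

    keep_last maps detector name -> number of trailing characters that may stay
    visible (default 0, i.e. fully hidden). Overlapping spans take the smallest
    allowance among them, so a stricter detector is never undercut by a more
    permissive one that happens to flag the same characters.
    """
    spans = sorted((f.start, f.end, keep_last.get(f.detector, 0)) for f in findings)
    merged: List[Tuple[int, int, int]] = []
    for s, e, k in spans:
        if merged and s <= merged[-1][1]:
            ps, pe, pk = merged[-1]
            merged[-1] = (ps, max(pe, e), min(pk, k))
        else:
            merged.append((s, e, k))
    return merged


def redact(text: str, findings: Iterable[Finding],
           keep_last: Optional[Dict[str, int]] = None, mask: str = "*") -> str:
    """Replace each flagged span with mask characters, one per original character.

    With an allowance for a detector, the last `allowance` characters of each of
    its spans remain visible (partial redaction, e.g. the last four card digits).
    """
    if len(mask) != 1:
        raise ValueError("mask must be a single character")
    out: List[str] = []
    cursor = 0
    for s, e, allowance in merge_spans(findings, keep_last or {}):
        if s < cursor or e > len(text) or s >= e or allowance < 0:
            raise ValueError(f"invalid span ({s}, {e}) for text of length {len(text)}")
        out.append(text[cursor:s])
        span = text[s:e]
        hidden = max(len(span) - allowance, 0)
        out.append(mask * hidden + span[hidden:])
        cursor = e
    out.append(text[cursor:])
    return "".join(out)


def redact_message(text: str, keep_last: Optional[Dict[str, int]] = None) -> str:
    """Detect with the stand-in detectors, then redact the message."""
    return redact(text, find_spans(text), keep_last)


if __name__ == "__main__":
    # Constructed sample message; not real card data.
    msg = "Card on file is 4111 1111 1111 1111, CVV 123, thanks!"
    print(redact_message(msg))                              # fully hidden
    print(redact_message(msg, {"credit_card": 4}))          # last four digits visible
```

Passing a per-detector allowance rather than one global "keep N characters" setting matters in practice: a rule that keeps the last four characters is reasonable for a card number but would expose an entire three-digit CVV, and the merge step keeps the conservative choice wherever spans from different detectors overlap.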