Nightfall Documentation
  • Data Detection and Response
  • Posture Management
  • Data Exfiltration Prevention
  • Data Encryption
  • Developer APIs
  • Data Classification and Discovery
  • Welcome to Nightfall Documentation
  • Release Notes
    • Release Notes 2025
    • Release Notes 2021-2024
  • Introduction
    • Why Cloud DLP?
    • Introduction to Nightfall
    • Nightfall Overview
    • Cloud-native DLP vs. CASB
    • How Nightfall Works
    • Reasons to Choose Nightfall
    • Benefits of Nightfall
  • Compliance
    • How Nightfall Fits into Compliance Frameworks
    • ISO 27001 Compliance + DLP
    • SOC 2 Compliance + DLP
    • PCI Compliance + DLP
    • PHI Detector - More on Nightfall's HIPAA Compliance Detector
  • Getting Started
    • Installing Nightfall
  • Nightfall Detection Platform
    • Overview
    • Detectors
    • Choosing a Nightfall Detector
      • Compliance Use Cases
      • Data Protection Use Cases
    • Nightfall Detector Glossary
      • Secrets Detection
    • Creating Custom Detectors
      • Creating Dictionary Detector
      • Create File Type Detector
      • Create File Fingerprint Detector
      • Create Regular Expression Detector
      • Extend a Nightfall Detector
    • Create Detection Rules
    • Detection Platform Overview
    • Evaluating Detection
    • Creating Policies
      • Selecting Integration
      • Scope of the Policy
      • Detection Rules
      • Advanced Settings
      • Name and Risk Score
    • Historical Scan Detection Rules
    • Regex Library
    • Detection Platform FAQs
      • How can I reduce false positives in my findings?
      • What do different “Confidence Levels” mean?
      • What file types will Nightfall scan for sensitive data? What are the limitations?
      • How do I use Context Rules?
      • How do I use Exclusion Rules?
      • Does Nightfall have a regex library I can choose from?
      • Why does Nightfall sometimes miss to report SSN, credit card number, and so on?
      • Why does the Password Detector Report False Positive Zoom Password Findings?
  • Nightfall Detection & Policy Templates
    • Detection Rules
    • Nightfall Sample Data Sets
  • Dashboard and Events
    • Nightfall Dashboard
    • Sensitive Data Protection Events
      • Filtering Events
      • Event Filter Operators
      • Applying Actions on Events
      • Applying Bulk Actions on Events
      • Event Status
      • Deduplication and Automatic Resolution of Events
  • Setting up Alert Platforms
    • Nightfall Alert Platforms
    • Setting up Slack as an Alert Platform
    • Setting up Jira as an Alert Platform
    • Setting up MS Teams as an Alert Platform
  • Operationalizing Nightfall DLP
    • Playbook
    • Informing & Coaching Business Users
    • Alert Management Guiding Principles
    • Integrating with Security Tools
      • Integrating with SIEM
        • Integrating with Microsoft Sentinel
      • Creating Dashboards for Nightfall Alerts in Splunk
      • Creating Dashboards for Nightfall Alerts in Sumo Logic
      • Sending Alerts to Microsoft Teams
    • Frequently Asked Questions (FAQs) for End-Users
  • Nightfall Integrations
  • Nightfall for Slack
    • Nightfall for Slack: Quick Start
    • Getting Started With Nightfall for Slack
      • Requirements
        • Requirements for Nightfall DLP for Slack Enterprise
        • Requirements for Nightfall DLP for Slack Pro and Slack Business+
      • Installing Nightfall for Slack
        • Installing Nightfall DLP for Slack Enterprise
        • Installing Nightfall DLP for Slack Pro and Business+
    • Configure Alerts for Slack
    • Configuring Policies for Slack Pro and the Slack Business+ Editions
      • Slack Pro and Business+ App Selection
      • Configure Scope for Slack Pro and Slack Business+
      • Configure Detection Rules for Slack Pro and Slack Business+
      • Configure Automated Actions in Slack Pro and Slack Business+
      • Configure Advanced Settings in Slack Pro and Slack Business+
      • Risk Configuration in Slack DLP for Slack Pro and Slack Business+ Editions
      • Manage Events for Slack
    • Configuring Policies for the Slack Enterprise Edition
      • Slack App Selection
      • Configure Scope for Slack Enterprise
      • Select Detection Rules for Slack Enterprise
      • Configure Automated Actions in Slack Enterprise
      • Configure Advanced Settings for Slack Enterprise
      • Risk Configuration for Slack Enterprise
      • Manage Events for Slack Enterprise
    • FAQs
      • Can I redact sensitive message content in Slack?
      • Nightfall for Slack Pro vs Enterprise
        • Upgrading from Slack Pro to Enterprise
      • Can we customize the alert messages sent in Slack?
      • Can I Disable Detection in Private Channels or DMs?
      • What types of channels does Nightfall scan? Does Nightfall scan shared channels?
      • I am unable to view a sensitive message or file from the Nightfall alert channel.
      • Upon Slack installation, why am I seeing a 400 error mentioning a "Restricted Action"?
      • I send a sensitive message, edit it, and then admin applies the Redact action. What is the outcome?
      • How do I re-install Nightfall DLP for Slack Pro Edition?
      • How do I re-install Nightfall DLP for Slack Enterprise Edition?
  • Nightfall for GitHub
    • Getting Started
      • Requirements
      • Install Nightfall for GitHub
      • Configure Alerts for GitHub
    • Configure Policies for GitHub
      • GitHub App Selection
      • Configure Scope for GitHub
        • Use Regular Expressions to Exclude GitHub Directories
      • Configure Detection Rules for GitHub
      • Configure Advanced Settings for GitHub
      • Configure Risk Score for GitHub
    • Manage GitHub Events
    • Remediation on Nightfall for Github
  • NIGHTFALL FOR GOOGLE DRIVE
    • Getting Started
      • Requirements
      • Install Nightfall for Google Drive
      • Enable Google Drive Labels
      • Configure Alerts for Google Drive
    • Configure Policies for Google Drive
      • Google Drive App Selection
      • Configure Scope for Google Drive
      • Configure Detection Rules for Google Drive
      • Configure Advanced Settings for Google Drive
      • Risk Score for Google Drive
      • Manage Google Drive Events
  • Nightfall for Confluence
    • Getting Started
    • Install Nightfall for Confluence
      • Configure Alerts for Confluence
    • Configuring Policies for Confluence
      • Confluence App Selection
      • Configure Scope for Confluence
      • Configure Detection Rules for Confluence
      • Configure Advanced Settings for Confluence
      • Configure Risk Score for Confluence
      • Manage Confluence Events
    • FAQs
      • Page Restrictions
  • Nightfall for jira
    • Getting Started
    • Install Nightfall for Jira
      • Configuring Alerts for Jira
    • Configure Policies in Nightfall for Jira
      • Jira App Selection
      • Configure Scope in Nightfall for JIRA
      • Select Detection Rules in Nightfall for JIRA
      • Configuring Advanced Settings in Nightfall for JIRA
      • Configure Risk Score for Jira
      • Manage Jira Events
  • Nightfall for Microsoft 365
    • Getting Started
      • Microsoft 365 Requirements
      • Setting up Directory Sync
      • Setting up Microsoft Tenant
        • Update App Selection for a Registered Tenant
    • Nightfall for OneDrive
      • Configure Alerts for OneDrive
      • Nightfall Policies for OneDrive
        • OneDrive App Selection
        • Configure Scope for OneDrive
        • Configure Detection Rules for OneDrive
        • Configure Advanced Settings for OneDrive
        • Risk Score for OneDrive Policies
        • Manage OneDrive Events
    • Nightfall for Microsoft Teams
      • Configure Alerts for Microsoft Teams
      • Configure Policies for Microsoft Teams
        • Select Integration in Microsoft Teams
        • Configure Scope for Microsoft teams
          • Scope for Personal Chats
          • Scope for MS Teams Channels
        • Configure Detection Rules in Microsoft Teams DLP
        • Configure Advanced Settings in Microsoft Teams
        • Risk Score in Microsoft Teams Policies
        • Manage Microsoft Teams Events
  • Nightfall for Gmail
    • Overview
    • Install Nightfall DLP for Gmail
      • Configure Content Compliance Rules
        • Create Content Compliance Rule - Monitoring
        • Configure Content Compliance Rule - Quarantine
        • Configure Routing Rules - SMTP Relay Settings
    • Configure Alerts for Gmail
    • Nightfall Policies for Gmail
      • Gmail App Selection
      • Configure Scope for Gmail
      • Configure Detection Rules for Gmail
      • Configure Advanced Settings for Gmail
      • Configure Risk Score for Gmail
      • Manage Gmail Events
    • Remediation on Nightfall for Gmail
  • Nightfall For Salesforce
    • Overview
    • Getting Started
      • Install Nightfall DLP for Salesforce
      • Upgrade Nightfall DLP for Salesforce
      • Configure Alerts for Salesforce
    • Nightfall Policies for Salesforce
      • Salesforce App Selection
      • Configure Scope for Salesforce
      • Configure Detection Rules for Salesforce
      • Configure Advanced Settings for Salesforce
      • Risk Score for Salesforce
      • Manage Salesforce Events
    • FAQs
  • Nightfall for Zendesk
    • Getting Started
      • Requirements
      • Install Nightfall DLP for Zendesk
      • Configure Alerts for Zendesk
    • Configure Policies for Zendesk
      • Zendesk App Selection
      • Configure Scope for Zendesk
      • Configure Detection Rules for Zendesk DLP
      • Configure Advanced Settings in Zendesk
      • Risk Score for Zendesk
      • Manage Zendesk Events
  • Nightfall for Notion
    • Getting Started
      • Requirements
      • Steps
    • Install Nightfall for Notion
      • Verification of Notion Installation
    • Configure Alerts for Notion
    • Configure Policies for Notion
      • Notion App Selection
      • Configure Detection Rules for Notion
      • Configure Advanced Settings for Notion
      • Risk Score for Notion
      • Manage Notion Events
  • NIGHTFALL FOR Generative AI Applications
    • Overview
    • Install Nightfall for GenAI apps
      • Install Nightfall DLP on Individual Devices
      • Install Nightfall DLP Across Organization
    • Configure Alerts for GenAI apps
    • Creating GenAI Policies from Nightfall Console
      • AI Apps Selection
      • Configure Detection Rules for AI Apps
      • Configure Advanced Settings for AI Apps
      • Risk Score for AI Apps
    • Nightfall Browser Plugin Deployment Guide
    • GenAI Safe Usage and Data Protection Policy
  • Developer Section
    • Nightfall Firewall for AI
    • Nightfall Playground
  • Settings
    • Users and Roles
      • Authentication Options
    • Role Based Access Control (RBAC)
      • Security Analyst Role
      • Policy Manager Role
      • Security Events Manager Role
      • Security Operations Manager Role
      • System Administrator Role
    • Directory Sync
      • Add Microsoft Entra ID to Nightfall
      • Google Workspace Directory Service
      • Add Okta to Nightfall
    • Custom Branding
    • Customer Referral Program
  • Frequently Asked Questions (FAQs)
    • How long does it take to deploy Nightfall?
    • How do I deploy Nightfall?
    • What are some unique points about Nightfall that I should know?
    • Which languages does Nightfall support?
    • How does Nightfall yield time savings for my team?
    • Nightfall vs Legacy DLP: What's the difference?
    • How does Nightfall make my organization more secure?
    • Nightfall vs CASB: What's the difference?
    • Nightfall vs E-Discovery: What's the difference?
    • How does Nightfall classify data?
    • What types of data does Nightfall classify?
    • Does Nightfall scan unstructured data?
    • Does Nightfall require data to be already tagged?
    • How do I learn more about and test out Nightfall?
    • Using Service Accounts with Nightfall
    • Which permissions are required for each integration?
    • Where can I find active user counts for each SaaS application protected by Nightfall?
    • In the Atlassian Marketplace, why does it show that the Nightfall app is not approved in security?
    • How can I estimate the data volume that Nightfall needs to scan?
    • How can I check the Platform Status of Nightfall
  • Login to Nightfall
  • Contact Nightfall
Powered by GitBook
On this page
  • Configuring Outgoing Webhooks
  • Adding Headers for Webhooks
  • Nightfall Webhook Event Types
  • Webhook Payload Examples

Was this helpful?

Export as PDF
  1. Operationalizing Nightfall DLP
  2. Integrating with Security Tools

Integrating with SIEM

Learn how to integrate Nightfall with a SIEM or push violations downstream to any alert drain, SOAR tool, BI tool, and more.

PreviousIntegrating with Security ToolsNextIntegrating with Microsoft Sentinel

Last updated 1 month ago

Was this helpful?

To integrate with a SIEM or push Nightfall alerts downstream, specify a webhook URL in your Nightfall console.

First, configure an incoming webhook in the tool you'd like to send Nightfall alerts into. For example, this could be Splunk, Sumo Logic, LogRhythm, Slack, PagerDuty, etc.

For LogRhythm integration, initialize the Webhook Beat by following these .

This process will provide you with an HTTPS URL endpoint (as seen in step 4c). Copy this URL as you will use it to complete set up.

For Sumo Logic integration, configure an HTTP Logs and Metrics Source via the following .

This process will provide you with a URL endpoint (as seen in step 10). Copy this URL as you will use it to complete set up.

For a Splunk integration, configure an HTTP Event Collector within Splunk via the following .

This process will provide you with a URL endpoint (as seen in ). Copy this URL as you will use it to complete set up.

Authentication via HTTP Header

To authenticate to the HTTP Event Collector, you may add an Authorization as described in the Splunk documentation with your .

Note that the Authorization HTTP header for HEC requires the "Splunk" keyword before the HEC token.

Authentication via Query String

It is also possible to add your HEC Token as part of the query string of the Collector URL. This can be done for both Splunk Cloud as well as Enterprise.

If you are a Splunk Cloud customer, you will have to reach out to Splunk to enable the "allowQueryStringAuth" flag for your Splunk Cloud instance. This can be done by raising a Support Ticket with Splunk. This field can only be updated if on a Paid account. For a free/trial account, it will be unavailable.

For Splunk Enterprise, you will have to enable query string authentication for your instance, by following these steps:

Go to $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf file. Your tokens will appear by name in this file, in the form of http://<token_name>.

Within the stanza for each token you want to enable query string authentication, add or change the following setting:

allowQueryStringAuth = true

You can specify the HEC token as a query string in the URL that you specify in your queries to HEC. This can be done with the format shown below:

?token=<hec_token>

The following example shows a full Collector URL including a dummy HEC Token appended as a query string: (The example is for an Enterprise instance)

Note: We will be using the /services/collector/raw endpoint instead of the /services/collector/event endpoint. This is because of the JSON format that webhooks from Nightfall will carry, which will only be accepted with the raw version of the HTTP Event Collector endpoint. 

https://mysplunkserver.example.com:8088/services/collector/raw?token=12345678-1234-1234-1234-1234567890AB

For Splunk Cloud Customers:

For Splunk Cloud customers, the above example URL will look different including the public facing HEC URL. The endpoint (/services/collector/raw?token=12345678-1234-1234-1234-1234567890AB) should remain the same, however. Since you are on a Splunk Cloud instance, this URL should already be visible to the Nightfall console, and you would be able to start using this Webhook URL in the Nightfall console. Please continue with the steps after this section to complete webhook set up.

For Splunk Enterprise Customers:

For Splunk Enterprise customers, there are a few extra steps to have the Splunk Collector exposed to the Nightfall webhook console below.

The next step will be exposing the local host and port of the Splunk collector an HTTP Listening tool. This can be done by using an ngrok tunnel or nginx server, for example This is required so that the Enterprise Splunk instance is accessible to Nightfall's webhook from the console. Please make sure that port 8088 (this is the default port for receiving data for HEC) is accessible by navigating to "Global settings" in your Splunk Enterprise instance and enabling it.

./ngrok http https://localhost:8088

Once complete, the ngrok tunnel should show you an HTTPS Forwarding address, that can be used as the ngrok host in the following step. (HTTPS is required by Nightfall's webhook URL validation)

Your ngrok tunnel URL with your HEC auth token should now look something like this:

This will be your Webhook URL that you can use in the Nightfall console. Now you are all set to integrate alerts from your Nightfall webhook to your ngrok tunnel.

Configuring Outgoing Webhooks

Next, configure the outgoing webhook in Nightfall. This webhook will fire in real-time upon a new event (e.g. a new violation is created).

Navigate to the integration for which you would be interested in setting up a webhook for alerts. Webhooks are available all native integrations.

  1. Select the Settings tab on the top.

  2. Click the Console Audit tab.

  3. Click + Webhook.

  4. Enter the URL to your webhook endpoint.

  5. You may send a sample payload to the endpoint that you have entered to verify a successful connection using the Test button.

Adding Headers for Webhooks

You may also add HTTP Headers to send authentication tokens or other content using the Add Headers button.

Once your header key and value is entered you may obfuscate it by clicking on the "lock" icon next to the value field for the header. Click the Save button to persist your changes to the headers.

When you have completed configuring your Webhook URL and Headers, click the Save button.

Going forward, you will now see events sent directly from Nightfall into your SIEM or other solution of choice.

Nightfall Webhook Event Types

When Nightfall sends a message to the configured Webhook, an event is always included in the message. Nightfall sends the following four types of events listed in the following table.

Event Name
Event Description

exposure_update

resolution

violation

remediation

Webhook Payload Examples

The following are examples of a sample payload for detection rules that were violated, that will be delivered to the webhook. These are examples from each integration, so the specific fields may vary based on the Nightfall product you are using (e.g. Slack, Github, Google Drive Jira, etc.).

{
  "detectionRulesLink": "https://app.nightfall.ai/detection-engine/detection-rules/",
  "detectionRulesViolated": [
{
  "eventType": "violation",
  "service": "Slack",
  "companyUUID": "0957cfbd-3e71-41e5-a2eb-691668fa5572",
  "fileName": "",
  "foundIn": "Public Channel",
  "who": {
    "username": "",
    "fullName": "aziz_demo",
    "email": "",
    "userID": "U038GT1SKFE"
  },
  "permalink": "https://yoourco.slack.com/archives/C038T5N5GM7/p1668033451531234",
  "violationLink": "https://app.nightfall.ai/violations/fa7c7a95-c46c-4c3d-ab78-2b63cccc1234",
  "violationTime": "2022-11-09T22:37:34.808263861Z",
  "integrationMetadata": {
    "workspaceName": "",
    "channel": "demo",
    "channelID": "C038T5N5GM7"
  },
  "findings": [
    {
      "detectionRule": {
        "uuid": "c983ff3b-a005-45da-b104-1522c0d9c712",
        "name": "HBI Internal Person & Project Names"
      },
      "policy": {
        "uuid": "3c55d347-34a8-4987-a077-b00e9d70649e",
        "name": "My Slack Policy"
      },
      "detector": {
        "uuid": "293bda1f-00e7-4ac2-b580-2c9512816140",
        "name": "V.I.P List"
      },
      "occurrences": [
        {
          "snippet": "ey Brian did you see Go********** in the building toda"
        }
      ],
      "detectionRuleLink": "https://app.nightfall.ai/detection-engine/detection-rules?selectedDetectionRules=c983ff3b-a005-45da-b104-1522c0d9c712",
      "policyLink": "https://app.nightfall.ai/slack/policies/3c55d347-34a8-4987-a077-b00e9d70649e"
    },
    {
      "detectionRule": {
        "uuid": "29d5f705-6954-4883-a903-3c960ebc3960",
        "name": "My Detection rule"
      },
      "policy": {
        "uuid": "accdb5a7-db06-4614-9495-cdeb74b305cb",
        "name": "My Policy"
      },
      "detector": {
        "uuid": "f480b42c-2724-4264-aa12-79044fa6b1c1",
        "name": "My Dictionary of secret entries"
      },
      "occurrences": [
        {
          "snippet": "ey Brian did you see Go********** in the building toda"
        }
      ],
      "detectionRuleLink": "https://app.nightfall.ai/detection-engine/detection-rules?selectedDetectionRules=29d5f705-6954-4883-a903-3c960ebc3960",
      "policyLink": "https://app.nightfall.ai/slack/policies/accdb5a7-db06-4614-9495-cdeb74b305cb"
    }
  ]
}
{
  "detectionRulesLink": "https://app.nightfall.ai/detection-engine/detection-rules",
  "detectionRulesViolated": [
    "dcc6dd2e-0177-4110-ab3d-0778cc1e76d2"
  ],
  "eventType": "violation",
  "message": "Policy Violation Detected",
  "policiesLink": "https://app.nightfall.ai/github/policies",
  "policiesViolated": [
    "8478f262-e54d-423d-b63f-a3e322329eaf"
  ],
  "service": "github",
  "timestamp": "2022-01-26T23:05:35Z",
  "violationId": "6d6639f0-6deb-4b81-ac89-59b4cf9448f4",
  "violationMetadata": {
    "authorEmail": "66931356+awanarslan@users.noreply.github.com",
    "branchName": "main",
    "commitRef": "11755af67b8ef514ce6f3ce13864cce69bbd2b24",
    "confidence": "Very Likely",
    "contentType": "commit",
    "detector": "US social security number (SSN)",
    "filePath": "traptext.txt",
    "lineRangeEnd": 18,
    "lineRangeStart": 18,
    "organizationName": "test-org-aawan",
    "repositoryName": "tst-secret-scan",
    "violationLink": "https://app.nightfall.ai/github/violations/6d6639f0-6deb-4b81-ac89-59b4cf9448f4"
  },
  "violationTime": "2022-01-26T23:05:34Z"
}
{
  "eventType": "violation",
  "service": "Google Drive",
  "companyUUID": "e64d1a72-5488-4f9f-bd8a-059c5e5e7ded",
  "fileName": "Payment tracking",
  "foundIn": "application/vnd.google-apps.document",
  "who": {
    "username": "user@useremail.com",
    "fullName": "",
    "email": "",
    "userID": ""
  },
  "permalink": "https://docs.google.com/document/d/1DSPOp6Xdpz4oguFjAQfdrhHqooC8ZpRxISQUanH1234/edit?usp=drivesdk",
  "violationLink": "https://app.nightfall.ai/violations/049e2ca1-86e8-4601-add1-6aed27701234",
  "violationTime": "2022-11-11T18:46:30.111325042Z",
  "integrationMetadata": {
    "fileOwner": "user@useremail.com",
    "linkSettings": "",
    "existingFindings": null,
    "sharedDriveLink": "https://docs.google.com/document/d/1DSPOp6Xdpz4oguFjAQfdrhHqooC8ZpRxISQUanH1234/edit?usp=drivesdk",
    "sharedDriveName": "",
    "sharedWith": ""
  },
  "findings": [
    {
      "detectionRule": {
        "uuid": "42efe36c-6479-412a-9049-fd8cdf895ced",
        "name": "my test detector rule"
      },
      "policy": {
        "uuid": "9bd2215f-2ab1-4c47-b464-fb401222eb91",
        "name": "Demo Policy"
      },
      "detector": {
        "uuid": "74c1815e-c0c3-4df5-8b1e-6cf98864a454",
        "name": "Credit card number"
      },
      "occurrences": [
        {
          "snippet": "******* credit card 35***************** has been charged"
        }
      ],
      "detectionRuleLink": "https://app.nightfall.ai/detection-engine/detection-rules?selectedDetectionRules=42efe36c-6479-412a-9049-fd8cdf81234",
      "policyLink": "https://app.nightfall.ai/google-drive-dlp/policies/9bd2215f-2ab1-4c47-b464-fb4012221234"
    }
  ]
}
{
  "eventType": "violation",
  "service": "Confluence",
  "companyUUID": "e64d1a72-5488-4f9f-bd8a-059c5e5e7ded",
  "fileName": "",
  "foundIn": "page",
  "who": {
    "username": "Max Rogers",
    "fullName": "Max Rogers",
    "email": "user@useremail.com",
    "userID": "5f965f1399b42e00697fef67"
  },
  "permalink": "https://myco.atlassian.net/wiki/spaces/ENGG/pages/163955/Brainstorming",
  "violationLink": "https://app.nightfall.ai/violations/b437fb40-df86-47e6-b318-26c8d3d61234",
  "violationTime": "2022-11-11T18:39:37.154475401Z",
  "integrationMetadata": {
    "contentName": "Brainstorming",
    "parentPageName": "",
    "authorID": "5f965f1399b42e00697fef67",
    "contentID": "163955"
  },
  "findings": [
    {
      "detectionRule": {
        "uuid": "42efe36c-6479-412a-9049-fd8cdf895ced",
        "name": "my test detector rule"
      },
      "policy": {
        "uuid": "6f82326e-0a22-4bce-a313-25b234474479",
        "name": "Engg Ravi"
      },
      "detector": {
        "uuid": "74c1815e-c0c3-4df5-8b1e-6cf98864a454",
        "name": "Credit card number"
      },
      "occurrences": [
        {
          "snippet": "edit card tracking - 35*****************\nCredit card tracking"
        },
        {
          "snippet": " to this credit card 35*****************\nBrainstorming method"
        },
        
      ],
      "detectionRuleLink": "https://app.nightfall.ai/detection-engine/detection-rules?selectedDetectionRules=42efe36c-6479-412a-9049-fd8cdf891234",
      "policyLink": "https://app.nightfall.ai/confluence/policies/6f82326e-0a22-4bce-a313-25b234471234"
    }
  ]
}

{
  "detectionRulesLink": "https://app.nightfall.ai/detection-engine/detection-rules?selectedDetectionRules=6a86a804-4aa6-41fe-a288-aea9a69b458d",
  "detectionRulesViolated": [
    "6a86a804-4aa6-41fe-a288-aea9a69b458d"
  ],
  "eventType": "violation",
  "message": "Violation detected in confluencedlp",
  "policiesLink": "https://app.nightfall.ai/?intendedRoute=confluence/?policyUUID%5B%5D=ff8bafb7-04ff-4abe-80e0-2bf930c019bf",
  "policiesViolated": [
    "ff8bafb7-04ff-4abe-80e0-2bf930c019bf"
  ],
  "service": "confluencedlp",
  "timestamp": "2022-07-08T14:40:27Z",
  "violationId": "f7e11270-8cf5-42ae-9893-6295661e4730",
  "violationMetadata": {
    "authorId": "62437f828678e9007059b679",
    "authorName": "My User",
    "contentId": "557057",
    "contentTitle": "Detection Testing",
    "contentType": "page",
    "findings": {
      "Credit card number": {
        "VERY_LIKELY": 1
      }
    },
    "permalink": "https://myco.atlassian.net/wiki/spaces/CC/pages/557057/Detection+Testing",
    "snippet": "card, the number is 67*****************. Could you take a lo",
    "workspace": "Myco Central"
  },
  "violationTime": "2022-07-08 14:40:23 +0000 UTC",
  "violationsLink": ""
}

{
  "eventType": "remediation",
  "message": "Re: ID 2ec0a7 - Successfully quarantined suspicious message posted by Tehreem Tungekar (tehreem) in #project.",
  "remediationMetadata": {
    "actionType": "quarantine",
    "actionUser": "tehreem",
    "remediationType": "manual"
  },
  "remediationTime": "2022-02-01 18:21:24.173819136 +0000 UTC",
  "service": "slack",
  "timestamp": "2022-02-01T18:22:25Z",
  "violationId": "2ec0a7"
}

{
  "eventType": "remediation",
  "message": "Made file restricted",
  "remediationMetadata": {
    "actionType": "restrict_file",
    "actionUser": "tehreem+sales_enterprise@nightfall.ai",
    "remediationType": "manual"
  },
  "remediationTime": "24 Jan 2022 at 11:54PM UTC",
  "service": "GDrive",
  "timestamp": "2022-01-24T23:54:11Z",
  "violationID": "TGMGNQ"
}

Once the flag is enabled, please use the following steps to query the HEC Token within the URL String. For more information on Query string authentication from Splunk, please reference the docs .

Steps for setting up a ngrok tunnel can be found . If using a ngrok tunnel, the following command would generate a ngrok tunnel listening to the correct port and protocol for the collector:

An alert that triggers if there are new findings or if findings have been removed from the .

An alert that triggers when the is resolved.

An alert that triggers when a new is created.

An alert that is triggered when any remediation action (eg . Redact, delete) content is taken on the .

The following are examples of a sample payload for remediations/actions that were taken on the above mentioned , that will be delivered to the webhook. These are examples from each integration, so the specific fields may vary based on the Nightfall product you are using (e.g. Slack, Github, Google Drive Jira, etc.).

here
here
https://<NGROK_HOST>/services/collector/raw?token=<YOUR_HEC_TOKEN>
Nightfall Events
Nightfall Event
Nightfall Event
Nightfall Event
Nightfall Event
instructions
instructions
instructions
this step
HTTP Event Collector token
http header