Who can use this feature?
- Available with Enterprise, Advanced, Business, and Free plans.
- Requires an admin role.
Fullstory goes to great lengths to ensure you don't capture sensitive data in your account. In addition to providing customers with settings to prevent sensitive data from being captured, we also offer a way to detect sensitive PII in nearly real-time.
Detections monitor for possibly sensitive data and provide relevant sessions for further investigation. False positives can be flagged to ignore. True positives can be resolved by adding a new mask or exclusion rule.
To get started with Detections, go to Tools and click Detections.
How It Works
Detections consist of Detection Events. Fullstory monitors for the presence of any string that matches a predefined Detection Rule pattern. These patterns will be generated anywhere that Fullstory is capturing data in the DOM and are then gathered as Detection Events or detections.
Detections include two predefined Detection types to monitor for: Passwords and Payment Card Numbers. These events are then gathered automatically into the Detections Inbox for analysis.
Detections Inbox
- Filter & Search - At the top of the page, you can use the Filter by, Event Date, and Search options to narrow down what populates your Detections Inbox. You can filter by Detection Type (Password or Payment Card) and Detection Source (Form Field or Text).
-
Resolution States - There are five different states that Detection Events can be in:
- Awaiting Triage - The Detection Event is “new” and needs classification
- Awaiting Fix - The Detention Event has been classified as sensitive data but still requires a data capture rule to mask or exclude the sensitive data.
- Awaiting Cleanup - The sessions containing sensitive data need to be deleted.
- Resolved - All sensitive data associated with the Detection Event has been removed from our servers, and no further action is required
- Ignored - You have ignored the Detection Event.
-
Detection Event Identifiers - There are six identifiers Fullstory uses to help you identify what exactly your Detection Events are:
- Type - Each Detection Event is either a Password or Payment Card, following predefined patterns generated anywhere Fullstory captures data in the DOM.
- Source - A Detection Event is either found in a Form Field or as Text. Form Field means a user has typed sensitive information into a dynamic field, and Text means sensitive information is present as a static element on a page. These events can also be found inside element data attributes, typically not visible on screen.
- Detail & Location - These help you triangulate the event's location at a glance from this Inbox view (you can click into these events and watch the sessions directly to get more information, as we’ll cover later in this article).
- Volume - How many times did the detection event occur? A Detection Event can occur multiple times within a single session, as reflected in this number.
- Last Seen - The last time the Detection Event was found.
Clicking into an event
From the Detections Inbox, you can get more details on any Detection Events listed by clicking on it. This will take you to the Event Details page of that particular Detection Event. You can always return to the Detections Inbox page by following the breadcrumbs backward on the top-left of the subsequent page.
You will analyze and resolve your Detection Events on the Event Details page. From this page, you can watch sessions to see examples and delete all sessions that contain this particular Detection Event. Let’s break down the page in more detail:
- Detection Event Data - At the top of the page, you can see the history of the Detection Event’s occurrence based on the time range selected near the top-right. This time range is pulled through from the Detections Inbox page by default. You can also see the number of sessions within that time range that contain the event and the actual number of times the event occurred. Remember that a single Detection Event can occur multiple times in a session.
- Affected Sessions - This lists every session containing the Detection Event. You can watch through a handful of sessions to determine what kind of action to take with the Detection Event, such as deleting the sessions, creating a data capture rule to prevent future capture, or ignoring the event entirely.
- Resolve Detection Events - Click this button once you have determined what to do with the Detection Event. We will go into more detail about your options to resolve events later in the article.
Watching a Detection Event session
Clicking play for any session will start to replay a few moments before the Detection Event is generated. You can select the Detection Event in the Event Stream to pause the replay at the exact moment in question.
To avoid compounding the problem of unwanted PII, Fullstory avoids reprinting the string in the Event Stream. To assist in finding the data in question, you can select the Detection Event from the event stream, and playback will highlight the element in question with a pink border. However, in some cases, Detection Events are triggered by attributes not visible on the page. For these situations, admins can expand the Detection Event in the event stream to investigate the CSS selector further for any issues.
Resolving Detection Events
Manual Resolution
After watching sessions, click “Resolve Detection Event” on the Event Details page to be guided on what to do with the detection. This will begin a flow that should direct you to one of three primary outcomes:
- Ignore this Detection Event.
- Save this Detection Event and the sessions that contain it for later review and action.
- Permanently delete the sessions that contain this Detection Event.
It’s important to note that if a Detection Event is true and needs deletion, you should immediately go to your Settings and create a data capture rule preventing further PII capture. Deleting sessions will only erase sessions with the Detection Event captured until then.
Automatic Resolution
Detection Events will be resolved automatically if you delete the sessions where the events occurred. This can happen if:
- You manually deleted sessions where detection events occurred.
- You contacted Fullstory to perform a bulk deletion or redaction for sessions where detection events occurred.
- Sessions where detection events occurred are deleted automatically when they age out of your account's replay retention period.