Getting Started with Detections

FullStory goes to great lengths to ensure you don't capture sensitive data in your account. In addition to providing customers with settings to prevent sensitive data from being captured, we also offer a way to detect sensitive PII in nearly real time.

Detections monitors for the presence of possibly-sensitive data and provides relevant sessions for further investigation. False-positives can be flagged to ignore. True-positives can be resolved by adding a new mask or exclusion rule. 

To get started with Detections, select it from the universal side bar on the left side of your screen.

How It Works

To make this feature possible, we’ve introduced a new event type: A Detection Event. FullStory monitors for the presence of any string that matches a predefined, Detection Rule pattern. These patterns will be generated anywhere that FullStory is capturing data in the DOM and are then gathered as Detection Events, or detections.

Detections includes two predefined Detection types to monitor for: Passwords and Payment Card Numbers. These events are then gathered automatically into the Detections Inbox for analysis.

Detections Inbox

1. Filter & Search - At the top of the page, you can use the Filter by, Event Date, and Search options to narrow down what populates your Detections Inbox. You can filter by Detection Type (Password or Payment Card) as well as Detection Source (Form Field or Text).
2. Resolution States - There are 5 different states that Detection Events can be in:
   • Awaiting Triage - The Detection Event is “new” and needs classification
   • Awaiting Fix - The Detention Event has been classified as sensitive data, but still requires a data capture rule to mask or exclude the sensitive data. 
   • Awaiting Cleanup - The sessions containing sensitive data need to be deleted.
   • Resolved - All sensitive data associated with the Detection Event has been removed from our servers and no further action is required
   • Ignored - The Detection Event has been ignored by you.
3. Detection Event Identifiers - There are 6 identifiers FullStory uses to help you identify what exactly your Detection Events are:
   • Type - Each Detection Event is either a Password or Payment Card, which follow the predefined patterns that are generated anywhere that FullStory is capturing data in the DOM.
   • Source - A Detection Event is either found in a Form Field or as Text. Form Field means a user has typed sensitive information into a dynamic field, and Text means sensitive information is present as a static element on a page. These events can also be found inside of element data attributes, which are typically not visible on screen.
   • Detail & Location - These help you triangulate the location of the event at a glance from this Inbox view (you can click into these events and watch the sessions directly to get more information, as we’ll cover later in this article).
   • Volume - How many times the Detection Event occurred. A Detection Event can occur multiple times within a single session, which is reflected in this number.
   • Last Seen - The last time the Detection Event was found. 

Clicking into an event

From the Detections Inbox, you can get more details on any Detection Events listed by clicking on it. This will take you to the Event Details page of that particular Detection Event. You can always return to the Detections Inbox page by following the breadcrumbs backwards on the top-left of the subsequent page.

The Event Details page is the primary place where you will analyze and resolve your Detection Events. From this page, you can watch sessions to see examples, as well as delete all sessions that contain this particular Detection Event. Let’s break down the page in more detail:

1. Detection Event Data - At the top of the page, you can see the history of the Detection Event’s occurrence based on the time range selected near the top-right. This time range is pulled through from the Detections Inbox page by default. You can also see the number of sessions within that time range that contain the event, as well as the actual number of times the event occurred. Remember that a single Detection Event can occur multiple times in a single session.
2. Affected Sessions - This is a list of every single session that contains the Detection Event. You can watch through a handful of sessions to determine what kind of action to take with the Detection Event, such as deleting the sessions, creating a data capture rule to prevent future capture, or ignoring the event entirely.
3. Resolve Detection Events - Click this button once you have determined what to do with the Detection Event. We will go into more detail on what your options are to resolve events later in the article.

Watching a Detection Event session

Clicking play for any session will start replay a few moments before the Detection Event was generated. You can select the Detection Event in the Event Stream in order to pause replay at the exact moment in question.

To avoid compounding the problem of unwanted PII, FullStory avoids reprinting the string in the Event Stream. To assist in finding the data in question, you can select the Detection Event from the event stream and playback will highlight the element in question with a pink border. However, in some cases Detection Events are triggered by attributes not visible on page. For these situations, admins can expand the Detection Event in the event stream to further investigate the CSS selector for any issues. 

Resolving Detection Events

After watching sessions, you should click “Resolve Detection Event” on the Event Details page to be guided on what to do with the detection. This will begin a flow that should direct you to one of three primary outcomes:

• Ignore this Detection Event.
• Save this Detection Event and the sessions that contain it for later review and action.
• Permanently delete the sessions that contain this Detection Event.

It’s important to note that in the case a Detection Event is true and needs deletion, you should immediately go to your Settings and create a data capture rule that prevents further capture of PII. Deleting sessions will only erase sessions with the Detection Event captured up until that point.