Nightfall helps organizations secure historical data in Google Drive through comprehensive DLP audits. The platform offers two audit types to enhance your data security posture:

1. Posture Management: Focuses exclusively on file permissions, identifying files with risky sharing configurations like external user access or public sharing.

2. Posture Management & Data Discovery: Provides complete protection by examining both file permissions and content for sensitive information like PII, PCI, PHI, secrets and credentials.

Key Functionality

• Customizable Scope: Select specific drives, date ranges, and permission settings to target your audit.

• Automated Remediation: Configure actions that trigger automatically when violations are reported.

• Comprehensive Scanning and Visibility: Examines over 150+ file types using AI-powered detection. Review violations in the console and metrics such as total data scanned, highest risk users, assets and more.

Prerequisites

You must ensure that the Google Drive integration is installed in your Nightfall tenant. To learn more about how to install the Google Drive integration, refer to this .

The process of creating an Audit for the Google Drive integration involves the below steps.

Creating Policy

The process of creating a Nightfall audit consists of five key stages:

A Nightfall Audit enables you to assess your organization's security posture and safeguard sensitive data. By identifying and addressing security vulnerabilities, Nightfall audits help prevent data leaks and ensure compliance with standards such as HIPAA, PCI DSS, and more. They also allow for a thorough evaluation of security policies within your organization.

Unlike real-time scanning, Nightfall audits focus on historic data scans, allowing you to examine stored data across various cloud environments. You can define a historical date range and apply filters to customize the scope, ensuring precise and efficient data analysis.

Upon completion, Nightfall generates a detailed report, highlighting security issues and sensitive data exposure. This enables organizations to take appropriate corrective actions.

Creating a Nightfall Audit

The process of creating a Nightfall audit consists of five key stages:

Choose the Nightfall integration you want to audit:

1. Navigate to Discovery and Classification.

2. Click + New Audit in the top-right corner.

3. Select the Google Drive integration.

4. Select one of the following options.

   • Posture Settings to scan only for file sharing permissions of each file in Google Drive.

   • Posture Settings and Data Discovery to scan both file permissions and presence of sensitive data.

In the final stage, you must provide a name to the audit. The results of the audit also have the same name as mentioned here.

1. Enter a name and click Next.

2. You can review the settings configured. To edit any setting, click Back.

3. If all the settings are configured accurately, click Submit.

The Scope section allows you to select the historic period that needs to be audited. The historic period allows you to scan all the files which were either created or modified during the selected period. The time period can stretch to a maximum of 6 months.

Once you select the time period, you must select the Salesforce Org on which you wish to perform the audit. To select a Salesforce Org, you must click the + Add Org button. If you have configured a single tenant, the configured tenant is selected automatically.

After selecting the required tenant, you must select which Salesforce elements from the selected tenant must be audited. You can either choose to audit the Salesforce Objects, Files, or both.

Choose the Nightfall integration you want to audit:

1. Navigate to Discovery and Classification.

2. Click + New Audit in the top-right corner.

3. Select the Salesforce integration.

Choose the Nightfall integration you want to audit:

1. Navigate to Discovery and Classification.

2. Click + New Audit in the top-right corner.

3. Select the OneDrive integration.

In this section, you can choose the detection rules that will be used to audit sensitive data. If any data selected in the Scope section violates one of the detection rules here, it is considered to contain sensitive data. To select a detection rule, simply check the corresponding box. You can use the search bar to find specific detection rules. At least one detection rule must be selected.

This section describes the various actions that Nightfall takes automatically when a violation is detected. You must turn on the toggle switch to enable an action. All the automated actions are permanent and cannot be reversed once applied. You can also use the delayed remediation feature to set the timeline as to when an action must be taken. You can either choose to apply the automated action immediately after detecting a violation or after some time.

The various automated actions are described as follows.

Remove all external users and groups: This action revokes the file access in which sensitive data was found. All external users and groups will no longer have access to the file. You must also configure the delayed remediation feature by selecting an option in the Trigger action field. You can either choose to apply the action You can either select the Immediately option to apply the automated action immediately after detecting a violation or select the After option to implement the automated action after a certain time delay. If you select the After option, you must also set the delay time. The automated action is implemented once the delay time is elapsed.

• Remove all internal users and groups: This action revokes the file access in which sensitive data was found. All internal users and groups will no longer have access to the file.

• Restricted: This action restricts the file access only to those users who have the link to access it

• Disable Download, Print, and Copy: This action disables downloading, printing, or copying the file in which sensitive data was found. This action is only applicable to users with the View and Comment permission. File owners can always download and copy the file.

The automated actions are not applicable in a few scenarios. To learn more about these scenarios, you can refer to .

This document explains the process of creating audits in Nightfall for the GitHub integration. A GitHub audit helps you analyze your historic GitHub data for the presence of sensitive content.

Use Cases for GitHub Audit: Hardcoded Secrets in GitHub Code

Modern applications store vast amounts of code in GitHub repositories, making manual scanning for sensitive data impractical. Nightfall audits can efficiently scan billions of bytes of code within minutes, quickly identifying hardcoded secrets such as passwords, API keys, and other sensitive credentials.

Prerequisites

You must ensure that the GitHub integration is installed in your Nightfall tenant. To learn more about how to install the GitHub integration, refer to this .

The process of creating an Audit for the GitHub integration involves the configuration of following settings.

This section describes the various actions that Nightfall takes automatically when a violation is detected. You must turn on the toggle switch to enable an action. The automated action is permanent and cannot be reversed once applied. You can also use the delayed remediation feature to set the timeline as to when an action must be taken. You can either choose to apply the automated action immediately after detecting a violation or after some time.

The various automated actions are described as follows.

• Delete: This action deletes any attachments or field data in the Salesforce that contains sensitive information. You can turn on the toggle switch to enable this action. You must also select the timeline as to when this action must be taken after a policy violation is detected.

Note: How Delete Action Works for Files in Nightfall DLP for Salesforce

When you create a new Salesforce file it is considered to be the first version of the file. Every time you edit the file, Salesforce creates a new version of the file that has the latest changes. All the previous versions of the file are also stored by Salesforce. When Nightfall detects sensitive data in a file, Nightfall overwrites the file and uploads a text file that contains a message on why your file was replaced by the text file. You can contact your Salesforce admin to provide you with the previous version of the file that contains sensitive data.

In the final stage, you must provide a name to the audit. The results of the audit also have the same name as mentioned here.

1. Enter a name and click Next.

2. You can review the settings configured. To edit any setting, click Back.

3. If all the settings are configured accurately, click Submit.

1. Click Discovery and Classification.

2. Click + New Audit in the top right corner.

3. Select the GitHub integration.

In this section, you can choose the detection rules that will be used to audit sensitive data. If any data selected in the Scope section violates one of the detection rules here, it is considered to contain sensitive data. To select a detection rule, simply check the corresponding box. You can use the search bar to find specific detection rules. At least one detection rule must be selected.

This section is not applicable if you have chosen to audit only the posture settings. In this section, you can choose the detection rules that will be used to audit sensitive data. If any data selected in the Scope section violates one of the detection rules here, it is considered to contain sensitive data. To select a detection rule, simply check the corresponding box. You can use the search bar to find specific detection rules. At least one detection rule must be selected.

In this section, you can choose the detection rules that will be used to audit sensitive data. If any data selected in the Scope section violates one of the detection rules here, it is considered to contain sensitive data. To select a detection rule, simply check the corresponding box. You can use the search bar to find specific detection rules. At least one detection rule must be selected.

The Scope section allows you to select the historic period that needs to be audited. The historic period allows you to scan all the files which were either created or modified during the selected period. The time period can stretch to a maximum of 6 months.

Once you select the scope, you must select the nature of Google Drive files to be included or excluded from the scan. You can choose to scan either the User drives or Shared drives. The detailed description on how to select the drive can be found in this document. Additionally, you can also select files based on their sharing settings. The detailed explanation on how to configure these settings can be found in this document.

Once you select the files, you can apply filters on the selected files. The filters section provides you the flexibility to include and exclude users at a granular level. Nightfall supports four types of filters. The following bullet points hyperlink to the detailed description of each of the four filters.

• Internal Users

Once the Nightfall audit is started, it is placed in the queue for scanning, with the status displayed as Queued. Once the scan begins, the status changes to Scanning. After the audit is completed, the status is updated to Completed. To stop an audit, click the ellipsis menu and select Stop.

To view the results of a specific audit, click the ellipsis menu for the desired audit and select View Results. This option displays the results of only the selected audit.

To view the results of all the audits, navigate to the Results tab. On the Results tab, you can apply filters to view the results of desired audits or directly select an audit from the drop-down menu.

Nightfall helps organizations secure historical data in OneDrive through comprehensive DLP audits.

Key Functionality

• Customizable Scope: Select specific drives, date ranges, and permission settings to target your audit

In the final stage, you must provide a name to the audit. The results of the audit also have the same name as mentioned here.

1. Enter a name and click Next.

2. You can review the settings configured. To edit any setting, click Back.

3. If all the settings are configured accurately, click Submit.

This section describes the various actions that Nightfall takes automatically when a violation is detected. You must turn on the toggle switch to enable an action. The automated action is permanent and cannot be reversed once applied. You can also use the delayed remediation feature to set the timeline as to when an action must be taken. You can either choose to apply the automated action immediately after detecting a violation or after some time.

The various automated actions are described as follows.

Delete Document: This action deletes the file that contains sensitive data. You cannot revert this action once it is applied automatically. You must also configure this automated action after a certain time period has elapsed. The delayed remediation feature allows you to set a time period. The automated action is applied only after the set time period has elapsed. Alternatively, you can also choose to apply the action immediately.

In the final stage, you must provide a name to the audit. The results of the audit also have the same name as mentioned here.

1. Enter a name and click Next.

2. You can review the settings configured. To edit any setting, click Back.

3. If all the settings are configured accurately, click Submit.

Once the Nightfall audit is started, it is placed in the queue for scanning, with the status displayed as Queued. Once the scan begins, the status changes to Scanning. After the audit is completed, the status is updated to Completed. To stop an audit, click the ellipsis menu and select Stop.

To view the results of a specific audit, click the ellipsis menu for the desired audit and select View Results. This option displays the results of only the selected audit.

To view the results of all the audits, navigate to the Results tab. On the Results tab, you can apply filters to view the results of desired audits or directly select an audit from the drop-down menu.

Understanding Audit Event Content

The scan results display the following columns.

When you click a file, the following details are displayed.

• Integration: The name of the integration (Salesforce).

• Document Type: The type of the document in which sensitive data was found (text, audio, video)

• Account Type: The nature of the Salesforce tenant (production, sandbox).

• Location: The Salesforce object where a record with sensitive data is found.

The following details related to sensitive data found in the file, are displayed.

• Detector: The name of the detector that was violated.

• Text Before: The text that appears before the sensitive data.

• Finding: The sensitive data found in the document with of the finding.

• Text After: The text that appears before the sensitive data (if present).

Nightfall helps organizations secure historical data in Salesforce through comprehensive DLP audits.

Key Functionality

• Customizable Scope: Select specific drives, date ranges, and permission settings to target your audit

• Automated Remediation: Configure action that triggers automatically when violations are reported

• Comprehensive Scanning and Visibility: Examines more than 150 file types using AI-powered detection. Review violations in the console and provide metrics such as total data scanned, highest risk users, assets and more.

Prerequisites

You must ensure that the Salesforce integration is installed in your Nightfall tenant. To learn more about how to install the Salesforce integration, refer to this .

The process of creating an Audit for the Salesforce integration involves the below steps.

Creating Policy

The process of creating a Nightfall audit consists of five key stages:

The Scope section allows you to select the historic period that needs to be audited. You can also select the GitHub org and repositories to be audited. Once you select the org and repositories, Nightfall provides you a greater level of granularity with filters. You can apply filters within the selected repositories to exclude files with specific extensions and files which belong to a specific directory.

To configure the Scope section:

1. Select the historic time period to be audited.

2. Click + Add Org and select the GitHub org to be audited.

1. In the Select Repositories field, select one of the following options.

• All Repos: This option selects all the repositories for audit.

• Specific Repos: This option allows you to select specific repositories to be audited. You can select the repositories by creating a regular expressions pattern. You can refer to to learn more about regular expression syntax in GitHub. The options available to create regular expressions are as follows.

  • Starts With: This option allows you to create a pattern that matches repositories starting with specific letters, numbers, or characters.

• All Repos, But Exclude: This option allows you to exclude repositories from audit. You can select the repositories by creating a regular expression pattern. The options to create a regular expression pattern remain the same as in case of the previous option (Starts with, Ends With, and Contains).

1. In the Select Branches field, select one of the following options.

   • All Branches: This option selects all the branches of the selected repositories for auditing.

   • Default Branches: This option selects all the default branches of the selected repositories for auditing.

   • Specific branches

Examples of Regular Expressions

This section provides examples to create regular expressions. You can test your regular expression from this .

• To match the word development, use the following pattern with the Contains option.

• To match a word that starts with a, use the following pattern with the Starts With option.

• To match a word that ends with s, use the following pattern with the Ends With option.

• To match a word that contains the word sandbox, use the following pattern with the Contains option.

Configuring Filters

The Filters section provides higher levels of granularity in performing the audit. Once you select the GitHub org, repository, and branches to be audited, you can apply filters to exclude files with specific extensions and files that belong to a specific directory, from being audited.

• File Extension Exclusion: Select the file extension(s). All the files with the selected extension are excluded from the audit scope.

• Directory Exclusion: Enter a regular expression pattern to match a directory and file path. All file directories and file paths that match the pattern are excluded from the audit scope.

The Scope section allows you to select the historic period that needs to be audited. The historic period allows you to scan all the files which were either created or modified during the selected period. The time period can stretch to a maximum of 6 months.

Once you select the time period, you must select the Microsoft Tenant (if you have configured multiple tenants), drives within the tenant, and folder types to be audited. You can learn about these configurations from the Nightfall for Microsoft OneDrive Scope configuration document, for Data detection and response.

Once the Nightfall audit is started, it is placed in the queue for scanning, with the status displayed as Queued. Once the scan begins, the status changes to Scanning. After the audit is completed, the status is updated to Completed. To stop an audit, click the ellipsis menu and select Stop.

To view the results of a specific audit, click the ellipsis menu for the desired audit and select View Results. This option displays the results of only the selected audit.

To view the results of all the audits, navigate to the Results tab. On the Results tab, you can apply filters to view the results of desired audits or directly select a OneDrive audit from the drop-down menu.

Understanding Audit Event Content

The scan results display the following columns.

When you click a file, the following details are displayed.

• Tenant ID: The unique identifier for your organization’s M365 environment.

• Tenant Registration ID: The registration ID of the M365 tenant.

• Item Name: The name of the file containing sensitive data.

• Item ID: The M365 ID of the file containing sensitive data.

The following details related to sensitive data are displayed.

• Detector: The name of the detector that was violated.

• Text Before: The text that appears before the sensitive data.

• Finding: The sensitive data found in the document with of the finding.

• Text After: The text that appears before the sensitive data (if present).