Data Security Posture Management

Trigger

Once you zero down the policy Scope to the required devices and originating domains, you must now define the trigger actions that can be termed as Posture change events. When these trigger actions are performed on the scoped entities, Nightfall considers it as a violation and a Posture Management Event is created.

Nightfall provides you two types of trigger actions that you can set as Posture change events.

  • Changes Share Settings: Attempt to modify Link sharing settings (ex. from restricted to public) of a single or multiple Google Drive asset.

  • Gives Access: Attempt to provide access to a single or multiple Google Drive assets.

Changing Share Settings

If an user changes the Sharing Settings of one or multiple assets, within a stipulated amount of time, it is considered to be a violation and a posture change event is created.

To use this Trigger action, you must select the Changes share settings option.

Once you select the Changes share settings option, you must select the Google share setting that must be used as a Trigger.

You must then select the number of assets and the timeline within which if the trigger action is implemented, Posture event must be raised.

For instance, in the following image if the Sharing setting of five Google Drive assets is modified to Public, within 1 hour, a Posture Event is created.

Gives Access

In this Trigger action, if an employee grants permissions to one or multiple assets within a short span of time, it is considered as a Violation by Nightfall and a Posture Management Event is created.

You must define the number of assets and the timeline. In the following image, if access is given to 5 or more assets within 1 hour, Nightfall considers it to be a Violation and triggers a Posture Event.

Add Filters

You can add filters to the Gives Access trigger action to trigger the action only when access is granted to users from a specific domain or exclude users belonging to a specific domain. The Filters section has two options.

  • Only Include: You can use this option to only monitor if users belonging to specific domains are given access. To add a domain, type the domain name (example abcd.com) and hit the enter key. This option also allows you to include personal email domains by clicking the Add free personal email domains check box.

  • Exclude: You can use this option to exclude monitoring of certain users who belong to a specific domain. To exclude a domain, type the domain name (example abcd.com) and hit the enter key. This reduces unwanted noise from sanctioned external collaboration. Note that you can also exclude monitoring of sharing with personal email accounts. This latter option is recommended if you already have an existing policy monitoring personal email (also recommended). This will ensure that your monitoring policies are mutually exclusive.

PreviousScopeNextAutomated Actions

Last updated