Nightfall Documentation

Remediation for Google Drive Exfiltration


Last updated 2 months ago


This document explains what admins and end-users can do once a policy is violated.

Admin Notification and Remediation

When end-users violate a policy, the Nightfall admin is notified about the incident. The notification channel used depends on the settings configured in the Admin Alerting section. If you have not enabled any notification channels in the Admin Alerting section, Nightfall admins are not notified.

If you have enabled the email notification in the Admin alerts section, Nightfall admins receive an email. The email is as shown in the following image.

The email contains the following data.

  • Event: The event that caused the violation. For Google Drive, the event is always a download of assets.

  • Actor: The Email ID of the user who downloaded the file.

  • When: The date and time when the file was downloaded.

  • Where: The name of the file that was downloaded.

  • Policies Violated: The name of the policy that was violated.

  • Violation Dashboard: The link to the Events screen to view the violation in detail.

  • Actions: The list of actions that the Nightfall admin can take.

Also, a Slack message is sent if you have enabled the Slack alerts for the Nightfall admin. The Slack message looks as shown in the following image.

End-User Notification and Remediation

If you have configured the Email notification for end-users and enabled the end-user remediation, end-users can take remediation actions from the Email itself.

If you have configured Slack notifications for end-users and enabled end-user remediation, end-users can view the Slack message.

Managing Events in Nightfall

Nightfall admins can manage violations from within the Nightfall console. The Events page in Nightfall lists all the violations under the Exfiltration tab. End-users can get a detailed view of each exfiltration Event triggered.

To view violations in Nightfall, navigate to the Exfiltration Prevention page from the left menu.

The Exfiltration Events page lists all the exfiltration events. To view events with specific statuses, you can click the respective tabs.

To view past events, click the Time filter and select the required time period. By default, the list displays events for the Last 7 Days.

Event List View

The Event list view consists of the following columns.

  • Event type and asset(s): The nature of the event (asset download) and the name of the asset that is either downloaded or uploaded.

  • Location: The location of the asset (Google Drive in this case).

  • When: Number of days/months since the event occurred.

  • Actor: The email ID of the user who downloaded the asset.

  • Policy: The name of the policy violated by the event.

  • Status: The current status of the event.

Event Detail View

You can click an event to view the details. The detail view window consists of the following tabs.

  • Summary: The Summary tab displays highlights of the event like the name of the downloaded asset, the name of the violated policy, the email ID of the user who violated the policy, and so on.

  • Asset: The asset window displays the details of the asset and the history of the asset. You can also choose to view historic asset data. If there are multiple assets in a single violation, you can choose which asset's details must be displayed.

  • Actor: The actor tab displays the details and history of the user who downloaded the asset. You can choose to view historical data of the user. You can also add which can serve as metadata for the violation.

Taking Actions on the Events Page

The events list view displays an ellipsis menu at the extreme right corner. Admins can click this menu to take appropriate action on an exfiltration event.

The various available actions are explained as follows.

  • Acknowledge: This action can be taken when you just wish to acknowledge that you have viewed the violation.

  • Notify Email: This action sends an email notification to the end-user who caused the violation.

  • Notify Slack: This action sends a Slack notification to the end-user who caused the violation.

  • Suspend Account: This action suspends the account of the user who caused the violation.

  • Ignore: This action ignores the violation. You can take this action when an event is a false positive.

  • Copy Link: This action is only available on the Asset detail view. You can copy the direct link to the Event with this action.

Once the action is taken, the status of the event changes accordingly. By default, an event can have one of the following two statuses.

  • Active: The event has been generated but no action has been taken.

  • Input Requested: A notification has been sent to the end-user requesting their response.

You can also take action from the event detail view page. The actions are available at the bottom of the detail view page.

End-users receive notifications and remediation actions if the Nightfall admin has enabled these settings. The notifications are based on the settings configured in the Automation section. The end-user remediation actions are based on the settings configured in the End-User Remediation section.

The Actor column shows the email ID of the user who downloaded the asset. In some cases, the name of an app also appears in brackets. This indicates that an app present in your Google Workspace downloaded the asset on behalf of the user. You can find more information in this Google document.
