Trigger
Once you narrow down the policy Scope to the required devices and originating domains, you must define the trigger actions that count as Posture change events. When one of these trigger actions is performed on the scoped entities, Nightfall considers it a violation and creates a Posture Management Event.
Nightfall provides two types of trigger actions that you can set as Posture change events.
Changes Share Settings: Attempt to modify the Link sharing settings (for example, from restricted to public) of one or more Google Drive assets.
Gives Access: Attempt to provide access to one or more Google Drive assets.
If a user changes the Sharing Settings of one or multiple assets within a stipulated amount of time, it is considered a violation and a posture change event is created.
To use this Trigger action, you must select the Changes share settings option.
Once you select the Changes share settings option, you must select the Google share setting that must be used as a Trigger.
You must then select the number of assets and the timeline. If the trigger action is performed on that number of assets within the timeline, a Posture event is raised.
For instance, in the following image, if the Sharing setting of five Google Drive assets is modified to Public within 1 hour, a Posture Event is created.
In the Gives Access trigger action, if an employee grants permissions to one or multiple assets within a short span of time, Nightfall considers it a Violation and creates a Posture Management Event.
You must define the number of assets and the timeline. In the following image, if access is given to 5 or more assets within 1 hour, Nightfall considers it to be a Violation and triggers a Posture Event.
You can add filters to scope the generation of violation events to cases where asset access is granted to specific users, user groups, or domains.
Conversely, you can also add filters to prevent the generation of violation events when asset access is granted to trusted users, user groups, and domains. This helps you reduce the noise from trusted sources.
The filters section consists of the following filters.
Specific user(s): You must select this option to monitor file access granted to specific internal users. Once you choose this option, Nightfall populates the list of users from the synced IdPs in Directory Sync. You must select the required users.
All users, except for: You must select this option to exclude the monitoring of file access granted to specific internal users. Once you choose this option, Nightfall populates the list of users from the synced IdPs in Directory Sync. You must select the required users.
Specific user(s): You must select this option to monitor file access granted to specific external users. Once you select this option, you must manually type the email ID of the user and press the enter key.
All users, except for: You must select this option to exclude the monitoring of file access granted to specific external users. Once you select this option, you must manually type the email ID of the user and press the enter key.
Specific group(s): You must select this option to monitor file access granted to specific internal groups. Once you choose this option, Nightfall populates the list of users from the synced IdPs in Directory Sync. You must select the required groups.
All users, except for: You must select this option to exclude the monitoring of file access granted to specific external users. Once you choose this option, Nightfall populates the list of users from the synced IdPs in Directory Sync. You must select the required groups.
Specific Group(s): You must select this option to monitor file access granted to specific external groups. Once you select this option, you must manually type the email ID of the group and press the enter key.
All Groups, except for: You must select this option to exclude the monitoring of file access granted to specific external groups. Once you select this option, you must manually type the email ID of the group and press the enter key.
Specific domain(s): You can use this option to monitor only when users belonging to specific domains are given access. To add a domain, type the domain name (for example, abcd.com) and hit the enter key. This option also allows you to include personal email domains by clicking the Add free personal email domains check box.
All Domains, except for: You can use this option to exclude monitoring of users who belong to a specific domain. To exclude a domain, type the domain name (for example, abcd.com) and hit the enter key. This reduces unwanted noise from sanctioned external collaboration. Note that you can also exclude monitoring of sharing with personal email accounts. This latter option is recommended if you already have an existing policy monitoring personal email (also recommended). This will ensure that your monitoring policies are mutually exclusive.