Trigger

The Trigger section of a Google Drive policy defines the scope of your monitoring and the action to monitor for, in this case a download event.

Download monitoring can be scoped to:

  • Location: All or a specific set of drives

    • This allows you to create flexible policies that monitor all drives or only specific high-risk locations. A location scope is required for every policy.

  • Detection rules: Any or a specific set of sensitive data protection detection rules

    • You can reuse any of the detection rules you have already created or create new ones. This focuses detection on files containing specific content types, as discovered and classified by your custom detectors or by Nightfall's library of ML/AI detectors. This can be set in combination with the other scoping options.

  • User or User Group (Actor): Any or a specific set of users or user groups

    • This allows you to create custom policies for specific high-risk individuals or user groups, for example to monitor download activity by disgruntled or departing employees. This can be set in combination with the other scoping options.

  • Permissions: Public, Organization or Restricted

    • This allows you to tailor your policies to drives or files with specific access restrictions. This can be set in combination with the other scoping options.

  • Download Frequency: number of downloads over a period of time

    • This allows you to set a custom threshold, expressed as a number of downloads within a specific period of time, which is useful for identifying anomalous download patterns for specific locations, users or content types. This can be set in combination with the other scoping options.

To configure Scope, you must select either the All drives or Specific drive(s) option in the Monitor field.

If you select All drives, all the Google drives (user drives and shared drives) in your organization are selected for monitoring. If you select Specific drive(s), a new drop-down menu appears. This menu lists all the Google drives in your organization. You can select specific drives, as required.

Configuring Filters

Once you select the required Google drives, you can add filters to monitor only those files that match your filter criteria. Nightfall provides you with three types of filters.

Detection Rules

You can use this filter to limit the scope to only those files in the selected Google drives whose content matches detection rules. You can either match against any detection rule created in your organization or against specific detection rules only.

Actor

Actors are either specific users or Google groups. You can choose which actors' download activity the policy evaluates as potential exfiltration attempts.

Permission

You can apply filters to restrict the scope to files with specific permissions.

Filters are optional. You can use any one, two, or all three filters, or none at all, depending on your organization's requirements.

To configure Filter settings:

  1. By default, the Detection rules filter is present. To use this filter, select one of the following.

    • Any Detection Rule: Files in the selected Google Drive(s) are matched against all the detection rules created in your Nightfall tenant.

    • Specific rule(s): Files in the selected Google Drive(s) are matched only against the detection rules you select here. Once you select this option, a new drop-down menu appears from which you can select specific detection rules.

    If you do not wish to use the Detection rule filter, click Remove.

  2. To add an Actor filter, click + Add Filter and select Actor is.

  3. Select one of the following options.

    • Specific user(s): Select users from your Google Workspace. Only downloads by the selected users are evaluated as potential exfiltration attempts. Once you select this option, a new drop-down menu appears from which you can select the required user(s).

    • Specific group(s): Select groups from your Google Workspace. Only downloads by members of the selected groups are evaluated as potential exfiltration attempts. Once you select this option, a new drop-down menu appears from which you can select the required group(s).

  4. To add a Permission filter, click + Add Filter and select Permission is.

  5. Select either Public, Restricted, or Organization.

The Google drive scope and all configured filters are combined with a logical AND: a download must satisfy the drive scope and every filter to be evaluated. This cannot be changed.

Configuring Actions

In the Actions section, you define the download behavior that Nightfall treats as a potential exfiltration attempt. The action is expressed as a download frequency: a number of downloads within a period of time.

To configure Actions:

  1. Click the first drop-down menu and select the number of asset downloads.

  2. Click the second drop-down menu and select the time period.

Set the action frequency carefully, because downloads that stay below the threshold are never reported. For example, consider that you set the action condition to 5 or more files within 1 hour, as shown in the following image. If a user downloads four assets every hour, the policy does not trigger a violation, because five downloads within one hour is never reached.

Example Scenario

Acme Corp has created a detection rule, called Credit Card, to detect credit card data. Credit card data is present in multiple Acme Corp files, and Acme Corp has set the permission of every file containing it to Organization (only Acme Corp employees can access it). Acme Corp also has an external Google group whose members are external stakeholders who are not part of Acme Corp but have access to Acme Corp's Google Drive.

Acme Corp wants to ensure that no user from the external group downloads files containing credit card data. They create an exfiltration policy as follows.

This Trigger rule monitors all Google drives. If any user from the external group downloads a file whose permission is set to Organization and whose content matches the Credit Card detection rule, the download is considered an exfiltration attempt, provided it also matches the download frequency, which is set as follows.

The frequency is set so that even a single download of a file containing credit card data by an external user is considered an exfiltration attempt.
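To make the AND rule between the drive scope and the filters, the "5 or more files within 1 hour" example, and the Acme Corp scenario concrete, here is a toy evaluator written for this page. It is an added example and not Nightfall's code: the event fields, the per-actor counting, the trailing window and the one-report-per-burst behavior are assumptions for illustration, and the download events are constructed sample data, not real tenant activity.

```python
"""Toy evaluator for a Google Drive download trigger of the shape this page
describes: drive scope AND optional filters (detection rule, actor, permission)
AND a download-frequency threshold. Added example; not Nightfall's code."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DownloadEvent:
    ts: datetime
    drive: str
    file: str
    actor: str                     # user who performed the download
    groups: FrozenSet[str]         # Google groups the actor belongs to (assumed field)
    permission: str                # "Public", "Organization" or "Restricted"
    matched_rules: FrozenSet[str]  # detection rules whose detectors fired on the file


@dataclass
class Policy:
    drives: Optional[Set[str]]           # None = All drives
    detection_rules: Optional[Set[str]]  # None = Detection rule filter removed
    actors: Optional[Set[str]]           # None = no Actor filter; user emails and/or group names
    permissions: Optional[Set[str]]      # None = no Permission filter
    min_downloads: int                   # "N or more files ..."
    window: timedelta                    # "... within <period>"


def in_scope(policy: Policy, ev: DownloadEvent) -> bool:
    """Drive scope and every configured filter are ANDed, as the page states."""
    if policy.drives is not None and ev.drive not in policy.drives:
        return False
    if policy.detection_rules is not None and not (ev.matched_rules & policy.detection_rules):
        return False
    if policy.actors is not None and not (({ev.actor} | set(ev.groups)) & policy.actors):
        return False
    if policy.permissions is not None and ev.permission not in policy.permissions:
        return False
    return True


def find_violations(policy: Policy, events: List[DownloadEvent]) -> List[Tuple[str, datetime]]:
    """Return (actor, timestamp) wherever an actor's in-scope downloads inside the
    trailing window reach the threshold. Per-actor counting, a trailing window and
    a single report per burst are assumptions made for this example."""
    recent: Dict[str, deque] = {}  # actor -> timestamps still inside the window
    hits: List[Tuple[str, datetime]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not in_scope(policy, ev):
            continue
        q = recent.setdefault(ev.actor, deque())
        q.append(ev.ts)
        cutoff = ev.ts - policy.window
        while q and q[0] <= cutoff:  # drop downloads that fell out of the window
            q.popleft()
        if len(q) >= policy.min_downloads:
            hits.append((ev.actor, ev.ts))
            q.clear()  # start a fresh count after reporting this burst
    return hits


# --- constructed sample input (not real tenant data) --------------------------
def at(h: int, m: int) -> datetime:
    return datetime(2024, 5, 6, h, m)


EXTERNAL = "external-partners@acme.example"
NONE: FrozenSet[str] = frozenset()
CC: FrozenSet[str] = frozenset({"Credit Card"})
EVENTS: List[DownloadEvent] = []
# alice: four downloads in each of two hours, never five within any single hour
for m in (0, 10, 20, 30):
    EVENTS.append(DownloadEvent(at(9, m), "Finance (shared)", f"ledger-{m}.xlsx", "alice@acme.example", NONE, "Organization", CC))
for m in (5, 15, 25, 35):
    EVENTS.append(DownloadEvent(at(10, m), "Finance (shared)", f"ledger-{m}.xlsx", "alice@acme.example", NONE, "Organization", CC))
# carol: five downloads inside one hour
for m in (0, 5, 10, 20, 50):
    EVENTS.append(DownloadEvent(at(11, m), "carol (My Drive)", f"export-{m}.csv", "carol@acme.example", NONE, "Organization", NONE))
# dave: member of the external group
EVENTS += [
    DownloadEvent(at(12, 0), "Finance (shared)", "cardholders.csv", "dave@partner.example", frozenset({EXTERNAL}), "Organization", CC),
    DownloadEvent(at(12, 30), "Marketing (shared)", "brochure.pdf", "dave@partner.example", frozenset({EXTERNAL}), "Public", CC),
    DownloadEvent(at(12, 45), "Finance (shared)", "roadmap.docx", "dave@partner.example", frozenset({EXTERNAL}), "Organization", NONE),
]

# The page's frequency example: "5 or more files within 1 hour", no filters
POLICY_FIVE_PER_HOUR = Policy(None, None, None, None, 5, timedelta(hours=1))
# Acme Corp's scenario: all drives, Credit Card rule, external group, Organization permission, one download
POLICY_ACME = Policy(None, {"Credit Card"}, {EXTERNAL}, {"Organization"}, 1, timedelta(hours=1))

if __name__ == "__main__":
    print(find_violations(POLICY_FIVE_PER_HOUR, EVENTS))  # only carol, at 11:50
    print(find_violations(POLICY_ACME, EVENTS))           # only dave, at 12:00
```

Running it shows the two behaviors the page describes: alice's four-per-hour pattern never reaches five within any trailing hour, so only carol's burst is reported under the first policy; under the Acme policy, dave's single download of an Organization-permission file that matches Credit Card is reported, while his Public-permission download and his download of a file matching no rule are filtered out by the AND rule before the frequency count is reached.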
