Triggering Scans

Triggering your first Historical Scan

In the Nightfall Console, navigate to Google Drive -> Policies
You will see an option for Historical Scans, on the top right of the page:
  • Please select this option, and you will be directed to your center for Historical Scans
To trigger a scan, please select the New Scan option on the top right, illustrated below:
  • Set the scope of the scan. The scope determines where on Google Drive this policy's monitoring is enforced. You can define the scope by Drives or by Files. By default, All Drives is selected, but you can unselect it and narrow the scope to the Drives that you would like to include. Similarly, you can exclude certain files using the 'Exclude files' option below the list of drives. Please see this functionality in the screenshot below.
Sample Scope from a Test Drive Account
  • Select the detection rule that you would like to include with this scan. It must be configured beforehand, as detection rules are independent of the scans they are attached to. Learn more about configuring detection rules here.
  • Set the desired permissions to alert upon in the rule.
The options chosen here will be the permissions setting that will trigger an alert.
For example, in the permissions section screenshot below, the options for “Anyone with the link” in the ‘Link Settings’ option, and “External users and groups” in the ‘Shared with’ option have been chosen.
This means that if any file has the shared permission set to ‘Anyone with the link’, an alert will be triggered, and will also be triggered if the file is shared to an ‘external user’ or group. The intention behind this specific scan is to trigger whenever a file was found to be newly shared externally.
Similarly, consider which permission settings you want this scan to alert on before choosing them here.
The next step is to decide how findings should be shown in the scan results. You can choose to include the sensitive finding in the scan, either fully unredacted or partially redacted, or not include it at all. Similarly, you can also choose to include characters before and after the finding, to help understand the context of the finding. Our recommendation is to include the sensitive finding, partially redacted, so that you are not fully showing sensitive data but are still able to determine whether it is a true finding or a false positive.
Lastly, set the date range that this scan should cover. The scan will then pull only files that have had recorded changes within the date range specified here. This can be set either to 'All history' or to a specific date range. If you have selected 'All history', we recommend increasing the minimum confidence level of the detectors in your Detection Rule to at least Likely. The amount of data scanned will be much higher, and a higher confidence level helps ensure a better experience when working through the findings.
You are now ready to start the scan. To start the scan, please select the Start option as shown below:
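The permissions step above can be read in terms of the permission entries the Google Drive API v3 returns for a file (`type`, `emailAddress`, `domain`). The following is an added example, not Nightfall's code or its evaluation logic; the function names, the sample files and the `example.com` organization domain are assumptions.

```python
# Added illustration, not Nightfall code: models the two alert options from the
# permissions step against Google Drive API v3 permission entries.
ANYONE_WITH_LINK = "Anyone with the link"
EXTERNAL = "External users and groups"

def _domain_of(perm):
    """Return the lower-cased domain a permission entry points at, or ''."""
    if perm.get("type") == "domain":
        return (perm.get("domain") or "").lower()
    email = perm.get("emailAddress") or ""
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""

def alert_reasons(permissions, org_domains, selected):
    """Return the selected alert options that one file's permissions match."""
    internal = {d.lower() for d in org_domains}
    reasons = set()
    for perm in permissions:
        ptype = perm.get("type")
        if ptype == "anyone":
            # Link sharing names no account, so there is no domain to compare.
            reasons.add(ANYONE_WITH_LINK)
        elif ptype in ("user", "group", "domain"):
            # An entry with no resolvable domain counts as external (fail closed).
            if _domain_of(perm) not in internal:
                reasons.add(EXTERNAL)
    return reasons & set(selected)

def files_to_alert(files, org_domains, selected):
    """Map each file name that would alert to its sorted list of reasons."""
    hits = {}
    for name, perms in files.items():
        reasons = alert_reasons(perms, org_domains, selected)
        if reasons:
            hits[name] = sorted(reasons)
    return hits

# Constructed sample data; example.com is the assumed organization domain.
OWNER = {"type": "user", "role": "owner", "emailAddress": "ana@example.com"}
SAMPLE_FILES = {
    "roadmap.docx": [OWNER],
    "payroll.xlsx": [OWNER, {"type": "anyone", "role": "reader"}],
    "contract.pdf": [
        OWNER,
        {"type": "user", "role": "writer", "emailAddress": "lee@partner.example"},
        {"type": "domain", "role": "reader", "domain": "example.com"},
    ],
}
```

With both options selected, `files_to_alert(SAMPLE_FILES, ["example.com"], [ANYONE_WITH_LINK, EXTERNAL])` flags `payroll.xlsx` for link sharing and `contract.pdf` for the external collaborator, while `roadmap.docx` stays quiet.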