To install the Nightfall App for Google Drive, please follow the steps outlined below:
Navigate to the Nightfall Console, and select Google Drive -> Policies. You will see an intro screen and a button to get started. Click ‘Get Started’.
To connect the Google account to Nightfall, you must grant Nightfall Google Workspace API access with domain-wide delegation. Only a Google administrator can do this.
Follow the steps outlined on the page within the G Suite admin console to add the required OAuth scopes to the presented Client ID.
Once complete, sign in with your Google Account at the bottom of the screen to connect the account.
In the Nightfall Console, navigate to Google Drive -> Policies.
Select the option to add a new policy at the top right of the screen.
Name the policy.
Set the scope of the policy. The scope determines where on Google Drive this policy enforces monitoring. You can select the scope by Drives or by Files. By default, All Drives is selected, but you can unselect this and narrow down the Drives that you would like to be part of the scope. Similarly, you can exclude certain files using the 'Exclude files' option below the list of drives. Please see this functionality in the screenshot below.
Select the detection rule that you would like to include with this policy. The detection rule must be configured beforehand, as detection rules are independent of the policies they are attached to. Learn more about configuring detection rules here.
Set the desired permissions to alert upon in the rule.
The options chosen here will be the permissions setting that will trigger an alert.
For example, in the permissions section screenshot below, the options for “Anyone with the link” in the ‘Link Settings’ option, and “External users and groups” in the ‘Shared with’ option have been chosen.
This means that an alert will be triggered if any file has the shared permission set to ‘Anyone with the link’, and also if the file is shared with an ‘external user’ or group. The intention behind this specific policy is to trigger whenever a file is newly shared externally.
Similarly, consider the desired state of the policy and which permission settings you want to be alerted on.
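The trigger conditions described above can be previewed against a file's sharing entries before the policy is enabled. The following is an added example, not Nightfall's code: it reads the permission fields of the Google Drive API v3 (type, emailAddress), and the internal domain example.com, the function names and the sample files are assumptions constructed for illustration.

```python
# Added illustration of the two alert conditions in the example policy.
# Field names follow Google Drive API v3 permission resources.
# This is not Nightfall's implementation.

INTERNAL_DOMAINS = {"example.com"}  # assumption: your own Workspace domain(s)

LINK = "Anyone with the link"
EXTERNAL = "External users and groups"


def email_domain(perm):
    """Return the lower-cased domain of a user/group entry, or None."""
    email = perm.get("emailAddress") or ""
    return email.rsplit("@", 1)[1].lower() if "@" in email else None


def sharing_triggers(permissions, internal_domains=INTERNAL_DOMAINS):
    """Return the set of policy options matched by a file's permissions."""
    hits = set()
    for perm in permissions:
        ptype = perm.get("type")
        if ptype == "anyone":
            hits.add(LINK)
        elif ptype in ("user", "group"):
            domain = email_domain(perm)
            # An entry with no usable address is counted as external so
            # that it is reviewed rather than silently skipped.
            if domain is None or domain not in internal_domains:
                hits.add(EXTERNAL)
        # "domain" entries are outside the two options chosen in the example.
    return hits


def audit(files, internal_domains=INTERNAL_DOMAINS):
    """Map each file name to the sorted options that would raise an alert."""
    report = {}
    for name, perms in files.items():
        hits = sharing_triggers(perms, internal_domains)
        if hits:
            report[name] = sorted(hits)
    return report


# Constructed sample data, not taken from a real Drive.
OWNER = {"type": "user", "role": "owner", "emailAddress": "Alice@Example.COM"}
SAMPLE_FILES = {
    "roadmap.docx": [OWNER],
    "pricing.xlsx": [OWNER, {"type": "anyone", "role": "reader"}],
    "contract.pdf": [OWNER, {"type": "group", "role": "writer",
                             "emailAddress": "legal@partner.test"}],
}
```

Calling audit(SAMPLE_FILES) lists only the files whose sharing state matches one of the selected options, which is a quick way to estimate how many alerts a policy will generate on existing files.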
Finally, in the Alerting section, select your desired alerting options for Google Drive:
Send alerts to a Slack channel
Send notifications via email
Send alerts to a Webhook endpoint
If these alerting options have yet to be set up, please refer to this article here.