Remediation Guide

Automated and Manual Remediation Features for Nightfall's Google Drive Integration
With Google Drive, your team may take direct action to remediate sensitive content, or may alert the end user to take remediation actions. Which approach you use will depend on your organization’s needs and access settings for Google Drive.
Many organizations, at a minimum, remediate Google Drive violations by adjusting the link-sharing setting on the file. You may also delete the sensitive information from the file. Note that the version history will still contain the violation even after it is deleted from the current version. In order to completely remove sensitive information, we recommend that you delete the sensitive content, make a copy of the file, and then delete the original file.
For more information on the process for remediation in Nightfall for Google Drive, please reference the following article:

Manually restrict link and sharing settings from the alert

Upon receiving a violation alert, admin users can adjust permission (link and user) settings for the affected Google Drive file. Remediation options center around making link and sharing settings more restrictive, and include:
  • Notify the file owner (via Slack/Email)
  • Change link setting to restricted
  • Change link setting to “Anyone in the organization with the link”
  • Remove external users
  • Remove internal users
Note that available remediation options depend on the pre-existing link/sharing settings.
Once the remediation action is taken, a follow-up message will be sent to configured alert platforms for tracking purposes.
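
How the remediation options above map onto Drive sharing permissions, as an added example that is not Nightfall's code: it plans the permission changes for each option and shows why the available options depend on the file's existing settings. The permission fields follow the Drive API v3 permission resource; the action names, `ORG_DOMAIN` and the sample permissions are assumptions constructed for illustration.

```python
# Added example: plans Drive permission changes for each remediation option.
# Field names follow the Drive API v3 permission resource; data is constructed.
ORG_DOMAIN = "example.com"  # assumption: the organization's primary domain

def _is_external(perm, org_domain):
    """True for a user/group permission whose address is outside the org."""
    if perm["type"] not in ("user", "group"):
        return False
    # A missing address is treated as external (the conservative choice).
    return perm.get("emailAddress", "").lower().rsplit("@", 1)[-1] != org_domain

def plan(perms, action, org_domain=ORG_DOMAIN):
    """Return (operation, permission) steps; [] means the action is unavailable."""
    shared = [p for p in perms if p["role"] != "owner"]  # never touch the owner
    if action == "restrict_link":
        # Drop both "anyone with the link" and "anyone in the organization".
        return [("delete", p) for p in shared if p["type"] in ("anyone", "domain")]
    if action == "org_link":
        # Replace public link access with a domain-scoped link at the same role.
        public = [p for p in shared if p["type"] == "anyone"]
        steps = [("delete", p) for p in public]
        if public and not any(p["type"] == "domain" for p in shared):
            steps.append(("create", {"type": "domain", "domain": org_domain,
                                     "role": public[0]["role"]}))
        return steps
    if action == "remove_external":
        return [("delete", p) for p in shared if _is_external(p, org_domain)]
    if action == "remove_internal":
        return [("delete", p) for p in shared
                if p["type"] in ("user", "group") and not _is_external(p, org_domain)]
    raise ValueError(f"unknown action: {action}")

def available_actions(perms, org_domain=ORG_DOMAIN):
    """Actions that would change something, given the existing settings."""
    names = ("restrict_link", "org_link", "remove_external", "remove_internal")
    return [a for a in names if plan(perms, a, org_domain)]

# Constructed sample: public link, one outside collaborator, one colleague.
SAMPLE = [
    {"id": "p1", "type": "user", "role": "owner", "emailAddress": "owner@example.com"},
    {"id": "p2", "type": "anyone", "role": "reader"},
    {"id": "p3", "type": "user", "role": "writer", "emailAddress": "vendor@partner.test"},
    {"id": "p4", "type": "user", "role": "reader", "emailAddress": "peer@example.com"},
]
```

A file that is already restricted and shared only with colleagues yields a single available action, which is the behavior the note about pre-existing settings describes.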

Notifying file owners:

  1. We can notify via Slack (DM from Slackbot) or email.
  2. For Slack, we’ll look for a Slack user with the same email address as the file owner.
  3. We’re notifying the file owner, not the user who made the change. We aren’t able to do the latter because of limitations in GDrive’s API.
[Figures: example notification in Slack; example notification in email]
Note: When notifying the file owner directly after running a remediation action, you might run across an error that says the file is “already in the process of being remediated.”
This is normal, as the remediation takes a bit of time to run, between 30 seconds and 2 minutes. Once that action is complete, the user can then be notified and the action should run smoothly.

Automated Remediation

This update will also include automated remediation capabilities, so that you can pre-configure which remediation actions you would like to take automatically when a new policy violation is detected.
The features called out below can all be set as Automated Actions. You will be able to automatically:
  • Notify the file owner (via Slack/Email)
  • Change link setting to restricted
  • Change link setting to “Anyone in the organization with the link”
  • Remove external users
  • Remove internal users
Note that available remediation options depend on the pre-existing link/sharing settings.
Notes:
  • Authenticated Nightfall users can take remediation actions even if they don’t have access to the file within GDrive. (Unauthenticated users will not be able to take remediation actions.)
  • The Nightfall user can download the affected file from the alert, in cases where they don’t have access to the file within GDrive. Download actions will be logged in configured alert platforms.