Trigger

The Trigger section in Google Drive policies lets you define the Scope of your monitoring and the Actions (in this case, sharing setting change events) to monitor for. There are two primary sharing setting changes you can monitor for:

  • Attempts to add one or more external users (users who are not part of your organization) to Google Drive assets.

  • Attempts to modify the Link sharing settings (e.g., from restricted to public) of one or more Google Drive assets.

Posture management monitoring can be scoped to:

  • Location: All or a specific set of drives

    • This allows you to create flexible policies to monitor all or specific high-risk locations. This is a required scope for all policies.

  • Detection rules: Any or a specific set of sensitive data protection detection rules

    • You can reuse any of the detection rules you've already created or create new ones. This helps focus your detection on files containing specific sensitive content types as discovered and classified by your custom detectors or Nightfall's extensive library of ML/AI detectors. This can be set in combination with other scoping capabilities.

  • User or User Group (Actor): Any or a specific set of users or user groups

    • This allows you to create custom policies for specific high-risk individuals or user groups. For example, you can create policies to monitor download activity by a disgruntled employee or departing employees. This can be set in combination with other scoping capabilities.

  • Permissions: Public, Organization or Restricted

    • This allows you to tailor your policies to drives or files with specific access restrictions. This can be set in combination with other scoping capabilities.

  • Event Frequency: Number of changes over a period of time.

    • This allows you to set custom thresholds in terms of the number of changes over a specific period of time and can be useful to identify anomalous patterns for specific locations, users or content types. This can be set in combination with other scoping capabilities.

To configure Scope, you must select either the All drives or Specific drive(s) option in the Monitor field.

If you select All drives, all the Google drives (user drives and shared drives) in your organization are selected for monitoring. If you select Specific drive(s), a new drop-down menu appears. This menu lists all the Google drives in your organization. You can select specific drives, as required.

Configuring Filters

Once you select the required Google drives, you can add filters to monitor only those files that match your filter criteria. Nightfall provides you with three types of filters.

Detection Rules

You can use this filter to limit the scope to only those files in the selected Google drive containing sensitive data that matches specific detection rules. You can either choose all the detection rules created in your organization or match specific detection rules only.

Actor

Actors refer to either specific users or Google groups. You can choose the users or user groups whose sharing settings change activity you'd like to monitor.

Permission

You can apply filters to restrict the scope to files with specific permissions.

Filter configurations are optional and are there to help you tailor your monitoring to your organization's risk profile. You can choose to either use any one, two, or all three filters or choose to not use any of the filters. The decision is purely based on your organization's requirements.

To configure Filter settings:

  1. To use the Detection rules filter, select one of the following:

    • Any Detection Rule: This option will scope monitoring to files containing sensitive content that matches all sensitive data detection rules actively monitoring your Google Drive environment.

    • Specific rule(s): This option will scope monitoring to files containing sensitive content that matches the selected sensitive data detection rule(s). Once you select this option, a new drop-down menu appears. This drop-down menu allows you to select specific detection rules.

    If you do not wish to use the Detection rule filter, click Remove.

  2. To add an Actor filter, click + Add Filter and select Actor is.

  3. Select one of the following options:

    • Specific user(s): This option allows you to select users from your Google Workspace. The actions of only those users selected here are monitored for potential sharing posture change events. Once you select this option, a new drop-down menu appears. You can select the required user(s) from the drop-down menu.

    • Specific group(s): This option allows you to select groups from your Google Workspace. The actions of only those groups selected here are monitored for potential posture change events. Once you select this option, a new drop-down menu appears. You can select the required group(s) from the drop-down menu.

  4. To add a Permission filter, click + Add Filter and select Permission is.

  5. Select either Public, Restricted, or Organization.

The logical AND operator is applied between the Google drive and the filters, by default. You cannot modify this setting.

Configuring Actions

In the Actions section, you can define the type of sharing posture change you'd like to monitor. Nightfall provides the ability to monitor two posture altering action types. The two actions are explained as follows.

Changing Share Settings

If a user changes the Sharing settings of an asset, it can be termed a posture change event. For instance, if a user modifies the sharing settings of five assets from Restricted to Public, within 1 hour, it can be considered an event worth investigating or remediating.

Adding External Users

External users are users who are not employees of your organization, as defined by the Google Workspace domains. If an employee grants external users permissions to multiple assets within a short span of time, it can be considered an event worth investigating or remediating.
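A minimal model of how the drive scope, the AND-combined filters, and the event frequency threshold fit together, using the "five assets from Restricted to Public within 1 hour" case above. This is an added example, not Nightfall's code; the event fields, the per-actor counting, and matching the Permission filter against the permission after the change are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:  # constructed event shape, not a Nightfall or Google schema
    time: datetime
    actor: str
    drive: str
    action: str        # "share_setting_change" or "external_user_added"
    permission: str    # permission after the change (assumption)
    rules: frozenset   # detection rules the file matched

@dataclass(frozen=True)
class Policy:  # an empty set means "All drives" / filter not used
    action: str
    threshold: int
    window: timedelta
    drives: frozenset = frozenset()
    rules: frozenset = frozenset()
    actors: frozenset = frozenset()
    permissions: frozenset = frozenset()

def in_scope(p, e):  # drive scope AND every configured filter must match
    return (e.action == p.action
            and (not p.drives or e.drive in p.drives)
            and (not p.rules or bool(p.rules & e.rules))
            and (not p.actors or e.actor in p.actors)
            and (not p.permissions or e.permission in p.permissions))

def evaluate(p, events):
    """Alert when one actor reaches p.threshold in-scope events within p.window."""
    recent, alerts = defaultdict(deque), []
    for e in sorted((e for e in events if in_scope(p, e)), key=lambda ev: ev.time):
        q = recent[e.actor]
        q.append(e.time)
        while e.time - q[0] > p.window:   # drop events older than the window
            q.popleft()
        if len(q) >= p.threshold:
            alerts.append((e.actor, e.time))
            q.clear()                     # restart the count after alerting
    return alerts

T0 = datetime(2024, 1, 1, 9, 0)  # constructed sample data
def burst(actor, step_min, perm):
    return [Event(T0 + timedelta(minutes=i * step_min), actor, "finance",
                  "share_setting_change", perm, frozenset({"PII"})) for i in range(5)]
EVENTS = burst("alice", 10, "Public") + burst("bob", 60, "Public") + burst("carol", 10, "Organization")
POLICY = Policy("share_setting_change", 5, timedelta(hours=1), permissions=frozenset({"Public"}))
print(evaluate(POLICY, EVENTS))
```

Only alice alerts: bob's five changes are spread over four hours, and carol's burst is excluded by the Permission filter.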
