Nightfall for GDrive - Remediation
Automated and Manual Remediation Features Added for GDrive Integration
GA date: 9/24 - GDrive Remediation is now in GA!
Nightfall is adding remediation actions to violation alerts for GDrive, so you can fix the issue with a click.

Manually restrict link and sharing settings from the alert

Upon receiving a violation alert, admin users can adjust permission (link and user) settings for the affected GDrive file. Remediation options center around making link and sharing settings more restrictive, and include:
  • Notify the file owner (via Slack/Email)
  • Change link setting to restricted
  • Change link setting to “Anyone in the organization with the link”
  • Remove external users
  • Remove internal users
Note that available remediation options depend on the pre-existing link/sharing settings.
Once the remediation action is taken, a follow-up message will be sent to configured alert platforms for tracking purposes.

Notifying file owners:

  1. Can notify via Slack (DM from Slackbot) or email.
  2. For Slack, we’ll look for a Slack user with the same email address as the file owner.
  3. We’re notifying the file owner, not the user who made the change. We aren’t able to do the latter because of limitations in GDrive’s API.
Example Notifications - Slack DM, Email
Note: When notifying the file owner directly after running a remediation action, you might encounter an error that says the file is “already in the process of being remediated.”
This is normal, as the remediation takes between 30 seconds and 2 minutes to run. Once that action is complete, the file owner can be notified and the notification should run smoothly.

Automated Remediation

This update will also include automated remediation capabilities, so that you can pre-configure which remediation actions you would like to take automatically when a new policy violation is detected.
The features called out below can all be set as Automated Actions. You will be able to automatically:
  • Notify the file owner (via Slack/Email)
  • Change link setting to restricted
  • Change link setting to “Anyone in the organization with the link”
  • Remove external users
  • Remove internal users
Note that available remediation options depend on the pre-existing link/sharing settings.
Notes:
  • Authenticated Nightfall users can take remediation actions even if they don’t have access to the file within GDrive. (Unauthenticated users will not be able to take remediation actions.)
  • The Nightfall user can download the affected file from the alert, in cases where they don’t have access to the file within GDrive. Download actions will be logged in configured alert platforms.