Scope
Last updated
Last updated
When there is a high volume of exfiltration (basically download) in your organization, the scoping capability enables you to reduce the noise from low risk events so that you can zero in on genuine exfiltration events and resolve them.
Exfiltration (Download monitoring) can be scoped to:
Location: All or a specific set of drives
This allows you create flexible policies to monitor all or specific high-risk locations. This is a required scope for all policies.
User or User Group (Actor): Any or a specific set of users or user groups
This allows you to create custom policies for specific high-risk individuals or user groups. As such, you can create policies to monitor download activity by a disgruntled employee or departing employees. This can be set in combination to other scoping capabilities.
Permissions: Public, Organization or Restricted
This allows you to tailor your policies to drives or files with specific access restrictions. This can be set in combination to other scoping capabilities.
Detection rules: Any or a specific set of sensitive data protection detection rules
You can reuse any of detection rules you've already created or create new ones. This helps focus your detection on files which have associated sensitive data violations identified by your sensitive data scanning product. This can be set in combination to other scoping capabilities.
The Scope stage consists of two main sections.
Drive Selection: This section allows you to include various files and drives for monitoring. In this section, you can select the different types of drives to be monitored.
Add Filters: This section allows you to scrutinize your policy scope at more granular levels. While the Drive selection section allows you to select the whole drive to be monitored, this section provides you more granular level filters. You can select specific files within the selected drives for monitoring.
The Drive Selection section allows you to select various drives for monitoring. You can select either User Drives or Shared Drives to be monitored by Nightfall for exfiltration.
This section allows you to select various drives in your Google Drive to be monitored. There are two options in this section. You can either choose to scan the User drives, Shared drives, or both.
User Drives: The User Drives is the personal drive of the user. The files in this drive are visible only to the owner of the file and other users to whom the owner has granted access. User Drive is commonly known as My Drive in Google Drive. To monitor a User Drive, you must select the User drives check box as shown in the following image.
IMPORTANT
If you choose to monitor the User drives, all the User drives in your Google domain are selected for monitoring. You do not have the option to choose specific User drives for monitoring.
Shared Drives: Shared drives are common storage locations accessed by all the users in your Workspace. To select this option, you must select the Shared drives check box.
IMPORTANT
If you choose to monitor the Shared Drives, you can select whether to monitor all the Shared drives or only specific shared drives. Nightfall provides the following options.
If you select the All Drives option, all the Shared drives in your Google Workspace are selected for monitoring.
If you select the All Drives, except for option, you can exclude some shared drives from being monitored.
If you select the Specific Shared Drives option, you get the option to choose specific Shared drives for monitoring.
The following image displays the scenarios when you select the Shared Drives check box.
If you select the All Drives, except for option, you must also select the shared drives which must be excluded from monitoring.
Similarly, if you select the Specific Drive(s) option, you must also select the specific shared drives which must be monitored.
The filters section provides you the flexibility to include and exclude users at a granular level.
For instance, in the previous section, irrespective of whether you selected Shared Drive, User Drive, or specific User Drives, you ended up selecting one or a set of Drives for monitoring.
Once you select the Drives to monitor, in this section, you can overlay additional filters to further scope your monitoring. Nightfall provides the following additional filters:
Monitor specific: Choose this option to monitor one or a specific set of internal users. Once you choose this option, Nightfall populates the list of users from the synced IdPs in Directory Sync. You must select the required users.
Monitor all, except: Choose this option to exclude specific individuals from your monitoring policy. Once you choose this option, Nightfall populates the list of users from the synced IdPs in Directory Sync. You must select the required users.
If you have not configured the Directory Sync feature, the users list is populated from the Google Drive integration setup. As a result, you can see the Google Drive icon before the user name. However, if you have set up Directory sync, the users list is fetched from the IdP used for the configuration. In the above image, the users list is populated from the Microsoft Azure IdP and hence you can see the Azure icon before the users’ names.
Important
For exclusions, Nightfall only checks the file ownership. For inclusions, Nightfall checks both file ownership and shared access. This rule is applicable to all the filters.
Monitor Specific: Choose this option to monitor one or a specific set of external users. Once you choose this option, you must manually enter the email ID(s) of the external users and hit the enter key.
Monitor all, except: Choose this option to exclude specific external users, from being monitored. Once you choose this option, you must manually enter the email ID(s) of the external users and hit the enter key.
Monitor specific: Choose this option to monitor one specific or a set of internal groups. Once you choose this option, Nightfall populates the list of internal groups from the synced IdPs in Directory Sync. You must select at least one group.
Monitor all, except: Choose this option to exclude one specific, or a set of, internal groups from being monitored. Once you choose this option, Nightfall populates the list of internal groups from the synced IdPs in Directory Sync. You must select the required users.
Monitor specific: Choose this option if you have external user groups defined in your IdP and would like to monitor one specific or a set of external groups. Once you choose this option, you must select at least one external user group to monitor then hit the enter key.
Monitor all, except: Choose this option if you have external user groups defined in your IdP and would like to exclude one or more external groups from being monitored. Once you choose this option, you must select at least one external user group to monitor then hit the enter key.
Before understanding the Permission filters, we must understand Google's General Access feature.
The general access feature in Google Workspace consists of three types of access, which are as follows.
Restricted: Files with this permission can only be accessed by users who have been granted access.
Target Audience: Files with this permission can be accessed by the users of the selected target audience group. There is a default target audience that gets created when the Google workspace is provisioned. This target audience has the same name as provisioned in the Google Workspace and includes all members of the organization. You can refer to this Google document to learn more about the target audiences.
Anyone with the Link: Files with this permission can be accessed by any user who has the file link.
Nightfall also provides inclusion and exclusion of files in policy scope that resembles the General Access sharing principle in Google Workspace. The Nightfall General Access permission options are as follows.
Restricted: Choose this option to scope monitoring to files with restricted access.
Shared with target audiences: Choose this option to scope monitoring to files shared with target audiences within your Google Workspace environment.
Anyone with the link: Choose this option to scope monitoring to files shared with anyone with a link.
The Nightfall Detection Rules consist of a single or multiple detectors. You can use this filter to either include all the detection rules or include only specific detection rules. Note that upon a download event, Nightfall will check if the downloaded file has been previously scanned, and results matched at least one of the selected detection rules (i.e. The file is not rescanned upon download).
All: If you select this option, all the detection rules are included.
Monitor Specific: If you select this option, you must also select the required detection rules. Nightfall scans your files only for the selected detection rules.