The Posture Management events page displays all the posture management events. An event is triggered when a posture management policy is violated. To learn more about configuring posture management policies, refer to the Creating Policies for Posture Management document.
Important
A posture management event is generated only when both of the following conditions are met.
A Nightfall admin creates one or more posture management policies.
An end-user (who matches the scope for at least one of the policies) performs an action that violates the posture management policy.
To view violations in Nightfall, navigate to Posture Management from the left menu.
The Posture Events page lists all the posture events. To view events with specific statuses, you can click the respective tabs.
To view historic events, click the Time filter and select the required time period.
The list view consists of a table that contains the following columns.
This column displays the type of posture event (Added external user or Changed share settings), and the name of the asset(s) on which the posture change was implemented.
This column displays the icon of the integration on which the Event occurred (in the above image, it is Google Drive).
This column displays the time at which the Event occurred.
This column displays the email ID of the user whose actions triggered the Event.
This column displays the name of the Policy that was violated.
This column displays the current status of the Event.
This menu allows you to take actions on the Event.
The event entries differ for the two kinds of trigger actions: adding external users and changing the sharing settings. You can identify a violation type by viewing its name.
You can click an event to view the details. The header of the event displays the type of violation. The detail view window is as follows.
You can navigate to the detail view of an Event by clicking the Event. The detail view window consists of the following tabs.
The Summary tab consists of the following details.
Assets: The name of the asset on which the posture change event occurred.
Policy: The name of the policy violated.
Actor: The email ID of the user who violated the policy.
The Data Security Posture Management page also contains a Log section and a Comments section.
Event logs - The event logs section contains a log of activities performed on the Event. By default, the first log activity recorded is the Event creation activity. The next set of activities generally provides information about Event notifications sent via various notification channels and actions taken on the Event.
Comments - The comments section allows you to enter comments on the Event. The maximum character limit for the comment is 300.
The Asset tab contains the details of the asset in which the Data Security Posture Event was triggered. If multiple assets triggered an Event, a drop-down menu appears; click it and choose an asset to view the details of that asset. Additionally, when there are multiple assets, the Assets tab displays a number in brackets. This number indicates the number of assets that triggered the Event.
The asset tab displays the following details.
Name: The name and a hyperlink to the asset.
Location: The location of the asset.
Drive: The nature of the Google Drive that holds the asset (personal drive, shared drive).
Permission: The sharing permission that is applied to the asset (Restricted, Within the Organization, or Anyone in the Internet).
Shared With: The number of internal and external users with whom the asset has been shared.
Created At: The date and time when the asset was created.
Size: The total size of the asset.
Owner: The email ID of the asset owner.
The Asset tab contains an Asset history section. This section displays details of the asset, such as changes to its permissions and the edits made to it. You can apply filters to view asset history for a specific time period.
Actor: The actor refers to the user who edited the file that triggered the Event. This tab displays the details and history of the user who downloaded the asset. You can choose to view historical data of the user. You can also add details which can serve as metadata for the Event.
The Actor history section displays details of the actor, such as the files edited, viewed, and shared by the actor. You can apply filters to view actor history for a specific time period.
The events list view displays an ellipsis menu at the extreme right corner. Admins can click this menu to take appropriate action on a Posture change Event.
The Event detail view also displays a list of actions that an admin can take. These actions are present at the bottom of the detail view page.
The various available actions are explained as follows.
Acknowledge: This action can be taken when you wish to acknowledge that you have viewed the Event.
Notify Email: This action sends an email notification to the end-user who caused the Event.
Notify Slack: This action sends a Slack notification to the end-user who caused the Event.
Change Link Settings: This action allows you to modify the sharing permissions of the asset. You can perform tasks like restricting the file from being accessed by external users, groups, and so on.
Suspend Account: This action suspends the account of the user who caused the Event.
Ignore: This action ignores the violation. You can take this action when an Event is a false positive.
Copy Event Link: This action copies the link to the Event. You can share this link with other users or save it so that you can use the link to easily access the Event. This action is only displayed in the Event detail view.
Download: This action downloads the asset that triggered the Event. To perform this action, you must first go to the Asset tab and choose an asset. This action is only displayed in the Event detail view.