Using GAT to detect a sharing policy violation
This example is for a user, but you can also check for sharing violations on a file, a file type, a folder, a group (all the users in the group – ‘Local User/Group’), an organization, a file ID, or anyone sharing in or to a particular external target such as a user or a domain.
Security Lesson Part 1
In the Drive Audit, click the Long Search button and enter the email of the local user you want the policy to watch. (For a group of users, add the group name to the ‘Local User/Group’ field.)
Note: With the Owned checkbox ticked, the search returns only the documents that the user owns. If it is left unchecked, the search returns files that the user can edit, can read or owns.
Click on refresh to see whether the search is complete. Once the search is done, click on the green checkbox to apply the filter.
Once the results are displayed, refine the search: click on the ‘Apply custom filter’ button.
When the Drive Files filter appears, add these additional search parameters to your existing Long Search:
- Updated after or equal today’s date dd/mm/yyyy hh:mm
- Sharing Flags contains Shared out
Note: You should also give it a meaningful name, for example, files shared out of UserX on a daily basis.
Once you have added these additional search parameters, click on Scheduled. Once Scheduled is selected, you will see additional options. Set the scheduled report to run on a daily basis: ‘Every day – after midnight’.
You can also choose who should receive this report, which contains data on files shared out by user X each day.
Click on Apply & Schedule.
Now navigate to Scheduled reports on the configuration side menu.
You can modify your existing scheduled jobs from here.
If you want to attach an action to this policy, click on Jobs Action Edit (the icon next to the pen icon).
Once this scheduled report is set up, you will receive an email each day with a spreadsheet of all the files shared out by User X.
Security Lesson Part 2
The policy created in Security Lesson Part 1 shows you the files a user has shared out each day, but another exposure may remain: files shared in can also be used to leak sensitive data. A user on your domain can copy and paste data into a shared-in document without your awareness. That is why we recommend creating a scheduled report that shows you the files shared in to an individual user, an entire group, a specific OU structure or a folder.
In this example we will take a look at files shared into a specific user.
In Drive audit, click on the ‘Apply custom filter’ button.
In the Drive Files filter popup, apply the following search parameters:
- Sharing Flags contains Shared in
- Flags doesn’t contain Team Drive
- Editors contains (exact match) UserX’s email address
Here we will apply the filter rather than schedule it. If you wish to schedule this report, add another search parameter:
- Updated After or equal dd/mm/yyyy hh:mm
Then click on the Scheduled checkbox and select how often you want the report to run.
Once the results appear in the Drive result table, you can use the functionalities of GAT Unlock to examine the file contents. For more information about viewing file contents silently, read this post: “View File Contents: How to silently copy or view files”.
Of course, we have made this easy for Admins – for this type of report for the entire domain, just go to ‘One Click Reports’, select ‘Docs shared in or out changed in the last 24 hour’.
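The Part 2 filter can also be re-checked offline against an exported results spreadsheet. The following is an added example, not part of GAT or of the original post: the column names, the `;` separator for editors and the sample rows are assumptions constructed for illustration, not GAT's documented export layout. It shows why the exact match on Editors matters: a substring test would also pick up `superuserx@example.com`.

```python
import csv
import io
from datetime import datetime

# Constructed sample export. Column names and values are assumptions for
# this example, not GAT's documented spreadsheet layout.
SAMPLE_CSV = """title,owner,editors,sharing_flags,flags,updated
Q3 forecast,partner@external.example,userx@example.com;partner@external.example,Shared in,,02/03/2024 09:15
Team roadmap,lead@example.com,userx@example.com,Shared in,Team Drive,02/03/2024 10:00
Vendor notes,vendor@external.example,superuserx@example.com,Shared in,,02/03/2024 11:30
Old contract,legal@external.example,userx@example.com,Shared in,,14/01/2024 08:00
Press kit,userx@example.com,userx@example.com,Shared out,,02/03/2024 12:00
"""


def load_rows(text):
    """Parse the exported CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def shared_in_editable(rows, user_email, updated_after):
    """Titles of files shared in (not Team Drive) that the user can edit,
    updated on or after the cutoff, mirroring the Part 2 parameters."""
    user = user_email.strip().lower()
    hits = []
    for row in rows:
        # Exact match on each editor address, never a substring test.
        editors = {e.strip().lower() for e in row["editors"].split(";") if e.strip()}
        # Same dd/mm/yyyy hh:mm format as the 'Updated after or equal' field.
        updated = datetime.strptime(row["updated"], "%d/%m/%Y %H:%M")
        if ("Shared in" in row["sharing_flags"]
                and "Team Drive" not in row["flags"]
                and user in editors
                and updated >= updated_after):
            hits.append(row["title"])
    return hits


if __name__ == "__main__":
    cutoff = datetime(2024, 3, 2, 0, 0)  # constructed "today" for the sample rows
    for title in shared_in_editable(load_rows(SAMPLE_CSV), "userx@example.com", cutoff):
        print(title)
```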