How to Use GAT to Detect a Sharing Policy Violation

This example is for a user, but you can also check for sharing violations on a file, a file type, a folder, a group (all the users in the group – ‘Local User/Group’), an organization, a file ID, or anyone sharing in or to a particular external target such as a user or a domain.

 

Security Lesson Part 1

 

In the Drive Audit, click the Long Search button and enter the email of the local user you wish to put a policy watch on. (For a group of users, add the group name to the ‘Local User/Group’ field.)

Note: With the Owned checkbox ticked, the search returns only the documents that user owns. If it is left unchecked, the search returns files that user can edit, read or owns.

Click on the refresh button to see whether the search is complete. Once the search is done, click on the green checkbox to apply the filter.

 

Now, let’s modify this search slightly once the results have been displayed. Click on the ‘Apply custom filter’ button.

When the Drive Files filter appears, add these additional search parameters to your existing Long Search.

  • Updated after or equal today’s date dd/mm/yyyy hh:mm
  • Sharing Flags contains Shared out

 

Note: You should also give it a meaningful name, for example, files shared out of UserX on a daily basis.

Once you have added these additional search parameters, click on Scheduled. Once Scheduled is selected, you will see additional options. You should make the scheduled report run on a daily basis: ‘Every day – after midnight’.

You can also choose who should receive this report which contains data on files shared out by user X each day.

 

Click on Apply & Schedule.

 

Now navigate to Scheduled reports on the configuration side menu.

You can modify your existing scheduled jobs from here.

If you want to create an action with this policy, click on Jobs Action Edit, the icon next to the pen icon.

 

Once this scheduled report is set up, you will receive an email with a spreadsheet of all of the files shared out of User X each day.

 

Security Lesson Part 2

 

Although you have created a policy in Security Lesson Part 1 to show you the files a user has shared out on a daily basis, there may be another vulnerability: files shared in may also be used to leak sensitive data. A user on your domain can copy and paste data into a shared-in document without your awareness. That is why we recommend creating a scheduled report that shows the files shared in to an individual user, an entire group, a specific OU structure or a folder.

 

In this example we will take a look at files shared into a specific user.

In Drive audit, click on the ‘Apply custom filter’ button.

In the Drive Files filter popup apply the following search parameters.

  • Sharing Flags contains Shared in
  • Flags doesn’t contain Team Drive
  • Editors contains (exact match) UserX’s email address

We will apply the filter instead of scheduling this information. If you wish to schedule this report, add another search parameter:

  • Updated After or equal dd/mm/yyyy hh:mm

 

Then click on the Scheduled checkbox and select how often you want the report to run.
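The two filters from Part 1 and Part 2 can be expressed as logic over file metadata, which helps when checking what a report should and should not contain. This is an added example, not GAT's code or output: the records are constructed and shaped like Google Drive API v3 file metadata (`owners`, `permissions`, `modifiedTime`, `driveId`), and the mapping of GAT's Sharing Flags onto those fields, the domain `example.com` and the user address are assumptions.

```python
from datetime import datetime, timezone

LOCAL_DOMAIN = "example.com"   # assumption: the audited domain
USER_X = "userx@example.com"   # assumption: the watched local user

def is_external(email):
    return not email.lower().endswith("@" + LOCAL_DOMAIN)

def grants_outside(p):         # does this permission reach beyond the domain?
    if p["type"] == "domain":
        return p["domain"].lower() != LOCAL_DOMAIN
    return p["type"] == "anyone" or is_external(p["emailAddress"])

def sharing_flags(f):          # assumed mapping of GAT's flags onto Drive metadata
    flags = {"Team Drive"} if f.get("driveId") else set()
    if any(is_external(o["emailAddress"]) for o in f.get("owners", [])):
        flags.add("Shared in")    # owned outside the domain
    elif any(grants_outside(p) for p in f.get("permissions", [])):
        flags.add("Shared out")   # local file reachable from outside
    return flags

def updated_since(f, since):
    return datetime.fromisoformat(f["modifiedTime"].replace("Z", "+00:00")) >= since

def shared_out_by(files, user, since):                 # Part 1 filter (Owned ticked)
    return [f["name"] for f in files
            if any(o["emailAddress"] == user for o in f.get("owners", []))
            and updated_since(f, since) and "Shared out" in sharing_flags(f)]

def editors(f):
    return {p.get("emailAddress") for p in f.get("permissions", []) if p["role"] == "writer"}

def shared_in_editable_by(files, user, since=None):    # Part 2 filter
    return [f["name"] for f in files
            if sharing_flags(f) == {"Shared in"}       # Shared in, no Team Drive flag
            and user in editors(f)                     # exact-match editor
            and (since is None or updated_since(f, since))]

def rec(name, when, owner, *perms):                    # builds one constructed record
    return {"name": name, "modifiedTime": when, "owners": [{"emailAddress": owner}],
            "permissions": [dict(zip(("type", "role", "emailAddress"), p)) for p in perms]}

FILES = [  # constructed sample metadata, not real audit output
    rec("q3-forecast", "2024-05-02T09:15:00Z", USER_X, ("user", "reader", "partner@other.test")),
    rec("old-deck", "2024-04-01T08:00:00Z", USER_X, ("anyone", "reader")),
    rec("vendor-notes", "2024-05-02T11:00:00Z", "v@other.test", ("user", "writer", USER_X)),
    rec("vendor-pdf", "2024-05-02T12:00:00Z", "v@other.test", ("user", "reader", USER_X)),
]
TODAY = datetime(2024, 5, 2, tzinfo=timezone.utc)
print(shared_out_by(FILES, USER_X, TODAY), shared_in_editable_by(FILES, USER_X))
```

The read-only shared-in file is excluded from the Part 2 result because the user cannot write to it, which is why the filter matches on Editors rather than on any access.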

 

Once the results appear in the Drive result table, you can use the functionalities of GAT Unlock to examine the file contents. For more information about viewing file contents silently, read this post: “View File Contents: How to silently copy or view files”.

 

Of course, we have made this easy for Admins – for this type of report for the entire domain, just go to ‘One Click Reports’ and select ‘Docs shared in or out changed in the last 24 hour’.

 

Track Your Users’ Online Activities with GAT Shield

Using GAT Shield you can track your user’s browser activity throughout the day.

Below is a short tutorial explaining the feature. You can watch it instead of reading this post.

 

You can view what sites they spend most of their time on as well as their active time spent there.

To start off, we’re going to go to the User Activity section of GAT Shield.

Here we can see the timeline of any user.

Sites are ordered by the total duration of time spent, which helps you quickly spot where the bulk of a user’s time is spent.

At the top left of this section, you can select the User you wish to view.

To the right, you can select the date you wish to investigate.

And in the top right you can choose to either view the data by Active time spent or view their activity in a 24-hour window.

The total Chrome browser activity shows you a summary of the user’s total active time spent using their browser. Each colour represents a website; hovering over a colour will reveal its URL.

Under this window, you can search for any specific website to see if your user is spending any of their time on that site. For example, you can see if your users are spending too much time on youtube.com.

To the right, you can select the number of displayed sites.

Below you can view your users’ activity for every site they have visited. You can also see what percentage of the user’s day is spent on that site.

Google User Folder Structure Displayed in GAT+

GAT+ displays the User folder structure for each user on your domain.

In the ‘Users’ audit section, as you hover over each user, a new icon will appear beside the folder count.

Clicking on the folder icon will display the folder tree beneath the user’s photo or email.

Each folder name has a file count and a quota usage count for the folder itself.

Selecting any folder name and clicking on it will show you the exact file type breakdown of that folder.

You can click the > marker before the folder to expand or contract the folder to the next level.