How to Use GAT to Detect a Sharing Policy Violation

Using GAT to detect a sharing policy violation

This example is for a user, but you can also check for sharing violations on a file, or file type, a folder, a group (all the users in the group – ‘Local User/Group’), an organization, a file id and anyone sharing in or a particular external target such as a user or a domain. 


Security Lesson Part 1

In the Drive Audit, select Owners and enter the name of a local user against whom you wish to make a policy watch.  (For a group of users, add the group name to the ‘Local User/Group’ field and leave the owners field blank.)

Select today’s date

and hit ‘Search Documents’

hit ‘Search Documents’

After the results are returned, hit ‘Out’, above the results table (Next to the trash can in the screenshot above).

Nothing might be returned, but that’s OK, you are just building a policy, which is now ready,

Docs shared out not deleted with Owners [] modified from 23/01/2013

Next hit ‘Schedule/Save’, this will take you through to the scheduler.

Next hit ‘Schedule/Save’

Here you can set this rule as an Audit (which returns a report every day), a Policy (which notifies you only when the condition is met and sends you a report) or a Notify (which just sends you an email saying the condition is met) – in this case we are setting a policy to detect files shared out by  You can notify other users, separate email addresses by commas. We are notifying the security group on another domain.

The report can be a PDF or a CSV (in some cases because of the report type only a CSV is returned).

Next, I have selected ‘Custom Cron’ to build a cron string that would run my job, every day just after midnight my time.

Hit ‘Update’ and you are done!

Every night, just past midnight, this policy will be checked to see if user shared any files out. If he has those on the notification list will be alerted with the name of the file(s).


Security Lesson Part 2

So you have checked for all the files the ‘user’ is sharing out, do you think this has got you covered against data leakage using file sharing?

If you do, think again.

Remember any file ‘shared in’ can be used as a conduit to get information out, so you have got to monitor for files shared into the user also. To do this we more or less repeat the steps above for the initial audit.

Hit ‘Clear Filter’ to start a fresh search.

In the Docs Audit, select ‘Editors’ (note in the first part we picked ‘Owners’, but for shared in we pick ‘Editors’, as local users can never own a file shared into them and we are not interested in files they can only view) and enter the name of a local user.

Select today’s date

and hit ‘Search Documents’

Click on Search documents after selecting todays date

After the results are returned, hit ‘In’, above the results table.

Now we need to combine the ‘In’ filter and the ‘Out’ filter to get the whole sharing story.

Next, we need to combine the two filters together, to do this select the tab ‘Recent Filters’

Select 'recent filters' to combine two filters together

Pick the filters for the files shared out and the files shared in and combine them with ‘OR’, then hit ‘Show’.

This will bring up a new filter with both conditions combined.

When the new filter appears you then select ‘Schedule’ and run it daily after midnight as before.

Of course, we make this easy for Admins  – for this type of report for the entire domain, just go to ‘Scheduled Reports’, select ‘What’s Hot Reports’ – ‘New Report’. From the drop-down list pick ‘Docs shared in or out in the last 24 hours’ (use Custom cron to schedule for after midnight) and fill out the rest of the details to suit yourself.