Using GAT to detect a sharing policy violation
This example is for a user, but you can also check for sharing violations on a file, a file type, a folder, a group or org. unit, or any way a file is shared to an external domain or user.
In the GAT+ Drive audit under the ‘Files’ tab (1) click on the ‘Apply custom filter’ button (2).
In the filter, set the ‘Type’ to ‘simple filter’ (3), then select the search parameters, for example Owner (of the files), Updated after the previous day, and Sharing flag is Shared out (4). Click ‘Apply’ (5) once you are ready with the filter.
Note: You should also give it a meaningful name, for example, files shared out of UserX on a daily basis.
Note: For a group of users or an org. unit, select Type = User/Group/OU Search, then add the user/group/OU. Set ‘Ownership’ to be equal to ‘Owned’, then set the Updated field and the Sharing flag as before.
When the search filter is chosen, click on the ‘Scheduled’ check-button.
Choose the time of ‘Occurrence’ (in the screenshot above, ‘Every day – after midnight’), tick the ‘Enabled’ check-mark and then click ‘Apply & Schedule’.
Now navigate to Scheduled reports on the Configuration side menu.
You can modify your existing scheduled jobs from here.
If you want to create an action with this policy, click on Jobs Action Edit.
Once this scheduled report is set up, the recipient will receive an email each day with a spreadsheet of all of the files shared out of UserX.
Although the policy you created in security lesson part 1 shows you the files a user has shared out on a daily basis, another vulnerability may exist: files shared in may be used to leak sensitive data.
A user on your domain can copy and paste data into a shared-in document without your awareness.
That is why we recommend creating a scheduled report which can show you the files shared in to an individual user, an entire group, a specific OU structure or a folder.
In this example, we will take a look at files shared into a specific user.
In Drive Files, open the custom query builder and apply the following search parameters.
- Sharing Flags contains Shared in
- Flags doesn’t contain Shared Drive
- Editors contains (exact match) UserX’s email address
We will apply the filter instead of scheduling this information. If you wish to schedule this report, add another search parameter, as in the example from Part 1:
- Updated After or equal dd/mm/yyyy hh:mm.
Select how often you want the report to run and click on ‘Apply & Schedule’.
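The same filter conditions, applied offline to an exported report, as an added example that is not part of the original article or GAT's own code. The CSV column names, the ';' separator for multi-valued cells, the date format and the sample rows are all constructed assumptions, not the real GAT+ export schema.

```python
import csv
import io
from datetime import datetime

# Constructed sample export; column names are assumptions, not GAT+'s schema.
SAMPLE_CSV = """title,owner,sharing_flags,flags,editors,updated
Q3 forecast,partner@external.example,Shared in,,userx@example.com;partner@external.example,2024-05-02 09:15
Team notes,alice@example.com,Shared out,,userx@example.com,2024-05-02 10:00
Vendor list,vendor@external.example,Shared in,Shared Drive,userx@example.com,2024-05-02 11:30
Old draft,partner@external.example,Shared in,,userx@example.com,2024-04-20 08:00
Lookalike,partner@external.example,Shared in,,superuserx@example.com,2024-05-02 12:00
"""

def load_rows(text):
    """Parse the exported CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def split_multi(value):
    """Split a ';'-separated cell into a set of trimmed, lower-cased items."""
    return {item.strip().lower() for item in value.split(";") if item.strip()}

def shared_in_for_user(rows, user_email, updated_after):
    """Return rows that satisfy the four search parameters listed above."""
    user = user_email.lower()
    hits = []
    for row in rows:
        # Sharing Flags contains Shared in
        if "shared in" not in split_multi(row["sharing_flags"]):
            continue
        # Flags doesn't contain Shared Drive
        if "shared drive" in split_multi(row["flags"]):
            continue
        # Editors contains (exact match): compare whole addresses, so that
        # superuserx@example.com is not counted as userx@example.com.
        if user not in split_multi(row["editors"]):
            continue
        # Updated After or equal to the cutoff
        if datetime.strptime(row["updated"], "%Y-%m-%d %H:%M") < updated_after:
            continue
        hits.append(row)
    return hits

if __name__ == "__main__":
    cutoff = datetime(2024, 5, 1, 0, 0)
    for row in shared_in_for_user(load_rows(SAMPLE_CSV), "userx@example.com", cutoff):
        print(row["title"], row["owner"], row["updated"])
```

Of the five constructed rows only ‘Q3 forecast’ passes: the others fail on the sharing flag, the Shared Drive flag, the update cutoff and the exact-match editor check respectively.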
Once the results appear in the Drive result table, you can use the functionalities of GAT Unlock to examine the file contents. For more information about viewing file contents silently, read this post: “View File Contents: How to silently copy or view files”.
We have made this type of report easy for Admins to run for the entire domain.
In GAT+, under Audit and management open ‘One-Click Reports’ and select ‘Docs shared in or out changed in the last 24 hours’.