Today in How to Automate, we will learn how users can automate the monitoring of file visibility changes and their remediation to improve their Google Drive security posture.

As said in a former article (see How to Automate: Monitor and delete permissions on Google Drive in an easy way in 10 minutes), we described the value that tools such as Google Workspace or Microsoft 365 can bring to organizations.

Making readily available for every employee from anywhere brings lots of flexibility for modern organizations. It facilitates real-time collaboration among team members and provides familiar interfaces and feature-rich functionalities, allowing users to create, edit, and share documents easily. On top of that, the integration with cloud storage enables access to files from anywhere, on any device, enhancing overall productivity and efficiency.

However, as we already said, with these benefits come risks. One of them is the ability, willfully or negligently, to share documents outside of the organization. This can go either by creating permissions to targeted personas, as discussed in the previous How to Automate or by making the link to a document accessible by anyone who would have the link in their possession.

Such sharing may have a reason, and all sharing mustn't be forbidden. Still, when it comes to Data Loss or, more broadly, insider risks, one has to implement a proper risk management strategy covering their Google Drive or Microsoft 365 spaces.

This is what we are going to do today. By orchestrating together 5 services, which are  Google Admin Reports, Google IAM Service Accounts Credentials, Google OAuth, Google Drive, and Slack, we will build an automated workflow covering detection, identification, notification, and remediation. From the user of Mindflow's perspective, they will only have to click either "Remediate" or "Close" and ask the owner about the incident before doing so. A true time savior to improve Google Drive security!

Improve Google Drive security by monitoring files' visibility - First steps.

The first thing we need to do is ensure we have the right credentials and permissions. On the Google Cloud console, make sure the Admin Reports API is enabled and that your service account has the scope https://www.googleapis.com/auth/admin.reports.audit.readonly.

On Mindflow, ensure the service account credentials you registered have the same scope included.

Now, we want to create a channel between Google and Mindflow in which notifications will flow to the targeted playbook. To do so, create a new playbook on the platform that you will name "Schedule: Start monitoring Google Drive activities by filters". Yes, you can change the name to something sexier! Then, please choose your favorite emoji, and let's get started.

This first flow is pretty thorough, click right to create a new step and, in the Finder, reports.activities.watch or Watchs activities to find the right step. Click it to create the step and open the configuration panel. Now, click the processor icon on the top right of the step configuration pop-over. Configure the fields as such:

• User key: all (we will watch activities from all users)

• Application name: drive

• Address: This is the second playbook's webhook that will receive information from the channel we will create later. Leave it empty for now.

• Type: web_hook

• Expiration: Click the fx icon on the right of the field. Once there, click "Add a function" and look for Get time. Apply the function, set the Granularity to Milliseconds (ms), and apply another one called Sum. Make sure that there is the pill Previous value in the input field. Right next to it, press space and add "21600000". As Delimiter choose "Space". This will compute an expiration time of 6 hours every time this step is executed. This timeframe is the maximum Google allows us to Watch activities.

• Id: Create your channel name, such as drive_change_visibility

• Event name: change_document_visibility.

We only have the Address field to fill in now. Let's hop on the scheduler to create an automatic trigger every 6 hours. To do so, click the calendar icon next to the playbook's title. To configure it, select "At regular intervals", "Daily", then select "5,11,17,23" for hours and "59" for minutes. Click save. Your playbook will be automatically executed every 6 hours, with no downtime in monitoring!

To finish the setup, go back to the homepage to create another playbook, the one we will use to handle incoming alerts. Name it as you want, such as "Webhook: File made accessible to anyone with link" and choose your emoji! Open it and click the gear icon in the top left of the canvas. Copy the second link starting from the bottom. Returning to your first playbook, paste this link in the Address field.

Run the Flow once to see if everything checks out. Congrats!

Improve Google Drive security by monitoring files' visibility - Creating the second Flow.

Now on the second Flow configuration that will handle the Google Drive security incidents. This section is divided into two subsections, each representing a milestone. The first concerns the detection of Google Drive security incidents and the notification to the targeted team. The second describes setting up the automated Google Drive security remediation process. Ensure you have the following credentials and scopes ready.

• Google IAM

Create a JWT credential in Mindflow's Vault with the scope https://www.googleapis.com/auth/iam and configure the credentials, as shown in the picture below. Ensure you create this credential for an HTTP Request, not a Google service.

• Slack

Ensure your bot has the scope channel:write and the credentials registered in Mindflow's vault.

Good. Now, before starting the build, let's have a quick look at the final flow.

Setting up the alerting

If not triggered already, go on Drive and change the Visibility of one of the documents to trigger the flow and generate a payload that we will use to work on.

When done, start by creating a condition named New visibility. Create two branches, one leading to the step "Success" that is named else, the other leading to a Transform data (TD) named Extracting accessScope. Configure the second branch, named people_with_link, as such: In the first field, type "/" to open the Data Picker tool. Click the webhook that will be named APIs-Google. On the body of the webhook, follow the path value/events/0/parameters/9. This object comprises the visibility property and its value. Pick value.

Select the operator "Is equal to" and write down below people_with_link. Back to the condition main panel, click the three dots that will appear as you move your cursor on the left of the branch else and select "Use as else".

This condition will triage events between the values private, people_within_domain_with_link, and people_with_link. When an event will comprise people_with_link, we deem it worth sending a notification to the relevant team.

Before sending the notification, we want to retrieve the access scope configured with this link. It can be either can_view, can_comment, or can_edit. According to your strategy, you can triage these events to select only can_comment and can_edit, or only can_edit, or the three. We will monitor the three events in this example, so we just have to extract the new scope event.

To do so, open the configuration panel of your Extracting accessScope TD. In it, click "Add an item". Name it newAccessScope. Now, type "/" to open the Data Picker and go again in the Google webhook's payload. Follow the path value/events/2/parameters/5/multiValue and pick the object 0. This object will have the properties we want to extract. Doing so helps us create a variable we will invoke in the next step.

To create the next step, click the icon Add a new step below the last step and look for chat_postMessage or Sends a message to a channel in the Finder. Open the configuration panel, make sure the Slack credentials are properly filled in the SETTINGS tab, and go to the INPUT tab. Here, fill in the channel ID to where you want to be notified and click the processor icon to display all the fields. Look for Blocks and paste the following and make sure you create pills when indicated between brackets:

[
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "ALERT - LOW 🟡 Document made accessible to people_with_link"
}
},
{
"type": "section",
"fields": [
{
"type": "mrkdwn",
"text": "Actor:n[Open the Data Picker and pick email in value/actor]"
},
{
"type": "mrkdwn",
"text": "Title of the document:n[Pick value in value/events/0/parameters/7]"
},
{
"type": "mrkdwn",
"text": "Owner of the document:n[Pick value in value/events/0/parameters/3]"
},
{
"type": "mrkdwn",
"text": "Visibility:n[value/events/0/parameters/9]"
},
{
"type": "mrkdwn",
"text": "Access scope:n[Invoke newAccessScope]"
}
]
},
{
"type": "actions",
"block_id": "[Create a Resume execution ID pill by opening the Data Picker and clicking Resume under FLOW]",
"elements": [
{
"type": "button",
"text": {
"type": "plain_text",
"emoji": true,
"text": "[Name of the button for Remediation]"
},
"style": "primary",
"value": "click_me_123"
},
{
"type": "button",
"text": {
"type": "plain_text",
"emoji": true,
"text": "[Name of the button to close the incident]"
},
"style": "danger",
"value": "click_me_123"
}
]
}
]

This step being asynchronous through the Resume execution ID, you can configure the time out of the resume execution to fit your needs. To do so, go into the SETTINGS tab and look for the field "Resume execution timeout (seconds)". Type the time you prefer.

Let's create a condition right after this Slack step to finish this first milestone. Name it Decision?. Create two branches, one leading to a Slack chat_postMessage step named Close and another branch (Start remediation) leading to a TD named Prepare impersonation.

Before proceeding forward, try setting up a new visibility to people_with_link in Google Drive to generate a notification on Slack. Make sure you click either button to generate a log for us to work on.

Once done, go back on the canva and open the Decision? Condition's Start remediation branch. In the first field, open the Data Picker to inspect the Slack step, make sure you select the log with the small webhook icon. Inspect the payload with the following path payload/actions/0 and select style. Select the operator "Is equal to" then type primary. Do the same for the branch Close but type danger instead of primary.

First milestone is complete!

Setting up the automated remediation

Open the Prepare impersonation TD. Inside, create 5 items that you will name: iat, sub, exp, impersonated_claim_set, and escape. Configure them as such:

• iat (issued at): create a Get time function to generate the current Unix time in seconds.

• sub (the impersonated user): Pick the email address of the actor in the Google webhook payload in value/actor.

• exp: Again, create a Get time function in seconds and apply a Sum function where you will add 3600 seconds to the previous value, which is the current Unix time. This will set the lifetime duration of the JSON Web Token that we will generate later.

• impersonated_claim_set: paste and complete the following JSON:

{
"iss": "[YOUR GOOGLE SERVICE ACCOUNT ADDRESS]",
"scope": "https://www.googleapis.com/auth/drive",
"aud": "https://oauth2.googleapis.com/token",
"iat": [call iat],
"exp": [call exp],
"sub": "[call sub]"
}

• escape: call impersonated_claim_set and apply an Escape string function configured as such: Escape level * Special chars, Escape quote * Double, JSON Compatible enabled.

You are ready to proceed forward! From there, we will have to create HTTP Requests by hand. Create the first request named Generate impersonated JWT token. Set Method * to POST. In URL * paste https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[YOUR SERVICE ACCOUNT ADDRESS]:signJwt. Open the Body section and mark it as JSON. Inside write

{ 
   "payload": [Invoke Escape]
}

In the SETTINGS panel, make sure you have selected your JWT credential. Run it once to generate a JWT. 

Once done, create another HTTP Request named Generate impersonated access token. Select POST and paste https://oauth2.googleapis.com/token in URL *. In Body as URL-encoded, create grant_type and paste urn:ietf:params:oauth:grant-type:jwt-bearer. Below, create assertion and Pick signedJwt from the first HTTP Request logs. Run it once to generate logs. At this point, the impersonation process is done. We will now configure steps to find and revert the files' visibility to private.

Create one last HTTP Request that you will name Reset file's visibility. Set Method to DELETE. In the URL, paste https://www.googleapis.com/drive/v2/files/[Pick value in value/events/0/parameters/4]/permissions/anyoneWithLink (anyoneWithLink is the permission ID of people_with_link).

In Headers, add an item named Authorization and type "Bearer", press space, and pick access_token from Generate impersonated access token's logs.

Run the step one to reset a file's visibility and generate logs. Great! On to the last steps! Create a chat_postMessage. Open the configuration panel, click the processor icon, and fill in the following fields with the corresponding values from the first Slack step's logs: Channel, Thread ts (with the value ts). In Text, type any text and pick the values you feel like, such as Remediation successful. Visibility reverted to Private. Date: [Pick the Reset file's visibility execution date in the Headers of the logs].

Back to the other branch of the Decision? condition. Here, it is pretty thorough. Create a new chat_postMessage, fill in the Channel and Thread ts fields and, as Text, write something in the tune of "Ticket closed. Not an incident.".

Et voilà! Your first Google Drive security Flow is ready. Congrats!