Content Scanning


Content scanning in BetterCloud enables you to locate, alert on, and automatically remediate files that contain sensitive data across your SaaS Integrations. 

You can find more detailed information about the kind of sensitive data that BetterCloud is scanning for here.

There are three ways of carrying out content scanning: 

  • Go Forward Policies: automatically scan any new or updated files that meet the criteria you define. 
  • Select Scans: select up to 100 files at a time to be scanned for the content you specify.
  • File Audits: target and scan all files that meet a certain set of criteria.

*Content Scanning is only available for customers on the following versions of BetterCloud (see Understanding BetterCloud Versions for more information):

  • Pro
  • Enterprise

BetterCloud currently supports Content Scanning for the following providers:

  • Google Drive
  • Box
  • Slack
  • Dropbox
  • Office 365

The following file types can be scanned:

  • Google Docs (Docs, Slides, Sheets, Drawings)
  • .doc, .docx, .pages
  • .csv, .xls, .xlsx
  • .ppt, .pptx
  • .txt, .pdf

Please check out our Important Information/Requirements section for more important information.

How can I build a Go Forward Policy, Select Scan, or File Audit?

Go Forward Policies leverage our Alerts functionality. There are two types of Alerts that you can use to set up a Go Forward Policy: 

  1. Configure the Sensitive Data Scanned Alert template. This alert enables you to scan all files for sensitive information and supports additional conditions to scope the Alert further. 
  2. Add a content scanning condition to one of our exposure-focused Alert templates, allowing you to hone in on sensitive data that is being shared publicly, with users outside of your domain, or with all users on your domain.

Sensitive Data Scanned Alert

To get started, navigate to the Alerts Manager under Alerts > Manage from the left nav. The Sensitive Data Scanned alert is a template, meaning it must be configured before it becomes active. Click on the Alert’s name, or select “Edit” from the caret on the right side of the page to configure it.

Name your Alert to make sure you can identify it later, and add a description.

You can add a condition to scope this alert further, but it is not required.

The Content Scanning section is where you can decide what type of content to look for. In this example we will look for United States Social Security Numbers. You can narrow the data types presented by using the dropdown for “Region” and “Category”.

Clicking the “+” symbol allows you to add additional information types. Select the trash can icon next to an information type to remove it from your selection.

These additional conditions will function with OR logic, meaning that a file that contains any of the specified information types will trigger the alert.

By default the checkbox for “Include Private Files” will be unchecked and BetterCloud will not scan private files. You may check this box to include private files in the scan.

*Please Note: Including private files may significantly increase the amount of time the alert takes to process, and will remove any “Shared With” conditions from the alert.

As with any other alert, you can also set a threshold, and enable notifications through email, SMS, and webhook.

Select “Publish” to activate your new alert.

Content will be scanned upon the following events:

Google Drive

  • File Added
  • File Downloaded
  • File Edited
  • File Previewed
  • Sharing Setting Changed
  • Collaborator Added

Box

  • File Added*
  • File Downloaded
  • File Edited*
  • File Previewed
  • Shared Link Created*
  • Collaborator Added*

Slack

  • Public File Added
  • Public File Edited
  • File Shared Publicly

Dropbox

  • File Added*
  • File Downloaded
  • File Edited*
  • File Previewed
  • Shared File Downloaded
  • Shared File Viewed
  • File Downloaded via Shared Link
  • File Viewed via Shared Link
  • Shared Link Added*
  • Collaborator Added*

O365

  • File Added
  • File Edited
  • Shared Link Created
  • Collaborator Added

*Please Note: BetterCloud cannot guarantee that all events marked with an asterisk will be detected in the case of large folder trees.

Exposure Focused Alerts (Domain, Public, and Externally Shared) 

In order to identify sensitive data that has been shared publicly, with external users, or with your entire domain, you can add content scanning to one of the following alert templates from the Alerts Manager:

  • Files Shared Publicly
  • Files with Public Sharing Links
  • Files Shared Externally
  • Files Shared with Domain with Link
  • Files Shared with Domain

Other configurations for these alerts are essentially the same as for the Sensitive Data Scanned alert, but with built-in conditions for file exposure.

Adding content scanning to one of these alerts creates a new custom alert, which can then be used to trigger workflows to revoke external sharing or send you information about the triggering file.

Select Scans

To get started with a Select Scan, navigate to the Files grid by going to Files > Browse. In this grid you can do some initial filtering using the column filters to search for the files you want to target. Once you’ve located the files you want to scan, select the box next to them.

Next, select the Actions menu in the top right corner, choose “BetterCloud” to filter by BetterCloud-specific Actions, and select “Scan Content”.

A new window will pop up where you can name your scan and configure the specific criteria you want to scan for.

The three categories you can condition by are:

  1. Regional Format - allows you to filter by a specific country’s data type 
    • (can be left as *All)
  2. Category - denotes the kind of data you want to scan for 
    • (ie: Financial, Government, Health, etc) 
    • (can be left as *All)
  3. Data Type - the actual data the scan is searching for
    • The results in this dropdown will be filtered based on what you choose in the other two fields.

To add more conditions, click the + button. You can add up to 10 conditions, and any additional conditions will be considered “OR” conditions (meaning the document being scanned only needs to match one of the conditions you specify for it to be flagged as a “Violation”).

Once you are finished adding conditions, click the “Scan Files” button at the bottom right to start your Scan.

You can click “View Scans” to view the progress of that Scan, or you can click “Done” to finish.

File Audits

To get started with a File Audit, navigate to Files > Scans and click “New Scan” in the top right corner.

A new window will pop up where you can start building your File Audit. On the first page of the Audit you will be presented with file-specific criteria to help narrow what kinds of files your Audit will target.  

Criteria you can sort by on this page include:

  1. Permissions: allows you to target files with specific sharing permissions (ie: Public, External, and Internal). Check all the boxes if you want to target all Files in your domain.
  2. Integrations: allows you to target all Integrations or a specific Integration
  3. File Owner: allows you to target all Files Owned by a specific User
  4. Shared With: allows you to target all Files Shared With a specific User

The number of Files to be audited is displayed in the bottom left corner. This number updates in real time as you adjust your search criteria.

Please Note:

  • The “File Owner” and “Shared With” fields are wildcard fields, meaning BetterCloud will search for partial matches instead of exact matches for the content you enter (ie: entering "gmail.com" in the "Shared with" field will find all documents shared with gmail.com addresses).
  • Scans targeting over 500,000 files may take a significant amount of time to complete.

Select “Next” to continue to the 2nd page where you can configure the data-specific criteria you want your Audit to Scan for.

Similar to the Select Scan options, the three categories you can condition by are:

  1. Regional Format - allows you to filter by a specific country’s data type 
    • (can be left as *All)
  2. Category - denotes the kind of data you want to scan for 
    • (ie: Financial, Government, Health, etc) 
    • (can be left as *All)
  3. Data Type - the actual data the scan is searching for
    • The results in this window will be filtered based on what you choose in the other two fields.

To add more conditions, click the + button. You can add up to 10 conditions, and any additional conditions will be considered “OR” conditions (meaning the document being scanned only needs to match one of the conditions you specify for it to be flagged as a “Violation”). 

Once you are finished adding conditions, you can click the “Begin Scan” button at the bottom right to start your Scan.

You have now kicked off your scan and can select "Done" on the next page to return to the Scans menu.

Auditing Results 

Go Forward Policy Alert Results

Once your Go Forward Policy Alert has triggered, it will display on the Triggered Alerts page, under Alerts > Triggered from the left nav.

Click on the result in the "Matches" column to review the matches. The review flyout shows the name of the file, the number of matches, and the date and time when the file triggered the alert. Files with multiple matches will only appear once in the review flyout. Click on the link under the “Violations” column to view the list of matches. The page shows the title of the file, a link to view the file, the owner, the category that was matched, and the matched text. The list of matched entries is partially obscured for security purposes.

BetterCloud also provides a link for you to view the file if one is available (note: a "View File" link will only show if certain sharing setting requirements are met).

Targeted Scans and File Audit Results

Once you kick off a Targeted Content Scan or File Audit, you can navigate to the Files > Scan grid to see all of your "In Progress" and "Completed" scans. Each tab's title will show the number of In Progress and Completed Scans at that time.

View the "In Progress" grid to view information about any scans currently running, including the scan's start date, name, and status. The "Status" column indicates where in the process the scan is and will reflect the number of files already scanned out of the total number of files targeted.

Press the "Refresh" button in the top left corner to update the information in the grid. You can stop an in progress scan by selecting the X button next to the scan under "Actions". 

View the "Completed" grid to view the details of scans that have already finished, including the scan's completed date, name, and results. The "Results" column will show an overview of what occurred, including how many violations were found (if any), how many files could not be scanned, and how many files were scanned but did not violate the conditions set. 

Click into a scan's name to view the scan's criteria and targeted files. This grid is similar to the normal Files grid under Files > Browse, allowing you to leverage advanced filters and a search bar to easily audit your data.

To view what information the scan was searching for, select "Scan Criteria".

Selecting a File's Name will take you to view the File's details in BetterCloud.

Selecting "Violations" under the "Results" column takes you to a list of violations BetterCloud detected for this specific file.

The review flyout shows the name of the file in the top left corner, the "Category" the scanned data falls under (ie: SSN, Credit Card, Passport, etc), and a partial view of each matched entry. The list of matched entries is partially obscured for security purposes.

BetterCloud will provide a link to a document when applicable, but your ability to view it is dependent on the document's sharing settings. Below is a list of sharing setting requirements that need to be met for you to access a file.

Please Note: 

BetterCloud will provide a link to a document when applicable. Below is a per provider list of sharing settings where you will see a "View File" link:

  • Box - Files with public sharing links support view links. Box generates links to files when a public sharing link has been generated for that file.
  • Dropbox - Files with public sharing links support view links. Dropbox generates links to files when a public sharing link has been generated for that file.
  • G Suite - All file sharing levels support view links. However, if your account does not have access to the file based on its current sharing settings, clicking on the link will send you to a request access page - access is not provided automatically.
  • O365 - All file sharing levels support view links. However, if your account does not have access to the file based on its current sharing settings, clicking on the link will send you to a request access page - access is not provided automatically.
  • Slack - Public file sharing levels support view links.

In addition, your experience may differ depending on where the file you are attempting to access is stored (ie: OneDrive, Google, Dropbox, etc), the sharing settings of that file, and how you authenticated (logged in) to BetterCloud.

  • For example, if you are attempting to access a Google file and authenticated to app.bettercloud.com using a Google account, your account will A) need to be a collaborator on the document, or B) the document will have to have some kind of domain/public permissions. 
  • In another example, if you are attempting to access an O365 file and authenticated to app.bettercloud.com using your Okta credentials, you will likely be met with the O365 Login page first. Once you authenticate with your O365 credentials, your account will A) need to be a collaborator on the document, or B) the document will have to have some kind of domain/public permissions.
  • You will always be prompted to log in to Dropbox, Box, and Slack if you are not already logged in under the same session, whereas you may be taken directly to a Google or O365 file since you can sign into app.bettercloud.com with those two platforms.

You may see messages under the "Results" column indicating a file was not scanned. These messages include, but are not limited to: 

  • Unsupported File Type - the target file is not a File Type we support for scanning. See the beginning of this article for supported File Types.
  • File size too large - the document selected has a greater number of characters in its text than we can currently support scanning. The number of characters exceeds our current limit of 500,000.
  • Data could not be retrieved - can be thrown if the Owner of the document has changed since we started the scan, or if the File has been deleted but has not been removed from BetterCloud yet. BetterCloud will attempt to download a file 3 times in 30 minutes before throwing this error.

Triggering a Workflow from a Go Forward Policy

As with any other Alert, once a content scanning alert is published, it can be used as a workflow event. You can locate it under the Alerts dropdown for the relevant integration in the WHEN section of the Workflow Builder.

Once the workflow is published, future events that trigger the alert will also trigger the workflow, allowing you to take automated action based on sensitive data identified on your domain.

Please Note: Workflows will only take action on files that triggered the alert after it has been published.

For more use cases on automating Go Forward Policies with Workflows, please see our data loss prevention use case articles.

Taking Action on Violating Files

To take Action on Files violating a scan or policy, please see the section "Taking Action on Files" in our "File Management in BetterCloud" Article.

Important Information/Requirements 

  • Content Scanning is only available for customers on the Pro and Enterprise versions of BetterCloud.
  • In order to perform content scanning, BetterCloud downloads each file that is subject to be scanned. You will see these download operations appear in the different provider audit logs.
  • Scans are only carried out on a document after it has not been edited for at least 5 minutes.
  • You cannot delete a completed scan.
  • A "View File" link will only show if certain sharing setting requirements are met.
  • BetterCloud may be unable to scan Files for various reasons. Here are some common messages/reasons you may see.
  • When scanning documents, BetterCloud employs additional validation besides a basic regular expression match. If you are testing with dummy data, it will have to meet this additional validation in order for your data to be picked up by a Scan. For example, if you are testing Social Security Number scans, you cannot simply enter a random 9 digit number. It will also need to match the pattern of a valid Social Security Number.
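
The following is an added example, not BetterCloud's code, showing why random nine-digit test data is not flagged: a regular expression hit must also pass a structural check before it counts as a violation. The SSN rules (invalid ranges published by the SSA), the Luhn check for card numbers, the masking format, the "No violation" status and all function names are assumptions; the OR logic between data types, the 500,000-character limit and the partially obscured matches are taken from this article.

```python
import re

MAX_CHARS = 500_000  # character limit the article gives for a scannable file

# Candidate patterns only; a hit must also pass the validator below it.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def valid_ssn(area, group, serial):
    """Structural rules published by the SSA (assumed here, not BetterCloud's own)."""
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value):
    """Partially obscure a match, keeping only the last four characters (assumed format)."""
    return "*" * (len(value) - 4) + value[-4:]


def scan(text, data_types):
    """Return (status, violations); the requested data types are combined with OR logic."""
    if len(text) > MAX_CHARS:
        return "File size too large", []
    violations = []
    if "ssn" in data_types:
        for m in SSN_RE.finditer(text):
            if valid_ssn(*m.groups()):
                violations.append(("ssn", mask(m.group())))
    if "credit_card" in data_types:
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                violations.append(("credit_card", mask(digits)))
    return ("Violation" if violations else "No violation"), violations


# Constructed sample text: one structurally valid SSN, one invalid, one test card number.
SAMPLE = "emp 123-45-6789, bad 000-12-3456, card 4111 1111 1111 1111"
```

When building test files for a scan, use values that pass this kind of structural check, otherwise a clean result only shows that the dummy data was rejected, not that the policy works.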