From d46367862890fb89222f78e4d5a5f58ffc8f06a5 Mon Sep 17 00:00:00 2001
From: snarve <108771509+snarve@users.noreply.github.com>
Date: Mon, 15 Jul 2024 10:58:29 -0700
Subject: [PATCH] Add Detailed report messages for Drive&Docs (#300)

Update Drive and Docs rego and unit tests to support detailed report messages and group override policy

---------

Co-authored-by: Lauren Bassett <laurenebassett@gmail.com>
Co-authored-by: Alden Hilton <adhilto@sandia.gov>
Co-authored-by: Alden Hilton <106177711+adhilto@users.noreply.github.com>
---
 Testing/RegoTests/drive/drive01_test.rego | 248 +++++++--
 Testing/RegoTests/drive/drive02_test.rego |  83 +--
 Testing/RegoTests/drive/drive03_test.rego |  18 +-
 Testing/RegoTests/drive/drive04_test.rego |  15 +-
 Testing/RegoTests/drive/drive05_test.rego |  15 +-
 Testing/RegoTests/drive/drive06_test.rego |  37 +-
 rego/Drive.rego                           | 619 +++++++++++++++++-----
 scubagoggles/provider.py                  |   1 +
 8 files changed, 792 insertions(+), 244 deletions(-)

diff --git a/Testing/RegoTests/drive/drive01_test.rego b/Testing/RegoTests/drive/drive01_test.rego
index cb634119..fbd74a33 100644
--- a/Testing/RegoTests/drive/drive01_test.rego
+++ b/Testing/RegoTests/drive/drive01_test.rego
@@ -29,7 +29,7 @@ test_Sharing_Correct_V1 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Sharing_Correct_V2 if {
@@ -67,7 +67,7 @@ test_Sharing_Correct_V2 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Sharing_Correct_V3 if {
@@ -105,7 +105,7 @@ test_Sharing_Correct_V3 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Sharing_Incorrect_V1 if {
@@ -165,7 +165,10 @@ test_Sharing_Incorrect_V2 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: ",
+    "Files owned by users or shared drives can ",
+    "be shared outside of the organization</li></ul>"])
 }
 
 test_Sharing_Incorrect_V3 if {
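Review bot: The expected `ReportDetails` in the added lines places the OU name straight inside `<ul><li>…</li></ul>` markup, and no test in this part of the patch uses an OU name containing HTML metacharacters. OU names reach the policy through the `ORG_UNIT_NAME` log parameter, so if neither the message builder in `rego/Drive.rego` nor the report renderer (both outside this view) escapes them, a name containing `<` or `&` would alter the rendered report. Consider adding one case with such a name and asserting the escaped form, so the behaviour is pinned either way. The same pattern repeats in the other `Incorrect` hunks of this file; the body of `test_Sharing_Incorrect_V2` starts outside this hunk.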
@@ -203,7 +206,10 @@ test_Sharing_Incorrect_V3 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: ",
+    "Files owned by users or shared drives can ",
+    "be shared outside of the organization</li></ul>"])
 }
 
 test_Sharing_Incorrect_V4 if {
@@ -241,7 +247,10 @@ test_Sharing_Incorrect_V4 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Secondary OU: ",
+    "Files owned by users or shared drives can ",
+    "be shared outside of the organization</li></ul>"])
 }
 
 test_Sharing_Incorrect_V5 if {
@@ -305,7 +314,7 @@ test_Receiving_Correct_V1 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Receiving_Correct_V2 if {
@@ -343,7 +352,7 @@ test_Receiving_Correct_V2 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Receiving_Correct_V3 if {
@@ -381,7 +390,7 @@ test_Receiving_Correct_V3 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Receiving_Incorrect_V1 if {
@@ -441,7 +450,8 @@ test_Receiving_Incorrect_V2 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: Users can recieve files outside the domain</li></ul>"])
 }
 
 test_Receiving_Incorrect_V3 if {
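Review bot: The added expectation pins the misspelling `recieve` in a user-facing report string. Because the test compares for equality, the same spelling is presumably emitted by `rego/Drive.rego` (not visible in this part), so both need to change together: `"<ul><li>Test Top-Level OU: Users can receive files outside the domain</li></ul>"`. The `test_Receiving_Incorrect_V3` and `test_Receiving_Incorrect_V4` hunks carry the same string. The rule body starts outside this hunk.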
@@ -479,7 +489,9 @@ test_Receiving_Incorrect_V3 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: Users can recieve files outside the domain</li></ul>"])
+
 }
 
 test_Receiving_Incorrect_V4 if {
@@ -517,7 +529,8 @@ test_Receiving_Incorrect_V4 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Secondary OU: Users can recieve files outside the domain</li></ul>"])
 }
 
 test_Receiving_Incorrect_V5 if {
@@ -580,7 +593,7 @@ test_Warnings_Correct_V1 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Warnings_Correct_V2 if {
@@ -618,10 +631,10 @@ test_Warnings_Correct_V2 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
-test_Warningsr_Correct_V3 if {
+test_Warnings_Correct_V3 if {
     # Test sharing setting when there's multiple OUs
     PolicyId := "GWS.DRIVEDOCS.1.3v0.2"
     Output := tests with input as {
@@ -656,7 +669,7 @@ test_Warningsr_Correct_V3 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Warnings_Incorrect_V1 if {
@@ -716,7 +729,8 @@ test_Warnings_Incorrect_V2 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: External Sharing Warning is Disabled</li></ul>"])
 }
 
 test_Warningsr_Incorrect_V3 if {
@@ -754,7 +768,8 @@ test_Warningsr_Incorrect_V3 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: External Sharing Warning is Disabled</li></ul>"])
 }
 
 test_Warnings_Incorrect_V4 if {
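Review bot: This hunk's header still names the rule `test_Warningsr_Incorrect_V3`, although the commit corrects the same typo for `test_Warningsr_Correct_V3` a few hunks earlier. The test is still discovered through its `test_` prefix, but the names should be consistent: `test_Warnings_Incorrect_V3 if {`. The rule's first line is outside this hunk.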
@@ -792,7 +807,8 @@ test_Warnings_Incorrect_V4 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Secondary OU: External Sharing Warning is Disabled</li></ul>"])
 }
 
 test_Warnings_Incorrect_V5 if {
@@ -865,7 +881,7 @@ test_NonGoogle_Correct_V1 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_NonGoogle_Correct_V2 if {
@@ -913,7 +929,7 @@ test_NonGoogle_Correct_V2 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_NonGoogle_Correct_V3 if {
@@ -971,7 +987,7 @@ test_NonGoogle_Correct_V3 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_NonGoogle_Incorrect_V1 if {
@@ -1041,7 +1057,10 @@ test_NonGoogle_Incorrect_V2 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: ",
+    "External sharing is enabled and ",
+    "items can be shared to non-google accounts</li></ul>"])
 }
 
 test_NonGoogle_Incorrect_V3 if {
@@ -1099,7 +1118,10 @@ test_NonGoogle_Incorrect_V3 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: ",
+    "External sharing is enabled and ",
+    "items can be shared to non-google accounts</li></ul>"])
 }
 
 test_NonGoogle_Incorrect_V4 if {
@@ -1157,7 +1179,10 @@ test_NonGoogle_Incorrect_V4 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Secondary OU: ",
+    "External sharing is enabled and ",
+    "items can be shared to non-google accounts</li></ul>"])
 }
 
 test_NonGoogle_Incorrect_V5 if {
@@ -1220,7 +1245,7 @@ test_Link_Correct_V1 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Link_Correct_V2 if {
@@ -1258,7 +1283,7 @@ test_Link_Correct_V2 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Link_Correct_V3 if {
@@ -1296,7 +1321,7 @@ test_Link_Correct_V3 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Link_Incorrect_V1 if {
@@ -1356,9 +1381,9 @@ test_Link_Incorrect_V2 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: Published web content can be made visible to anyone with a link</li></ul>"])
 }
-
 test_Link_Incorrect_V3 if {
     # Test sharing setting when there are multiple events and the most recent is wrong
     PolicyId := "GWS.DRIVEDOCS.1.5v0.2"
@@ -1394,7 +1419,8 @@ test_Link_Incorrect_V3 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: Published web content can be made visible to anyone with a link</li></ul>"])
 }
 
 test_Link_Incorrect_V4 if {
@@ -1432,7 +1458,8 @@ test_Link_Incorrect_V4 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Secondary OU: Published web content can be made visible to anyone with a link</li></ul>"])
 }
 
 test_Link_Incorrect_V5 if {
@@ -1496,7 +1523,7 @@ test_SharingChecker_Correct_V1 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_SharingChecker_Correct_V2 if {
@@ -1534,7 +1561,7 @@ test_SharingChecker_Correct_V2 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_SharingChecker_Correct_V3 if {
@@ -1572,7 +1599,7 @@ test_SharingChecker_Correct_V3 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_SharingChecker_Incorrect_V1 if {
@@ -1632,7 +1659,10 @@ test_SharingChecker_Incorrect_V2 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: ",
+    "Access Checker allows users to share ",
+    "files to the public (no Google account required)</li></ul>"])
 }
 
 test_SharingChecker_Incorrect_V3 if {
@@ -1670,7 +1700,10 @@ test_SharingChecker_Incorrect_V3 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: ",
+    "Access Checker allows users to share ",
+    "files to the public (no Google account required)</li></ul>"])
 }
 
 test_SharingChecker_Incorrect_V4 if {
@@ -1708,7 +1741,10 @@ test_SharingChecker_Incorrect_V4 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Secondary OU: ",
+    "Access Checker allows users to share ",
+    "files to the public (no Google account required)</li></ul>"])
 }
 
 test_SharingChecker_Incorrect_V5 if {
@@ -1771,7 +1807,7 @@ test_CrossDomain_Correct_V1 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_CrossDomain_Correct_V2 if {
@@ -1809,7 +1845,7 @@ test_CrossDomain_Correct_V2 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_CrossDomain_Correct_V3 if {
@@ -1847,7 +1883,7 @@ test_CrossDomain_Correct_V3 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_CrossDomain_Incorrect_V1 if {
@@ -1907,11 +1943,14 @@ test_CrossDomain_Incorrect_V2 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", [  "The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: ",
+    "Anyone can distribute content in the organization to outside the organization</li></ul>"])
 }
 
 test_CrossDomain_Incorrect_V3 if {
-    # Test sharing setting when there are multiple events and the most recent is wrong
+    # Test sharing setting when there are multiple events and
+    # the most recent is wrong, set to anyone can distribute content. 
     PolicyId := "GWS.DRIVEDOCS.1.7v0.2"
     Output := tests with input as {
         "drive_logs": {"items": [
@@ -1945,11 +1984,14 @@ test_CrossDomain_Incorrect_V3 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", [  "The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: ",
+    "Anyone can distribute content in the organization to outside the organization</li></ul>"])
 }
 
 test_CrossDomain_Incorrect_V4 if {
-    # Test sharing setting when Top OU is correct but not secondary OU
+    # Test sharing setting when Top OU is correct but not secondary OU,
+    # which is set to Anyone in the Organization
     PolicyId := "GWS.DRIVEDOCS.1.7v0.2"
     Output := tests with input as {
         "drive_logs": {"items": [
@@ -1983,9 +2025,12 @@ test_CrossDomain_Incorrect_V4 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Secondary OU: ",
+    "Anyone can distribute content in the organization to outside the organization</li></ul>"])
 }
 
+
 test_CrossDomain_Incorrect_V5 if {
     # Test sharing setting when Top OU is not present
     PolicyId := "GWS.DRIVEDOCS.1.7v0.2"
@@ -2017,6 +2062,47 @@ test_CrossDomain_Incorrect_V5 if {
         "is non-compliant; manual check recommended."
     ])
 }
+
+test_CrossDomain_Incorrect_V6 if {
+    # Test sharing setting when there are multiple events and
+    # the most recent event is wrong, set to only users in the organization
+    PolicyId := "GWS.DRIVEDOCS.1.7v0.2"
+    Output := tests with input as {
+        "drive_logs": {"items": [
+            {
+                "id": {"time": "2022-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {"name": "SETTING_NAME", "value": "SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS"},
+                        {"name": "NEW_VALUE", "value": "CROSS_DOMAIN_FROM_INTERNAL_ONLY"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+                    ]
+                }]
+            },
+            {
+                "id": {"time": "2021-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {"name": "SETTING_NAME", "value": "SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS"},
+                        {"name": "NEW_VALUE", "value": "CROSS_DOMAIN_MOVES_BLOCKED"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+                    ]
+                }]
+            }
+        ]},
+        "tenant_info": {
+            "topLevelOU": ""
+        },
+    }
+
+    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+    count(RuleOutput) == 1
+    not RuleOutput[0].RequirementMet
+    not RuleOutput[0].NoSuchEvent
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: ",
+    "Only users inside the organization can distribute content outside of the organization</li></ul>"])
+}
 #--
 
 #
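Review bot: The added `test_CrossDomain_Incorrect_V6` exercises only an OU-scoped event, and in the part of the patch visible here no test supplies a group-scoped event. The commit description adds a group override policy, and the passing message now reads `Requirement met in all OUs and groups.`, so that path is otherwise untested in this view. A case where a group setting is non-compliant while its OU is compliant would pin the new branch. The parameter that identifies a group event is defined in `rego/Drive.rego`, which is outside this view.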
@@ -2047,7 +2133,7 @@ test_Default_Correct_V1 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Default_Correct_V2 if {
@@ -2085,7 +2171,7 @@ test_Default_Correct_V2 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Default_Correct_V3 if {
@@ -2123,7 +2209,7 @@ test_Default_Correct_V3 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Default_Incorrect_V1 if {
@@ -2183,7 +2269,12 @@ test_Default_Incorrect_V2 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", [
+        "The following OUs are non-compliant:",
+        "<ul><li>Test Top-Level OU: When users create items, the default access is set to: ",
+        "The primary target audience can search and find the item.</li></ul>"
+
+    ])
 }
 
 test_Default_Incorrect_V3 if {
@@ -2221,7 +2312,11 @@ test_Default_Incorrect_V3 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", [
+        "The following OUs are non-compliant:",
+        "<ul><li>Test Top-Level OU: When users create items, the default access is set to: ",
+        "The primary target audience can search and find the item.</li></ul>"
+    ])
 }
 
 test_Default_Incorrect_V4 if {
@@ -2259,7 +2354,12 @@ test_Default_Incorrect_V4 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU."
+    RuleOutput[0].ReportDetails == concat("", [
+        "The following OUs are non-compliant:",
+        "<ul><li>Test Secondary OU: When users create items, the default access is set to: ",
+        "The primary target audience can search and find the item.</li></ul>"
+
+    ])
 }
 
 test_Default_Incorrect_V5 if {
@@ -2292,4 +2392,48 @@ test_Default_Incorrect_V5 if {
         "While we are unable to determine the state from the logs, the default setting ",
         "is non-compliant; manual check recommended."
     ])
+}
+
+test_Default_Incorrect_V6 if {
+    # Test sharing setting when Top OU is correct but not secondary OU
+    PolicyId := "GWS.DRIVEDOCS.1.8v0.2"
+    Output := tests with input as {
+        "drive_logs": {"items": [
+            {
+                "id": {"time": "2022-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {"name": "SETTING_NAME", "value": "DEFAULT_LINK_SHARING_FOR_NEW_DOCS"},
+                        {"name": "NEW_VALUE", "value": "PRIVATE"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
+                    ]
+                }]
+            },
+            {
+                "id": {"time": "2021-12-20T00:02:28.672Z"},
+                "events": [{
+                    "parameters": [
+                        {"name": "SETTING_NAME", "value": "DEFAULT_LINK_SHARING_FOR_NEW_DOCS"},
+                        {"name": "NEW_VALUE", "value": "PEOPLE_WITH_LINK"},
+                        {"name": "ORG_UNIT_NAME", "value": "Test Secondary OU"},
+                    ]
+                }]
+            }
+        ]},
+        "tenant_info": {
+            "topLevelOU": "Test Top-Level OU"
+        },
+    }
+
+    RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
+    count(RuleOutput) == 1
+    not RuleOutput[0].RequirementMet
+    not RuleOutput[0].NoSuchEvent
+    RuleOutput[0].ReportDetails == concat("", [
+        "The following OUs are non-compliant:",
+        "<ul><li>Test Secondary OU: When users create items,",
+        " the default access is set to: ",
+        "The primary target audience can access the item if they have the link</li></ul>"
+
+    ])
 }
\ No newline at end of file
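Review bot: The comment on `test_Default_Incorrect_V6` does not say what distinguishes this case. The input sets the secondary OU to `PEOPLE_WITH_LINK`, so `# Test sharing setting when Top OU is correct but secondary OU is set to PEOPLE_WITH_LINK` would describe it. The expected message for this value ends without a period, while the `search and find the item.` message in the earlier `Default` hunks ends with one; that wording comes from `rego/Drive.rego`, not visible here. The file still ends without a trailing newline, and the blank line before `])` can be dropped.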
diff --git a/Testing/RegoTests/drive/drive02_test.rego b/Testing/RegoTests/drive/drive02_test.rego
index 5c4bacbb..f4a99492 100644
--- a/Testing/RegoTests/drive/drive02_test.rego
+++ b/Testing/RegoTests/drive/drive02_test.rego
@@ -29,7 +29,7 @@ test_Managers_Correct_V1 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Managers_Correct_V2 if {
@@ -67,7 +67,7 @@ test_Managers_Correct_V2 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Managers_Correct_V3 if {
@@ -105,7 +105,7 @@ test_Managers_Correct_V3 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Managers_Incorrect_V1 if {
@@ -165,7 +165,8 @@ test_Managers_Incorrect_V2 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: Members with manager access can override shared drive settings.</li></ul>"])
 }
 
 test_Managers_Incorrect_V3 if {
@@ -203,7 +204,8 @@ test_Managers_Incorrect_V3 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: Members with manager access can override shared drive settings.</li></ul>"])
 }
 
 test_Managers_Incorrect_V4 if {
@@ -241,7 +243,8 @@ test_Managers_Incorrect_V4 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Secondary OU: Members with manager access can override shared drive settings.</li></ul>"])
 }
 
 test_Managers_Incorrect_V5 if {
@@ -307,7 +310,7 @@ test_Outside_Correct_V1 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Outside_Correct_V2 if {
@@ -351,7 +354,7 @@ test_Outside_Correct_V2 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Outside_Correct_V3 if {
@@ -395,7 +398,7 @@ test_Outside_Correct_V3 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Outside_Incorrect_V1 if {
@@ -458,7 +461,8 @@ test_Outside_Incorrect_V2 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: Users outside the organization can access files in shared drives</li></ul>"])
 }
 
 test_Outside_Incorrect_V3 if {
@@ -502,7 +506,8 @@ test_Outside_Incorrect_V3 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: Users outside the organization can access files in shared drives</li></ul>"])
 }
 
 test_Outside_Incorrect_V4 if {
@@ -546,7 +551,8 @@ test_Outside_Incorrect_V4 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Secondary OU: Users outside the organization can access files in shared drives</li></ul>"])
 }
 
 test_Outside_Incorrect_V5 if {
@@ -615,7 +621,7 @@ test_SharedDrive_Correct_V1 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_SharedDrive_Correct_V2 if {
@@ -659,7 +665,7 @@ test_SharedDrive_Correct_V2 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_SharedDrive_Correct_V3 if {
@@ -703,7 +709,7 @@ test_SharedDrive_Correct_V3 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_SharedDrive_Incorrect_V1 if {
@@ -766,7 +772,8 @@ test_SharedDrive_Incorrect_V2 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: People who aren't shared drive members can be added to files</li></ul>"])
 }
 
 test_SharedDrive_Incorrect_V3 if {
@@ -810,9 +817,11 @@ test_SharedDrive_Incorrect_V3 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: People who aren't shared drive members can be added to files</li></ul>"])
 }
 
+
 test_SharedDrive_Incorrect_V4 if {
     # Test sharing setting when top OU is correct but secondary isn't
     PolicyId := "GWS.DRIVEDOCS.2.3v0.2"
@@ -854,7 +863,8 @@ test_SharedDrive_Incorrect_V4 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Secondary OU: People who aren't shared drive members can be added to files</li></ul>"])
 }
 
 test_SharedDrive_Incorrect_V5 if {
@@ -905,7 +915,7 @@ test_Viewers_Correct_V1 if {
                 "events": [{
                     "parameters": [
                         {"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"},
-                        {"name": "NEW_VALUE", "value": "false"},
+                        {"name": "NEW_VALUE", "value": "true"},
                         {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
                     ]
                 }]
@@ -920,7 +930,7 @@ test_Viewers_Correct_V1 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Viewers_Correct_V2 if {
@@ -933,7 +943,7 @@ test_Viewers_Correct_V2 if {
                 "events": [{
                     "parameters": [
                         {"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"},
-                        {"name": "NEW_VALUE", "value": "false"},
+                        {"name": "NEW_VALUE", "value": "true"},
                         {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
                     ]
                 }]
@@ -943,7 +953,7 @@ test_Viewers_Correct_V2 if {
                 "events": [{
                     "parameters": [
                         {"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"},
-                        {"name": "NEW_VALUE", "value": "true"},
+                        {"name": "NEW_VALUE", "value": "false"},
                         {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
                     ]
                 }]
@@ -958,7 +968,7 @@ test_Viewers_Correct_V2 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Viewers_Correct_V3 if {
@@ -971,7 +981,7 @@ test_Viewers_Correct_V3 if {
                 "events": [{
                     "parameters": [
                         {"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"},
-                        {"name": "NEW_VALUE", "value": "false"},
+                        {"name": "NEW_VALUE", "value": "true"},
                         {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
                     ]
                 }]
@@ -981,7 +991,7 @@ test_Viewers_Correct_V3 if {
                 "events": [{
                     "parameters": [
                         {"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"},
-                        {"name": "NEW_VALUE", "value": "false"},
+                        {"name": "NEW_VALUE", "value": "true"},
                         {"name": "ORG_UNIT_NAME", "value": "Secondary OU"},
                     ]
                 }]
@@ -996,7 +1006,7 @@ test_Viewers_Correct_V3 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Viewers_Incorrect_V1 if {
@@ -1041,7 +1051,7 @@ test_Viewers_Incorrect_V2 if {
                 "events": [{
                     "parameters": [
                         {"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"},
-                        {"name": "NEW_VALUE", "value": "true"},
+                        {"name": "NEW_VALUE", "value": "false"},
                         {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
                     ]
                 }]
@@ -1056,7 +1066,8 @@ test_Viewers_Incorrect_V2 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: Viewers and commenters are allowed to download, print, and copy files</li></ul>"])
 }
 
 test_Viewers_Incorrect_V3 if {
@@ -1069,7 +1080,7 @@ test_Viewers_Incorrect_V3 if {
                 "events": [{
                     "parameters": [
                         {"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"},
-                        {"name": "NEW_VALUE", "value": "true"},
+                        {"name": "NEW_VALUE", "value": "false"},
                         {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
                     ]
                 }]
@@ -1079,7 +1090,7 @@ test_Viewers_Incorrect_V3 if {
                 "events": [{
                     "parameters": [
                         {"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"},
-                        {"name": "NEW_VALUE", "value": "false"},
+                        {"name": "NEW_VALUE", "value": "true"},
                         {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
                     ]
                 }]
@@ -1094,7 +1105,9 @@ test_Viewers_Incorrect_V3 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: ",
+    "Viewers and commenters are allowed to download, print, and copy files</li></ul>"])
 }
 
 test_Viewers_Incorrect_V4 if {
@@ -1107,7 +1120,7 @@ test_Viewers_Incorrect_V4 if {
                 "events": [{
                     "parameters": [
                         {"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"},
-                        {"name": "NEW_VALUE", "value": "false"},
+                        {"name": "NEW_VALUE", "value": "true"},
                         {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
                     ]
                 }]
@@ -1117,7 +1130,7 @@ test_Viewers_Incorrect_V4 if {
                 "events": [{
                     "parameters": [
                         {"name": "SETTING_NAME", "value": "Shared Drive Creation new_team_drive_restricts_download"},
-                        {"name": "NEW_VALUE", "value": "true"},
+                        {"name": "NEW_VALUE", "value": "false"},
                         {"name": "ORG_UNIT_NAME", "value": "Test Secondary OU"},
                     ]
                 }]
@@ -1132,7 +1145,9 @@ test_Viewers_Incorrect_V4 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Secondary OU: ",
+    "Viewers and commenters are allowed to download, print, and copy files</li></ul>"])
 }
 
 test_Viewers_Incorrect_V5 if {
diff --git a/Testing/RegoTests/drive/drive03_test.rego b/Testing/RegoTests/drive/drive03_test.rego
index 31a63818..824caefe 100644
--- a/Testing/RegoTests/drive/drive03_test.rego
+++ b/Testing/RegoTests/drive/drive03_test.rego
@@ -42,7 +42,7 @@ test_Sharing_Correct_V1 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Sharing_Correct_V2 if {
@@ -96,7 +96,7 @@ test_Sharing_Correct_V2 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Sharing_Correct_V3 if {
@@ -160,7 +160,7 @@ test_Sharing_Correct_V3 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Sharing_Incorrect_V1 if {
@@ -234,7 +234,9 @@ test_Sharing_Incorrect_V2 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: ",
+    "Users are allowed to remove/apply the security update for files they own or manage</li></ul>"])
 }
 
 test_Sharing_Incorrect_V3 if {
@@ -288,7 +290,9 @@ test_Sharing_Incorrect_V3 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: ",
+    "Users are allowed to remove/apply the security update for files they own or manage</li></ul>"])
 }
 
 test_Sharing_Incorrect_V4 if {
@@ -352,7 +356,9 @@ test_Sharing_Incorrect_V4 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Secondary OU: ",
+    "Users are allowed to remove/apply the security update for files they own or manage</li></ul>"])
 }
 
 test_Sharing_Incorrect_V5 if {
diff --git a/Testing/RegoTests/drive/drive04_test.rego b/Testing/RegoTests/drive/drive04_test.rego
index 287785d6..ef8c5656 100644
--- a/Testing/RegoTests/drive/drive04_test.rego
+++ b/Testing/RegoTests/drive/drive04_test.rego
@@ -29,7 +29,7 @@ test_Security_Correct_V1 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Security_Correct_V2 if {
@@ -67,7 +67,7 @@ test_Security_Correct_V2 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Security_Correct_V3 if {
@@ -105,7 +105,7 @@ test_Security_Correct_V3 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Security_Incorrect_V1 if {
@@ -165,7 +165,8 @@ test_Security_Incorrect_V2 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: Drive SDK is enabled</li></ul>"])
 }
 
 test_Security_Incorrect_V3 if {
@@ -203,7 +204,8 @@ test_Security_Incorrect_V3 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: Drive SDK is enabled</li></ul>"])
 }
 
 test_Security_Incorrect_V4 if {
@@ -241,7 +243,8 @@ test_Security_Incorrect_V4 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Secondary OU: Drive SDK is enabled</li></ul>"])
 }
 
 test_Security_Incorrect_V5 if {
diff --git a/Testing/RegoTests/drive/drive05_test.rego b/Testing/RegoTests/drive/drive05_test.rego
index c0b70a80..2e13be1c 100644
--- a/Testing/RegoTests/drive/drive05_test.rego
+++ b/Testing/RegoTests/drive/drive05_test.rego
@@ -29,7 +29,7 @@ test_Sharing_Correct_V1 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Sharing_Correct_V2 if {
@@ -67,7 +67,7 @@ test_Sharing_Correct_V2 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Sharing_Correct_V3 if {
@@ -105,7 +105,7 @@ test_Sharing_Correct_V3 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_Sharing_Incorrect_V1 if {
@@ -165,7 +165,8 @@ test_Sharing_Incorrect_V2 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: Users can install Google Docs add-ons from add-ons store.</li></ul>"])
 }
 
 test_Sharing_Incorrect_V3 if {
@@ -203,7 +204,8 @@ test_Sharing_Incorrect_V3 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: Users can install Google Docs add-ons from add-ons store.</li></ul>"])
 }
 
 test_Sharing_Incorrect_V4 if {
@@ -241,7 +243,8 @@ test_Sharing_Incorrect_V4 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Secondary OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Secondary OU: Users can install Google Docs add-ons from add-ons store.</li></ul>"])
 }
 
 test_Sharing_Incorrect_V5 if {
diff --git a/Testing/RegoTests/drive/drive06_test.rego b/Testing/RegoTests/drive/drive06_test.rego
index a601e1af..973db6d3 100644
--- a/Testing/RegoTests/drive/drive06_test.rego
+++ b/Testing/RegoTests/drive/drive06_test.rego
@@ -59,7 +59,7 @@ test_DriveFs_Setting_Correct_V1 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_DriveFs_Setting_Correct_V2 if {
@@ -107,7 +107,7 @@ test_DriveFs_Setting_Correct_V2 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_DriveFs_Setting_Correct_V3 if {
@@ -175,7 +175,7 @@ test_DriveFs_Setting_Correct_V3 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_DriveFs_Setting_Correct_V4 if {
@@ -213,7 +213,7 @@ test_DriveFs_Setting_Correct_V4 if {
     count(RuleOutput) == 1
     RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement met in all OUs."
+    RuleOutput[0].ReportDetails == "Requirement met in all OUs and groups."
 }
 
 test_DriveFs_Setting_InCorrect_V1 if {
@@ -226,7 +226,7 @@ test_DriveFs_Setting_InCorrect_V1 if {
                 "events": [{
                     "parameters": [
                         {"name": "SETTING_NAME", "value": "DriveFsSettingsProto company_owned_only_enabled"},
-                        {"name": "NEW_VALUE", "value": "true"},
+                        {"name": "NEW_VALUE", "value": "false"},
                         {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
                     ]
                 }]
@@ -236,7 +236,7 @@ test_DriveFs_Setting_InCorrect_V1 if {
                 "events": [{
                     "parameters": [
                         {"name": "SETTING_NAME", "value": "DriveFsSettingsProto drive_fs_enabled"},
-                        {"name": "NEW_VALUE", "value": "false"},
+                        {"name": "NEW_VALUE", "value": "true"},
                         {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
                     ]
                 }]
@@ -251,7 +251,8 @@ test_DriveFs_Setting_InCorrect_V1 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: Drive for Desktop is enabled, but can be used on any device.</li></ul>"])
 }
 
 test_DriveFs_Setting_InCorrect_V2 if {
@@ -264,7 +265,7 @@ test_DriveFs_Setting_InCorrect_V2 if {
                 "events": [{
                     "parameters": [
                         {"name": "SETTING_NAME", "value": "DriveFsSettingsProto company_owned_only_enabled"},
-                        {"name": "NEW_VALUE", "value": "true"},
+                        {"name": "NEW_VALUE", "value": "false"},
                         {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
                     ]
                 }]
@@ -274,7 +275,7 @@ test_DriveFs_Setting_InCorrect_V2 if {
                 "events": [{
                     "parameters": [
                         {"name": "SETTING_NAME", "value": "DriveFsSettingsProto drive_fs_enabled"},
-                        {"name": "NEW_VALUE", "value": "false"},
+                        {"name": "NEW_VALUE", "value": "true"},
                         {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
                     ]
                 }]
@@ -284,7 +285,7 @@ test_DriveFs_Setting_InCorrect_V2 if {
                 "events": [{
                     "parameters": [
                         {"name": "SETTING_NAME", "value": "DriveFsSettingsProto company_owned_only_enabled"},
-                        {"name": "NEW_VALUE", "value": "true"},
+                        {"name": "NEW_VALUE", "value": "false"},
                         {"name": "ORG_UNIT_NAME", "value": "Secondary-Level OU"},
                     ]
                 }]
@@ -309,7 +310,8 @@ test_DriveFs_Setting_InCorrect_V2 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: Drive for Desktop is enabled, but can be used on any device.</li></ul>"])
 }
 
 test_DriveFs_Setting_InCorrect_V3 if {
@@ -322,7 +324,7 @@ test_DriveFs_Setting_InCorrect_V3 if {
                 "events": [{
                     "parameters": [
                         {"name": "SETTING_NAME", "value": "DriveFsSettingsProto company_owned_only_enabled"},
-                        {"name": "NEW_VALUE", "value": "true"},
+                        {"name": "NEW_VALUE", "value": "false"},
                         {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
                     ]
                 }]
@@ -332,13 +334,13 @@ test_DriveFs_Setting_InCorrect_V3 if {
                 "events": [{
                     "parameters": [
                         {"name": "SETTING_NAME", "value": "DriveFsSettingsProto drive_fs_enabled"},
-                        {"name": "NEW_VALUE", "value": "false"},
+                        {"name": "NEW_VALUE", "value": "true"},
                         {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
                     ]
                 }]
             },
             {
-                "id": {"time": "2022-22-20T00:02:24.672Z"},
+                "id": {"time": "2022-05-20T00:02:24.672Z"},
                 "events": [{
                     "parameters": [
                         {"name": "SETTING_NAME", "value": "DriveFsSettingsProto company_owned_only_enabled"},
@@ -348,11 +350,11 @@ test_DriveFs_Setting_InCorrect_V3 if {
                 }]
             },
             {
-                "id": {"time": "2022-21-20T00:02:25.672Z"},
+                "id": {"time": "2022-05-20T00:02:25.672Z"},
                 "events": [{
                     "parameters": [
                         {"name": "SETTING_NAME", "value": "DriveFsSettingsProto drive_fs_enabled"},
-                        {"name": "NEW_VALUE", "value": "true"},
+                        {"name": "NEW_VALUE", "value": "false"},
                         {"name": "ORG_UNIT_NAME", "value": "Secondary-Level OU"},
                     ]
                 }]
@@ -387,5 +389,6 @@ test_DriveFs_Setting_InCorrect_V3 if {
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
     not RuleOutput[0].NoSuchEvent
-    RuleOutput[0].ReportDetails == "Requirement failed in Test Top-Level OU."
+    RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
+    "<ul><li>Test Top-Level OU: Drive for Desktop is enabled, but can be used on any device.</li></ul>"])
 }
\ No newline at end of file
diff --git a/rego/Drive.rego b/rego/Drive.rego
index 421669aa..0c3e7b8c 100644
--- a/rego/Drive.rego
+++ b/rego/Drive.rego
@@ -12,13 +12,42 @@ LogEvents := utils.GetEvents("drive_logs")
 #
 # Baseline GWS.DRIVEDOCS.1.1v0.2
 #--
-NonCompliantOUs1_1 contains OU if {
+
+GetFriendlyValue1_1(Value) := concat("",
+    ["Files owned by users or shared drives ",
+    "can be shared with Google accounts in ",
+    "compatible allowlisted domains"]) if {
+    startswith(Value, "TRUSTED_DOMAINS")
+}
+else := concat("", ["Files owned by users or shared drives can ",
+    "be shared outside of the organization"]) if {
+    startswith(Value, "SHARING_ALLOWED")
+} else := Value
+
+NonCompliantOUs1_1 contains {
+    "Name": OU,
+    "Value": GetFriendlyValue1_1(LastEvent.NewValue)
+    } if {
     some OU in utils.OUsWithEvents
-    Events := utils.FilterEvents(LogEvents, "SHARING_OUTSIDE_DOMAIN", OU)
+    Events := utils.FilterEventsOU(LogEvents, "SHARING_OUTSIDE_DOMAIN", OU)
     count(Events) > 0
     LastEvent := utils.GetLastEvent(Events)
     AcceptableValues := {"SHARING_NOT_ALLOWED", "INHERIT_FROM_PARENT",
-     "SHARING_NOT_ALLOWED_BUT_MAY_RECEIVE_FILES"}
+    "SHARING_NOT_ALLOWED_BUT_MAY_RECEIVE_FILES"}
+    not LastEvent.NewValue in AcceptableValues
+}
+
+
+NonCompliantGroups1_1 contains {
+    "Name": Group,
+    "Value": GetFriendlyValue1_1(LastEvent.NewValue)
+    } if {
+    some Group in utils.GroupsWithEvents
+    Events := utils.FilterEventsGroup(LogEvents, "SHARING_OUTSIDE_DOMAIN", Group)
+    count(Events) > 0
+    LastEvent := utils.GetLastEvent(Events)
+    AcceptableValues := {"SHARING_NOT_ALLOWED", "INHERIT_FROM_PARENT",
+    "SHARING_NOT_ALLOWED_BUT_MAY_RECEIVE_FILES"}
     not LastEvent.NewValue in AcceptableValues
 }
 
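Review bot: The `else := Value` fallback in `GetFriendlyValue1_1` passes any unmapped `NewValue` from the log straight into the finding, and the tests in this commit show findings rendered inside `<ul><li>…</li></ul>`. Whether `utils.ReportDetails` escapes the OU or group name and the value before building that markup is not visible here, so it is worth confirming. Separately, `AcceptableValues` is spelled out twice, once in `NonCompliantOUs1_1` and once in `NonCompliantGroups1_1`. Hoisting it to a single rule such as `AcceptableValues1_1 := {...}` would keep the two checks from drifting apart.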
@@ -32,37 +61,64 @@ tests contains {
 }
 if {
     DefaultSafe := false
-    Events := utils.FilterEvents(LogEvents, "SHARING_OUTSIDE_DOMAIN", utils.TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents, "SHARING_OUTSIDE_DOMAIN", utils.TopLevelOU)
     count(Events) == 0
 }
 
 tests contains {
     "PolicyId": "GWS.DRIVEDOCS.1.1v0.2",
     "Criticality": "Should",
-    "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs1_1),
-    "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_1},
+    "ReportDetails": utils.ReportDetails(NonCompliantOUs1_1, NonCompliantGroups1_1),
+    "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_1, "NonCompliantGroups": NonCompliantGroups1_1},
     "RequirementMet": Status,
     "NoSuchEvent": false
 }
 if {
     Events := utils.FilterEvents(LogEvents, "SHARING_OUTSIDE_DOMAIN", utils.TopLevelOU)
     count(Events) > 0
-    Status := count(NonCompliantOUs1_1) == 0
+    Conditions := {count(NonCompliantOUs1_1) == 0, count(NonCompliantGroups1_1) == 0 }
+    Status := (false in Conditions) == false
 }
 #--
 
-# Can be combined with 1.1, since this is a single setting with the same value that will pass for both conditions
 #
 # Baseline GWS.DRIVEDOCS.1.2v0.2
 #--
-NonCompliantOUs1_2 contains OU if {
+
+
+GetFriendlyValue1_2(Value) := "Users cannot recieve files outside the domain" if {
+    contains("SHARING_NOT_ALLOWED INHERIT_FROM_PARENT", Value) == true
+}
+else := "Users can recieve files outside the domain"
+
+NonCompliantOUs1_2 contains {
+    "Name": OU,
+    "Value": GetFriendlyValue1_2(LastEvent.NewValue)
+    }
+    if {
     some OU in utils.OUsWithEvents
-    Events := utils.FilterEvents(LogEvents, "SHARING_OUTSIDE_DOMAIN", OU)
+    Events := utils.FilterEventsOU(LogEvents, "SHARING_OUTSIDE_DOMAIN", OU)
     count(Events) > 0
     LastEvent := utils.GetLastEvent(Events)
-    contains("SHARING_NOT_ALLOWED INHERIT_FROM_PARENT", LastEvent.NewValue) == false
+    AcceptableValues = {"SHARING_NOT_ALLOWED", "INHERIT_FROM_PARENT", 
+        "TRUSTED_DOMAINS_ALLOWED", "TRUSTED_DOMAINS_ALLOWED_WITH_WARNING"}
+    not LastEvent.NewValue in AcceptableValues
 }
 
+NonCompliantGroups1_2 contains {
+    "Name": Group,
+    "Value": GetFriendlyValue1_2(LastEvent.NewValue)
+    }
+    if {
+    some Group in utils.GroupsWithEvents
+    Events := utils.FilterEventsGroup(LogEvents, "SHARING_OUTSIDE_DOMAIN", Group)
+    count(Events) > 0
+    LastEvent := utils.GetLastEvent(Events)
+    AcceptableValues = {"SHARING_NOT_ALLOWED", "INHERIT_FROM_PARENT", 
+        "TRUSTED_DOMAINS_ALLOWED", "TRUSTED_DOMAINS_ALLOWED_WITH_WARNING"}
+    not LastEvent.NewValue in AcceptableValues
+    }
+
 tests contains {
     "PolicyId": "GWS.DRIVEDOCS.1.2v0.2",
     "Criticality": "Should",
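Review bot: The pass/fail `tests` rule for 1.1 still calls `utils.FilterEvents(LogEvents, "SHARING_OUTSIDE_DOMAIN", utils.TopLevelOU)`, while the no-event rule just above it was switched to `utils.FilterEventsOU`; the 1.2 and 1.3 rules later in the patch switch both. If the two helpers can return different event sets, the `count(Events) == 0` and `count(Events) > 0` guards stop being complementary and the policy could produce two results or none. Using `Events := utils.FilterEventsOU(LogEvents, "SHARING_OUTSIDE_DOMAIN", utils.TopLevelOU)` in both keeps them aligned. In `GetFriendlyValue1_2`, `contains("SHARING_NOT_ALLOWED INHERIT_FROM_PARENT", Value)` is a substring test, and both callers reach it only after `not LastEvent.NewValue in AcceptableValues`, so its first message is effectively unreachable for the expected values. Both message strings also spell "recieve", and `AcceptableValues = {...}` uses `=` where the 1.1 and 1.3 rules use `:=`.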
@@ -73,36 +129,64 @@ tests contains {
 }
 if {
     DefaultSafe := false
-    Events := utils.FilterEvents(LogEvents, "SHARING_OUTSIDE_DOMAIN", utils.TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents, "SHARING_OUTSIDE_DOMAIN", utils.TopLevelOU)
     count(Events) == 0
 }
 
 tests contains {
     "PolicyId": "GWS.DRIVEDOCS.1.2v0.2",
     "Criticality": "Should",
-    "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs1_2),
-    "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_2},
+    "ReportDetails": utils.ReportDetails(NonCompliantOUs1_2, NonCompliantGroups1_2),
+    "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_2,
+        "NonCompliantGroups": NonCompliantGroups1_2},
     "RequirementMet": Status,
     "NoSuchEvent": false
 }
 if {
-    Events := utils.FilterEvents(LogEvents, "SHARING_OUTSIDE_DOMAIN", utils.TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents, "SHARING_OUTSIDE_DOMAIN", utils.TopLevelOU)
     count(Events) > 0
-    Status := count(NonCompliantOUs1_2) == 0
+    Conditions := {count(NonCompliantOUs1_2) == 0, count(NonCompliantGroups1_2) == 0 }
+    Status := (false in Conditions) == false
 }
 #--
 
-# Can be combined with 1.4 since a single policy can be used to check both conditions
 #
 # Baseline GWS.DRIVEDOCS.1.3v0.2
 #--
-NonCompliantOUs1_3 contains OU if {
+
+GetFriendlyValue1_3(Value, AcceptableValues) := "External Sharing Warning is Enabled" if {
+    Value in AcceptableValues == true
+}
+else := "External Sharing Warning is Disabled"
+
+
+NonCompliantOUs1_3 contains {
+    "Name": OU,
+    "Value": GetFriendlyValue1_3(LastEvent.NewValue, AcceptableValues)
+    } if {
     some OU in utils.OUsWithEvents
-    Events := utils.FilterEvents(LogEvents, "SHARING_OUTSIDE_DOMAIN", OU)
+    Events := utils.FilterEventsOU(LogEvents, "SHARING_OUTSIDE_DOMAIN", OU)
+    count(Events) > 0
+    LastEvent := utils.GetLastEvent(Events)
+    AcceptableValues := {"SHARING_ALLOWED_WITH_WARNING", "SHARING_NOT_ALLOWED",
+    "INHERIT_FROM_PARENT", "SHARING_NOT_ALLOWED_BUT_MAY_RECEIVE_FILES",
+    "TRUSTED_DOMAINS_ALLOWED_WITH_WARNING", 
+    "TRUSTED_DOMAINS_ALLOWED_WITH_WARNING_MAY_RECEIVE_FILES_FROM_ANYONE"}
+    not LastEvent.NewValue in AcceptableValues
+}
+
+NonCompliantGroups1_3 contains {
+    "Name": Group,
+    "Value": GetFriendlyValue1_3(LastEvent.NewValue, AcceptableValues)
+    } if {
+    some Group in utils.GroupsWithEvents
+    Events := utils.FilterEventsGroup(LogEvents, "SHARING_OUTSIDE_DOMAIN", Group)
     count(Events) > 0
     LastEvent := utils.GetLastEvent(Events)
     AcceptableValues := {"SHARING_ALLOWED_WITH_WARNING", "SHARING_NOT_ALLOWED",
-     "INHERIT_FROM_PARENT", "SHARING_NOT_ALLOWED_BUT_MAY_RECEIVE_FILES"}
+    "INHERIT_FROM_PARENT", "SHARING_NOT_ALLOWED_BUT_MAY_RECEIVE_FILES",
+    "TRUSTED_DOMAINS_ALLOWED_WITH_WARNING", 
+    "TRUSTED_DOMAINS_ALLOWED_WITH_WARNING_MAY_RECEIVE_FILES_FROM_ANYONE"}
     not LastEvent.NewValue in AcceptableValues
 }
 
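Review bot: The first branch of `GetFriendlyValue1_3` cannot be taken from either caller, because `NonCompliantOUs1_3` and `NonCompliantGroups1_3` only build their object once `not LastEvent.NewValue in AcceptableValues` holds. The helper therefore always yields "External Sharing Warning is Disabled", and the `AcceptableValues` parameter is dead weight. The unparenthesised `Value in AcceptableValues == true` may also not group the way it reads; the patch parenthesises the same shape elsewhere as `(false in Conditions) == false`, and plain `Value in AcceptableValues` would be unambiguous. The six-element `AcceptableValues` set is duplicated between the OU and group rules, so defining it once, e.g. `AcceptableValues1_3 := {...}`, would avoid the two lists diverging.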
@@ -116,23 +200,26 @@ tests contains {
 }
 if {
     DefaultSafe := false
-    Events := utils.FilterEvents(LogEvents, "SHARING_OUTSIDE_DOMAIN", utils.TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents, "SHARING_OUTSIDE_DOMAIN", utils.TopLevelOU)
     count(Events) == 0
 }
 
 tests contains {
     "PolicyId": "GWS.DRIVEDOCS.1.3v0.2",
     "Criticality": "Shall",
-    "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs1_3),
-    "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_3},
+    "ReportDetails": utils.ReportDetails(NonCompliantOUs1_3, NonCompliantGroups1_3),
+    "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_3,
+        "NonCompliantGroups": NonCompliantGroups1_3},
     "RequirementMet": Status,
     "NoSuchEvent": false
 }
 if {
-    Events := utils.FilterEvents(LogEvents, "SHARING_OUTSIDE_DOMAIN", utils.TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents, "SHARING_OUTSIDE_DOMAIN", utils.TopLevelOU)
     count(Events) > 0
-    Status := count(NonCompliantOUs1_3) == 0
+    Conditions := {count(NonCompliantOUs1_3) == 0, count(NonCompliantGroups1_3) == 0 }
+    Status := (false in Conditions) == false
 }
+
 #--
 
 #
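Review bot: The new `Status` computation in the last rule of this hunk builds a two-element set and then tests `(false in Conditions) == false`, which is harder to read than the condition it encodes. Both counts have to be zero, so `Status := count(NonCompliantOUs1_3) + count(NonCompliantGroups1_3) == 0` states the requirement in one line. The same two-line pattern is repeated for 1.4 through 6.1 in the later hunks, so a small helper next to `utils.ReportDetails` would remove the repetition.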
@@ -152,13 +239,45 @@ NoSuchEvent1_4(TopLevelOU) := true if {
 
 default NoSuchEvent1_4(_) := false
 
-NonCompliantOUs1_4 contains OU if {
+GetFriendlyValue1_4(Value_A, Value_B, AcceptableValues_A, AcceptableValues_B) :=
+"External Sharing is Disabled" if {
+    Value_B in AcceptableValues_B
+} else := concat("", ["External sharing is enabled ",
+    "but sharing items to non-google accounts is disabled"]) if {
+    Value_A in AcceptableValues_A
+} else := "External sharing is enabled and items can be shared to non-google accounts"
+
+NonCompliantOUs1_4 contains {
+    "Name": OU,
+    "Value": GetFriendlyValue1_4(LastEvent_A.NewValue,
+        LastEvent_B.NewValue, AcceptableValues_A, AcceptableValues_B)
+    } if {
     some OU in utils.OUsWithEvents
-    Events_A := utils.FilterEvents(LogEvents, "SHARING_INVITES_TO_NON_GOOGLE_ACCOUNTS", OU)
+    Events_A := utils.FilterEventsOU(LogEvents, "SHARING_INVITES_TO_NON_GOOGLE_ACCOUNTS", OU)
     count(Events_A) > 0
     LastEvent_A := utils.GetLastEvent(Events_A)
 
-    Events_B := utils.FilterEvents(LogEvents, "SHARING_OUTSIDE_DOMAIN", OU)
+    Events_B := utils.FilterEventsOU(LogEvents, "SHARING_OUTSIDE_DOMAIN", OU)
+    count(Events_B) > 0
+    LastEvent_B := utils.GetLastEvent(Events_B)
+
+    AcceptableValues_A := {"NOT_ALLOWED", "INHERIT_FROM_PARENT"}
+    not LastEvent_A.NewValue in AcceptableValues_A
+    AcceptableValues_B := {"SHARING_NOT_ALLOWED", "INHERIT_FROM_PARENT"}
+    not LastEvent_B.NewValue in AcceptableValues_B
+}
+
+NonCompliantGroups1_4 contains {
+    "Name": Group,
+    "Value": GetFriendlyValue1_4(LastEvent_A.NewValue, LastEvent_B.NewValue,
+        AcceptableValues_A, AcceptableValues_B)
+    } if {
+    some Group in utils.GroupsWithEvents
+    Events_A := utils.FilterEventsGroup(LogEvents, "SHARING_INVITES_TO_NON_GOOGLE_ACCOUNTS", Group)
+    count(Events_A) > 0
+    LastEvent_A := utils.GetLastEvent(Events_A)
+
+    Events_B := utils.FilterEventsGroup(LogEvents, "SHARING_OUTSIDE_DOMAIN", Group)
     count(Events_B) > 0
     LastEvent_B := utils.GetLastEvent(Events_B)
 
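Review bot: `NonCompliantGroups1_4` only yields an entry when the same group has both a `SHARING_INVITES_TO_NON_GOOGLE_ACCOUNTS` event and a `SHARING_OUTSIDE_DOMAIN` event, because of the two `count(...) > 0` checks. If a group override changes only one of the two settings, the group is skipped and the other setting's value at the OU level is never consulted, so a permissive override could be reported as compliant. The rest of the rule body lies outside this hunk, so this should be confirmed against how group overrides are logged. At minimum, record the assumption in a comment such as `# assumes a group override always logs both settings`. `NonCompliantGroups6_1` further down has the same shape.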
@@ -184,28 +303,47 @@ if {
 tests contains {
     "PolicyId": "GWS.DRIVEDOCS.1.4v0.2",
     "Criticality": "Shall",
-    "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs1_4),
-    "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_4},
+    "ReportDetails": utils.ReportDetails(NonCompliantOUs1_4, NonCompliantGroups1_4),
+    "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_4,
+        "NonCompliantGroups": NonCompliantGroups1_4},
     "RequirementMet": Status,
     "NoSuchEvent": false
 }
 if {
     not NoSuchEvent1_4(utils.TopLevelOU)
-    Status := count(NonCompliantOUs1_4) == 0
+    Conditions := {count(NonCompliantOUs1_4) == 0, count(NonCompliantGroups1_4) == 0 }
+    Status := (false in Conditions) == false
 }
+
 #--
 
 #
 # Baseline GWS.DRIVEDOCS.1.5v0.2
 #--
-NonCompliantOUs1_5 contains OU if {
+
+NonCompliantOUs1_5 contains {
+    "Name": OU,
+    "Value": "Published web content can be made visible to anyone with a link"
+    } if {
     some OU in utils.OUsWithEvents
-    Events := utils.FilterEvents(LogEvents, "PUBLISHING_TO_WEB", OU)
+    Events := utils.FilterEventsOU(LogEvents, "PUBLISHING_TO_WEB", OU)
     count(Events) > 0
     LastEvent := utils.GetLastEvent(Events)
     contains("ALLOWED", LastEvent.NewValue) == true
 }
 
+NonCompliantGroups1_5 contains {
+    "Name": Group,
+    "Value": "Published web content can be made visible to anyone with a link"
+    } if {
+    some Group in utils.GroupsWithEvents
+    Events := utils.FilterEventsGroup(LogEvents, "PUBLISHING_TO_WEB", Group)
+    count(Events) > 0
+    LastEvent := utils.GetLastEvent(Events)
+    contains("ALLOWED", LastEvent.NewValue) == true
+}
+
+
 tests contains {
     "PolicyId": "GWS.DRIVEDOCS.1.5v0.2",
     "Criticality": "Shall",
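Review bot: `contains("ALLOWED", LastEvent.NewValue) == true` in `NonCompliantGroups1_5` (copied from the OU rule) is a substring test with the logged value as the needle, so it matches any fragment of "ALLOWED", including the empty string, rather than the exact value. An equality check, `LastEvent.NewValue == "ALLOWED"`, expresses the intent. The later hunks carry the same pattern into the new group rules for 1.6, 1.7 and 2.1 to 2.3, in the form `contains("...", LastEvent.NewValue) == false`. There the direction matters more, because an empty or truncated `NewValue` is a substring of the allow-list string and the entry is silently treated as compliant. The set-membership form already used for 1.3, `not LastEvent.NewValue in {...}`, avoids that.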
@@ -216,34 +354,54 @@ tests contains {
 }
 if {
     DefaultSafe := false
-    Events := utils.FilterEvents(LogEvents, "PUBLISHING_TO_WEB", utils.TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents, "PUBLISHING_TO_WEB", utils.TopLevelOU)
     count(Events) == 0
 }
 
 tests contains {
     "PolicyId": "GWS.DRIVEDOCS.1.5v0.2",
     "Criticality": "Shall",
-    "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs1_5),
-    "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_5},
+    "ReportDetails": utils.ReportDetails(NonCompliantOUs1_5, NonCompliantGroups1_5),
+    "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_5,
+        "NonCompliantGroups": NonCompliantGroups1_5},
     "RequirementMet": Status,
     "NoSuchEvent": false
 }
 if {
-    Events := utils.FilterEvents(LogEvents, "PUBLISHING_TO_WEB", utils.TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents, "PUBLISHING_TO_WEB", utils.TopLevelOU)
     count(Events) > 0
-    Status := count(NonCompliantOUs1_5) == 0
+    Conditions := {count(NonCompliantOUs1_5) == 0, count(NonCompliantGroups1_5) == 0 }
+    Status := (false in Conditions) == false
 }
 #--
 
 #
 # Baseline GWS.DRIVEDOCS.1.6v0.2
 #--
-NonCompliantOUs1_6 contains OU if {
+NonCompliantOUs1_6 contains {
+    "Name":OU,
+    "Value": concat("", ["Access Checker allows users to share ",
+    "files to the public (no Google account required)"])
+    } if {
     some OU in utils.OUsWithEvents
-    Events := utils.FilterEvents(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS", OU)
+    Events := utils.FilterEventsOU(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS", OU)
+    count(Events) > 0
+    LastEvent := utils.GetLastEvent(Events)
+    contains("NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES INHERIT_FROM_PARENT",
+        LastEvent.NewValue) == false
+}
+
+NonCompliantGroups1_6 contains {
+    "Name":Group,
+    "Value": concat("", ["Access Checker allows users to share ",
+    "files to the public (no Google account required)"])
+    } if {
+    some Group in utils.GroupsWithEvents
+    Events := utils.FilterEventsGroup(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS", Group)
     count(Events) > 0
     LastEvent := utils.GetLastEvent(Events)
-    contains("NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES INHERIT_FROM_PARENT", LastEvent.NewValue) == false
+    contains("NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES INHERIT_FROM_PARENT",
+        LastEvent.NewValue) == false
 }
 
 tests contains {
@@ -256,31 +414,56 @@ tests contains {
 }
 if {
     DefaultSafe := false
-    Events := utils.FilterEvents(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS",utils.TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS",utils.TopLevelOU)
     count(Events) == 0
 }
 
 tests contains {
     "PolicyId": "GWS.DRIVEDOCS.1.6v0.2",
     "Criticality": "Shall",
-    "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs1_6),
-    "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_6},
+    "ReportDetails": utils.ReportDetails(NonCompliantOUs1_6, NonCompliantGroups1_6),
+    "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_6,
+        "NonCompliantGroups": NonCompliantGroups1_6},
     "RequirementMet": Status,
     "NoSuchEvent": false
 }
 if {
-    Events := utils.FilterEvents(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS", utils.TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents, "SHARING_ACCESS_CHECKER_OPTIONS", utils.TopLevelOU)
     count(Events) > 0
-    Status := count(NonCompliantOUs1_6) == 0
+    Conditions := {count(NonCompliantOUs1_6) == 0, count(NonCompliantGroups1_6) == 0 }
+    Status := (false in Conditions) == false
 }
 #--
 
 #
 # Baseline GWS.DRIVEDOCS.1.7v0.2
 #--
-NonCompliantOUs1_7 contains OU if {
+GetFriendlyValue1_7(Value):= "Setting is compliant." if {
+    Value == "CROSS_DOMAIN_MOVES_BLOCKED"
+} else := "Only users inside the organization can distribute content outside of the organization" if {
+    Value == "CROSS_DOMAIN_FROM_INTERNAL_ONLY"
+} else := "Anyone can distribute content in the organization to outside the organization" if {
+    Value == "CROSS_DOMAIN_FROM_INTERNAL_OR_EXTERNAL"
+} else := Value
+
+NonCompliantOUs1_7 contains {
+    "Name": OU,
+    "Value": GetFriendlyValue1_7(LastEvent.NewValue)
+    } if {
     some OU in utils.OUsWithEvents
-    Events := utils.FilterEvents(LogEvents, "SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS", OU)
+    Events := utils.FilterEventsOU(LogEvents, "SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS", OU)
+    count(Events) > 0
+    LastEvent := utils.GetLastEvent(Events)
+    SettingValue := "CROSS_DOMAIN_MOVES_BLOCKED INHERIT_FROM_PARENT"
+    contains(SettingValue, LastEvent.NewValue) == false
+}
+
+NonCompliantGroups1_7 contains {
+    "Name": Group,
+    "Value": GetFriendlyValue1_7(LastEvent.NewValue)
+    } if {
+    some Group in utils.GroupsWithEvents
+    Events := utils.FilterEventsGroup(LogEvents, "SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS", Group)
     count(Events) > 0
     LastEvent := utils.GetLastEvent(Events)
     SettingValue := "CROSS_DOMAIN_MOVES_BLOCKED INHERIT_FROM_PARENT"
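Review bot: The first branch of `GetFriendlyValue1_7`, which returns "Setting is compliant.", cannot be reached from its visible caller. `NonCompliantOUs1_7` only calls it after `contains(SettingValue, LastEvent.NewValue) == false` has excluded `CROSS_DOMAIN_MOVES_BLOCKED`. The same holds for the first two branches of `GetFriendlyValue1_4` and the "private to the owner." branch of `GetFriendlyValue1_8`. Either drop those branches or add a comment above each helper such as `# only called with non-compliant values; the compliant branch is kept for completeness`. `NonCompliantGroups1_7` continues past the end of this hunk, so its conditions are assumed to mirror the OU rule.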
@@ -297,31 +480,60 @@ tests contains {
 }
 if {
     DefaultSafe := false
-    Events := utils.FilterEvents(LogEvents, "SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS", utils.TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents, "SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS", utils.TopLevelOU)
     count(Events) == 0
 }
 
 tests contains {
     "PolicyId": "GWS.DRIVEDOCS.1.7v0.2",
     "Criticality": "Shall",
-    "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs1_7),
-    "ActualValue": {"NonComplaintOUs": NonCompliantOUs1_7},
+    "ReportDetails": utils.ReportDetails(NonCompliantOUs1_7, NonCompliantGroups1_7),
+    "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_7, "NonCompliantGroups": NonCompliantGroups1_7},
     "RequirementMet": Status,
     "NoSuchEvent": false
 }
 if {
-    Events := utils.FilterEvents(LogEvents, "SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS", utils.TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents, "SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS", utils.TopLevelOU)
     count(Events) > 0
-    Status := count(NonCompliantOUs1_7) == 0
+    Conditions := {count(NonCompliantOUs1_7) == 0, count(NonCompliantGroups1_7) == 0 }
+    Status := (false in Conditions) == false
 }
 #--
 
 #
 # Baseline GWS.DRIVEDOCS.1.8v0.2
 #--
-NonCompliantOUs1_8 contains OU if {
+
+GetFriendlyValue1_8(Value):= "private to the owner." if {
+    Value == "PRIVATE"
+} else := "The primary target audience can access the item if they have the link" if {
+    Value == "PEOPLE_WITH_LINK"
+} else := "The primary target audience can search and find the item." if {
+    Value == "PUBLIC"
+} else := Value
+
+
+NonCompliantOUs1_8 contains {
+    "Name": OU,
+    "Value": concat("", ["When users create items, the default access is set to: ",
+        GetFriendlyValue1_8(LastEvent.NewValue)])
+} if {
     some OU in utils.OUsWithEvents
-    Events := utils.FilterEvents(LogEvents, "DEFAULT_LINK_SHARING_FOR_NEW_DOCS", OU)
+    Events := utils.FilterEventsOU(LogEvents, "DEFAULT_LINK_SHARING_FOR_NEW_DOCS", OU)
+    count(Events) > 0
+    LastEvent := utils.GetLastEvent(Events)
+    LastEvent.NewValue != "PRIVATE"
+    LastEvent.NewValue != "INHERIT_FROM_PARENT"
+}
+
+
+NonCompliantGroups1_8 contains {
+    "Name": Group,
+    "Value": concat("", ["When users create items, the default access is set to: ",
+        GetFriendlyValue1_8(LastEvent.NewValue)])
+} if {
+    some Group in utils.GroupsWithEvents
+    Events := utils.FilterEventsGroup(LogEvents, "DEFAULT_LINK_SHARING_FOR_NEW_DOCS", Group)
     count(Events) > 0
     LastEvent := utils.GetLastEvent(Events)
     LastEvent.NewValue != "PRIVATE"
@@ -338,22 +550,23 @@ tests contains {
 }
 if {
     DefaultSafe := false
-    Events := utils.FilterEvents(LogEvents, "DEFAULT_LINK_SHARING_FOR_NEW_DOCS",utils.TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents, "DEFAULT_LINK_SHARING_FOR_NEW_DOCS", utils.TopLevelOU)
     count(Events) == 0
 }
 
 tests contains {
     "PolicyId": "GWS.DRIVEDOCS.1.8v0.2",
     "Criticality": "Shall",
-    "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs1_8),
-    "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_8},
+    "ReportDetails": utils.ReportDetails(NonCompliantOUs1_8, NonCompliantGroups1_8),
+    "ActualValue": {"NonCompliantOUs": NonCompliantOUs1_8, "NonCompliantGroups": NonCompliantGroups1_8},
     "RequirementMet": Status,
     "NoSuchEvent": false
 }
 if {
-    Events := utils.FilterEvents(LogEvents, "DEFAULT_LINK_SHARING_FOR_NEW_DOCS", utils.TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents, "DEFAULT_LINK_SHARING_FOR_NEW_DOCS", utils.TopLevelOU)
     count(Events) > 0
-    Status := count(NonCompliantOUs1_8) == 0
+    Conditions := {count(NonCompliantOUs1_8) == 0, count(NonCompliantGroups1_8) == 0 }
+    Status := (false in Conditions) == false
 }
 #--
 
@@ -364,9 +577,24 @@ if {
 #
 # Baseline GWS.DRIVEDOCS.2.1v0.2
 #--
-NonCompliantOUs2_1 contains OU if {
+NonCompliantOUs2_1 contains {
+    "Name": OU,
+    "Value": "Members with manager access can override shared drive settings."
+    } if {
     some OU in utils.OUsWithEvents
-    Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_admin_only", OU)
+    Events := utils.FilterEventsOU(LogEvents, "Shared Drive Creation new_team_drive_admin_only", OU)
+    count(Events) > 0
+    LastEvent := utils.GetLastEvent(Events)
+    contains("true", LastEvent.NewValue) == false
+    LastEvent.NewValue != "DELETE_APPLICATION_SETTING"
+}
+
+NonCompliantGroups2_1 contains {
+    "Name": Group,
+    "Value": "Members with manager access can override shared drive settings."
+    } if {
+    some Group in utils.GroupsWithEvents
+    Events := utils.FilterEventsGroup(LogEvents, "Shared Drive Creation new_team_drive_admin_only", Group)
     count(Events) > 0
     LastEvent := utils.GetLastEvent(Events)
     contains("true", LastEvent.NewValue) == false
@@ -383,31 +611,49 @@ tests contains {
 }
 if {
     DefaultSafe := false
-    Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_admin_only", utils.TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents, "Shared Drive Creation new_team_drive_admin_only", utils.TopLevelOU)
     count(Events) == 0
 }
 
 tests contains {
     "PolicyId": "GWS.DRIVEDOCS.2.1v0.2",
     "Criticality": "Should",
-    "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs2_1),
-    "ActualValue": {"NonComplaintOUs": NonCompliantOUs2_1},
+    "ReportDetails": utils.ReportDetails(NonCompliantOUs2_1, NonCompliantGroups2_1),
+    "ActualValue": {"NonCompliantOUs": NonCompliantOUs2_1, "NonCompliantGroups": NonCompliantGroups2_1},
     "RequirementMet": Status,
     "NoSuchEvent": false
 }
 if {
-    Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_admin_only", utils.TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents, "Shared Drive Creation new_team_drive_admin_only", utils.TopLevelOU)
     count(Events) > 0
-    Status := count(NonCompliantOUs2_1) == 0
+    Conditions := {count(NonCompliantOUs2_1) == 0, count(NonCompliantGroups2_1) == 0 }
+    Status := (false in Conditions) == false
 }
 #--
 
 #
 # Baseline GWS.DRIVEDOCS.2.2v0.2
 #--
-NonCompliantOUs2_2 contains OU if {
+NonCompliantOUs2_2 contains {
+    "Name": OU,
+    "Value": "Users outside the organization can access files in shared drives"
+    } if {
     some OU in utils.OUsWithEvents
-    Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_restricts_cross_domain_access", OU)
+    Events := utils.FilterEventsOU(LogEvents,
+        "Shared Drive Creation new_team_drive_restricts_cross_domain_access", OU)
+    count(Events) > 0
+    LastEvent := utils.GetLastEvent(Events)
+    contains("true", LastEvent.NewValue) == false
+    LastEvent.NewValue != "DELETE_APPLICATION_SETTING"
+}
+
+NonCompliantGroups2_2 contains {
+    "Name": Group,
+    "Value": "Users outside the organization can access files in shared drives"
+    } if {
+    some Group in utils.GroupsWithEvents
+    Events := utils.FilterEventsGroup(LogEvents,
+        "Shared Drive Creation new_team_drive_restricts_cross_domain_access", Group)
     count(Events) > 0
     LastEvent := utils.GetLastEvent(Events)
     contains("true", LastEvent.NewValue) == false
@@ -425,38 +671,56 @@ tests contains {
 if {
     DefaultSafe := false
     SettingName := "Shared Drive Creation new_team_drive_restricts_cross_domain_access"
-    Events := utils.FilterEvents(LogEvents, SettingName, utils.TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU)
     count(Events) == 0
 }
 
 tests contains {
     "PolicyId": "GWS.DRIVEDOCS.2.2v0.2",
     "Criticality": "Should",
-    "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs2_2),
-    "ActualValue": {"NonComplaintOUs": NonCompliantOUs2_2},
+    "ReportDetails": utils.ReportDetails(NonCompliantOUs2_2, NonCompliantGroups2_2),
+    "ActualValue": {"NonCompliantOUs": NonCompliantOUs2_2, "NonCompliantGroups": NonCompliantGroups2_2},
     "RequirementMet": Status,
     "NoSuchEvent": false
 }
 if {
     SettingName := "Shared Drive Creation new_team_drive_restricts_cross_domain_access"
-    Events := utils.FilterEvents(LogEvents, SettingName, utils.TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU)
     count(Events) > 0
-    Status := count(NonCompliantOUs2_2) == 0
+    Conditions := {count(NonCompliantOUs2_2) == 0, count(NonCompliantGroups2_2) == 0 }
+    Status := (false in Conditions) == false
 }
 #--
 
 #
 # Baseline GWS.DRIVEDOCS.2.3v0.2
 #--
-NonCompliantOUs2_3 contains OU if {
+NonCompliantOUs2_3 contains {
+    "Name": OU,
+    "Value": "People who aren't shared drive members can be added to files"
+    } if {
     some OU in utils.OUsWithEvents
-    Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_restricts_direct_access", OU)
+    Events := utils.FilterEventsOU(LogEvents,
+        "Shared Drive Creation new_team_drive_restricts_direct_access", OU)
+    count(Events) > 0
+    LastEvent := utils.GetLastEvent(Events)
+    contains("true", LastEvent.NewValue) == false
+    LastEvent.NewValue != "DELETE_APPLICATION_SETTING"
+}
+NonCompliantGroups2_3 contains {
+    "Name": Group,
+    "Value": "People who aren't shared drive members can be added to files"
+    } if {
+    some Group in utils.GroupsWithEvents
+    Events := utils.FilterEventsGroup(LogEvents,
+        "Shared Drive Creation new_team_drive_restricts_direct_access", Group)
     count(Events) > 0
     LastEvent := utils.GetLastEvent(Events)
     contains("true", LastEvent.NewValue) == false
     LastEvent.NewValue != "DELETE_APPLICATION_SETTING"
 }
 
+
 tests contains {
     "PolicyId": "GWS.DRIVEDOCS.2.3v0.2",
     "Criticality": "Shall",
@@ -468,35 +732,54 @@ tests contains {
 if {
     DefaultSafe := false
     SettingName := "Shared Drive Creation new_team_drive_restricts_direct_access"
-    Events := utils.FilterEvents(LogEvents, SettingName, utils.TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU)
     count(Events) == 0
 }
 
 tests contains {
     "PolicyId": "GWS.DRIVEDOCS.2.3v0.2",
     "Criticality": "Shall",
-    "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs2_3),
-    "ActualValue": {"NonComplaintOUs": NonCompliantOUs2_3},
+    "ReportDetails": utils.ReportDetails(NonCompliantOUs2_3, NonCompliantGroups2_3),
+    "ActualValue": {"NonCompliantOUs": NonCompliantOUs2_3,
+        "NonCompliantGroups": NonCompliantGroups2_3},
     "RequirementMet": Status,
     "NoSuchEvent": false
 }
 if {
     SettingName := "Shared Drive Creation new_team_drive_restricts_direct_access"
-    Events := utils.FilterEvents(LogEvents, SettingName, utils.TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents, SettingName, utils.TopLevelOU)
     count(Events) > 0
-    Status := count(NonCompliantOUs2_3) == 0
+     Conditions := {count(NonCompliantOUs2_3) == 0, count(NonCompliantGroups2_3) == 0 }
+    Status := (false in Conditions) == false
 }
 #--
 
 #
 # Baseline GWS.DRIVEDOCS.2.4v0.2
 #--
-NonCompliantOUs2_4 contains OU if {
+NonCompliantOUs2_4 contains {
+    "Name": OU,
+    "Value": "Viewers and commenters are allowed to download, print, and copy files"
+    } if {
     some OU in utils.OUsWithEvents
-    Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_restricts_download", OU)
+    Events := utils.FilterEventsOU(LogEvents,
+        "Shared Drive Creation new_team_drive_restricts_download", OU)
+    count(Events) > 0
+    LastEvent := utils.GetLastEvent(Events)
+    contains("false", LastEvent.NewValue) == true
+    LastEvent.NewValue != "DELETE_APPLICATION_SETTING"
+}
+
+NonCompliantGroups2_4 contains {
+    "Name": Group,
+    "Value": "Viewers and commenters are allowed to download, print, and copy files"
+    } if {
+    some Group in utils.GroupsWithEvents
+    Events := utils.FilterEventsGroup(LogEvents,
+        "Shared Drive Creation new_team_drive_restricts_download", Group)
     count(Events) > 0
     LastEvent := utils.GetLastEvent(Events)
-    contains("false", LastEvent.NewValue) == false
+    contains("false", LastEvent.NewValue) == true
     LastEvent.NewValue != "DELETE_APPLICATION_SETTING"
 }
 
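Review bot: The last condition of the 2.4 rules flips from `contains("false", LastEvent.NewValue) == false` to `== true`, which reverses which OUs and groups are flagged, but nothing in the file or the commit description records why. Judging by the "Value" text, "false" presumably means the download restriction is off; a comment above the check, for example `# "false" = restriction disabled, so viewers and commenters can download, print and copy`, would keep the polarity from being flipped back later. A unit test for 2.4 that covers both `"true"` and `"false"` as the last event would pin the corrected behaviour.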
@@ -510,22 +793,26 @@ tests contains {
 }
 if {
     DefaultSafe := false
-    Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_restricts_download", utils.TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents,
+        "Shared Drive Creation new_team_drive_restricts_download", utils.TopLevelOU)
     count(Events) == 0
 }
 
 tests contains {
     "PolicyId": "GWS.DRIVEDOCS.2.4v0.2",
     "Criticality": "Shall",
-    "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs2_4),
-    "ActualValue": {"NonComplaintOUs": NonCompliantOUs2_4},
+    "ReportDetails": utils.ReportDetails(NonCompliantOUs2_4, NonCompliantGroups2_4),
+    "ActualValue": {"NonCompliantOUs": NonCompliantOUs2_4,
+        "NonCompliantGroups": NonCompliantGroups2_4},
     "RequirementMet": Status,
     "NoSuchEvent": false
 }
 if {
-    Events := utils.FilterEvents(LogEvents, "Shared Drive Creation new_team_drive_restricts_download", utils.TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents,
+        "Shared Drive Creation new_team_drive_restricts_download", utils.TopLevelOU)
     count(Events) > 0
-    Status := count(NonCompliantOUs2_4) == 0
+    Conditions := {count(NonCompliantOUs2_4) == 0, count(NonCompliantGroups2_4) == 0 }
+    Status := (false in Conditions) == false
 }
 #--
 
@@ -540,25 +827,38 @@ if {
 NoSuchEvent3_1(TopLevelOU) := true if {
     # No such event...
     SettingName := "Link Security Update Settings allow_less_secure_link_user_restore"
-    Events_A := utils.FilterEvents(LogEvents, SettingName, TopLevelOU)
+    Events_A := utils.FilterEventsOU(LogEvents, SettingName, TopLevelOU)
     count(Events_A) == 0
 }
 
 NoSuchEvent3_1(TopLevelOU) := true if {
     # No such event...
-    Events := utils.FilterEvents(LogEvents, "Link Security Update Settings less_secure_link_option", TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents,
+        "Link Security Update Settings less_secure_link_option", TopLevelOU)
     count(Events) == 0
 }
 
 default NoSuchEvent3_1(_) := false
 
-NonCompliantOUs3_1 contains OU if {
+GetFriendlyValue3_1(Value_B, Value_A) :=
+"The security update is removed from all impacted files" if {
+    Value_B == "REQUIRE_LESS_SECURE_LINKS"
+}
+else := "Users are allowed to remove/apply the security update for files they own or manage" if {
+    Value_A == "true"
+}
+NonCompliantOUs3_1 contains {
+    "Name": OU,
+    "Value": GetFriendlyValue3_1(LastEvent_B.NewValue, LastEvent_A.NewValue)
+    } if {
     some OU in utils.OUsWithEvents
-    Events_A := utils.FilterEvents(LogEvents, "Link Security Update Settings allow_less_secure_link_user_restore", OU)
+    Events_A := utils.FilterEventsOU(LogEvents,
+        "Link Security Update Settings allow_less_secure_link_user_restore", OU)
     count(Events_A) > 0
     LastEvent_A := utils.GetLastEvent(Events_A)
 
-    Events_B := utils.FilterEvents(LogEvents, "Link Security Update Settings less_secure_link_option", OU)
+    Events_B := utils.FilterEventsOU(LogEvents,
+        "Link Security Update Settings less_secure_link_option", OU)
     count(Events_B) > 0
     LastEvent_B := utils.GetLastEvent(Events_B)
 
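Review bot: `GetFriendlyValue3_1` has no final `else`, so it is undefined whenever `Value_B` is not "REQUIRE_LESS_SECURE_LINKS" and `Value_A` is not "true". It is evaluated in the head of `NonCompliantOUs3_1`, so an undefined result drops that OU from the set and the report would show it as compliant. The remaining conditions of the rule body are outside this hunk, so whether such a combination can reach the head cannot be confirmed from here. A fallback in the style of `GetFriendlyValue1_7`, for instance `else := concat("", ["Unrecognized values: ", Value_B, ", ", Value_A])`, would make the helper total and keep unexpected values visible.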
@@ -584,8 +884,8 @@ if {
 tests contains {
     "PolicyId": "GWS.DRIVEDOCS.3.1v0.2",
     "Criticality": "Shall",
-    "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs3_1),
-    "ActualValue" : {"NonComplaintOUs": NonCompliantOUs3_1},
+    "ReportDetails": utils.ReportDetails(NonCompliantOUs3_1, []),
+    "ActualValue" : {"NonCompliantOUs": NonCompliantOUs3_1},
     "RequirementMet": Status,
     "NoSuchEvent": false
 }
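Review bot: 3.1 is the only policy in this file that passes a literal `[]` as the group argument to `utils.ReportDetails` and has no `NonCompliantGroups3_1` rule, and nothing explains the omission. If the link security update settings cannot be overridden per group, say so in a comment such as `# no group-level override exists for this setting; only OUs are evaluated`. Otherwise group overrides go unchecked here. Every other call site passes a set, so `set()` would be the more consistent empty value, assuming `ReportDetails` (defined outside this diff) does not depend on the type.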
@@ -602,15 +902,29 @@ if {
 #
 # Baseline GWS.DRIVEDOCS.4.1v0.2
 #--
-NonCompliantOUs4_1 contains OU if {
+NonCompliantOUs4_1 contains {
+    "Name": OU,
+    "Value": "Drive SDK is enabled"
+}
+if {
     some OU in utils.OUsWithEvents
-    Events := utils.FilterEvents(LogEvents, "ENABLE_DRIVE_APPS", OU)
+    Events := utils.FilterEventsOU(LogEvents, "ENABLE_DRIVE_APPS", OU)
+    count(Events) > 0
+    LastEvent := utils.GetLastEvent(Events)
+    LastEvent.NewValue != "false"
+    LastEvent.NewValue != "INHERIT_FROM_PARENT"
+}
+NonCompliantGroups4_1 contains {
+    "Name": Group,
+    "Value": "Drive SDK is enabled"
+} if {
+    some Group in utils.GroupsWithEvents
+    Events := utils.FilterEventsGroup(LogEvents, "ENABLE_DRIVE_APPS", Group)
     count(Events) > 0
     LastEvent := utils.GetLastEvent(Events)
     LastEvent.NewValue != "false"
     LastEvent.NewValue != "INHERIT_FROM_PARENT"
 }
-
 tests contains {
     "PolicyId": "GWS.DRIVEDOCS.4.1v0.2",
     "Criticality": "Should",
@@ -621,7 +935,7 @@ tests contains {
 }
 if {
     DefaultSafe := false
-    Events := utils.FilterEvents(LogEvents, "ENABLE_DRIVE_APPS", utils.TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents, "ENABLE_DRIVE_APPS", utils.TopLevelOU)
     count(Events) == 0
 
 }
@@ -629,16 +943,18 @@ if {
 tests contains {
     "PolicyId": "GWS.DRIVEDOCS.4.1v0.2",
     "Criticality": "Should",
-    "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs4_1),
-    "ActualValue": {"NonComplaintOUs": NonCompliantOUs4_1},
+    "ReportDetails": utils.ReportDetails(NonCompliantOUs4_1, NonCompliantGroups4_1),
+    "ActualValue": {"NonCompliantOUs": NonCompliantOUs4_1, "NonCompliantGroups": NonCompliantGroups4_1},
     "RequirementMet": Status,
     "NoSuchEvent": false
 }
 if {
-    Events := utils.FilterEvents(LogEvents, "ENABLE_DRIVE_APPS", utils.TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents, "ENABLE_DRIVE_APPS", utils.TopLevelOU)
     count(Events) > 0
-    Status := count(NonCompliantOUs4_1) == 0
+    Conditions := {count(NonCompliantOUs4_1) == 0, count(NonCompliantGroups4_1) == 0}
+    Status := (false in Conditions) == false
 }
+
 #--
 
 
@@ -649,15 +965,29 @@ if {
 #
 # Baseline GWS.DRIVEDOCS.5.1v0.2
 #--
-NonCompliantOUs5_1 contains OU if {
+NonCompliantOUs5_1 contains {
+    "Name": OU,
+    "Value": "Users can install Google Docs add-ons from add-ons store."
+    } if {
     some OU in utils.OUsWithEvents
-    Events := utils.FilterEvents(LogEvents, "ENABLE_DOCS_ADD_ONS", OU)
+    Events := utils.FilterEventsOU(LogEvents, "ENABLE_DOCS_ADD_ONS", OU)
     count(Events) > 0
     LastEvent := utils.GetLastEvent(Events)
     LastEvent.NewValue != "false"
     LastEvent.NewValue != "INHERIT_FROM_PARENT"
 }
 
+NonCompliantGroups5_1 contains {
+    "Name": Group,
+    "Value": "Users can install Google Docs add-ons from add-ons store."
+    } if {
+    some Group in utils.GroupsWithEvents
+    Events := utils.FilterEventsGroup(LogEvents, "ENABLE_DOCS_ADD_ONS", Group)
+    count(Events) > 0
+    LastEvent := utils.GetLastEvent(Events)
+    LastEvent.NewValue != "false"
+    LastEvent.NewValue != "INHERIT_FROM_PARENT"
+}
 tests contains {
     "PolicyId": "GWS.DRIVEDOCS.5.1v0.2",
     "Criticality": "Shall",
@@ -668,7 +998,7 @@ tests contains {
 }
 if {
     DefaultSafe := false
-    Events := utils.FilterEvents(LogEvents, "ENABLE_DOCS_ADD_ONS", utils.TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents, "ENABLE_DOCS_ADD_ONS", utils.TopLevelOU)
     count(Events) == 0
 
 }
@@ -676,15 +1006,17 @@ if {
 tests contains {
     "PolicyId": "GWS.DRIVEDOCS.5.1v0.2",
     "Criticality": "Shall",
-    "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs5_1),
-    "ActualValue": {"NonComplaintOUs": NonCompliantOUs5_1},
+    "ReportDetails": utils.ReportDetails(NonCompliantOUs5_1, NonCompliantGroups5_1),
+    "ActualValue": {"NonCompliantOUs": NonCompliantOUs5_1,
+        "NonCompliantGroups": NonCompliantGroups5_1},
     "RequirementMet": Status,
     "NoSuchEvent": false
 }
 if {
-    Events := utils.FilterEvents(LogEvents, "ENABLE_DOCS_ADD_ONS", utils.TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents, "ENABLE_DOCS_ADD_ONS", utils.TopLevelOU)
     count(Events) > 0
-    Status := count(NonCompliantOUs5_1) == 0
+    Conditions := {count(NonCompliantOUs5_1) == 0, count(NonCompliantGroups5_1) == 0 }
+    Status := (false in Conditions) == false
 }
 #--
 
@@ -697,33 +1029,73 @@ if {
 #--
 default NoSuchEvent6_1(_) := true
 
+GetFriendlyValue6_1(Value_B, Value_A) :=
+"Drive for Desktop is enabled, but can be used on any device." if {
+    Value_B == "false"
+}
+else := "Drive for Desktop is disabled" if {
+    Value_A == "false"
+}
+else := "Drive for Desktop is enabled, and only on approved devices." if {
+    Value_A == "true"
+}
 NoSuchEvent6_1(TopLevelOU) := false if {
-    Events := utils.FilterEvents(LogEvents, "DriveFsSettingsProto drive_fs_enabled", TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents,
+        "DriveFsSettingsProto drive_fs_enabled", TopLevelOU)
     count(Events) != 0
 }
 
 NoSuchEvent6_1(TopLevelOU) := false if {
     # No such event...
-    Events := utils.FilterEvents(LogEvents, "DriveFsSettingsProto company_owned_only_enabled", TopLevelOU)
+    Events := utils.FilterEventsOU(LogEvents,
+        "DriveFsSettingsProto company_owned_only_enabled", TopLevelOU)
     count(Events) != 0
 }
 
-NonCompliantOUs6_1 contains OU if {
+NonCompliantOUs6_1 contains {
+    "Name": OU,
+    "Value": GetFriendlyValue6_1(LastEvent_B.NewValue, LastEvent_A.NewValue)
+    } if {
     some OU in utils.OUsWithEvents
-    Events_A := utils.FilterEvents(LogEvents, "DriveFsSettingsProto drive_fs_enabled", OU)
+    Events_A := utils.FilterEventsOU(LogEvents,
+        "DriveFsSettingsProto drive_fs_enabled", OU)
     count(Events_A) > 0
     LastEvent_A := utils.GetLastEvent(Events_A)
     LastEvent_A.NewValue != "DELETE_APPLICATION_SETTING"
 
-    Events_B := utils.FilterEvents(LogEvents, "DriveFsSettingsProto company_owned_only_enabled", OU)
+    Events_B := utils.FilterEventsOU(LogEvents,
+        "DriveFsSettingsProto company_owned_only_enabled", OU)
     count(Events_B) > 0
     LastEvent_B := utils.GetLastEvent(Events_B)
     LastEvent_B.NewValue != "DELETE_APPLICATION_SETTING"
 
-    true in {
-        LastEvent_A.NewValue != "true",
-        LastEvent_B.NewValue != "true"
-    }
+
+    LastEvent_A.NewValue == "true"
+    LastEvent_B.NewValue != "true"
+
+}
+
+NonCompliantGroups6_1 contains {
+    "Name": Group,
+    "Value": GetFriendlyValue6_1(LastEvent_B.NewValue, LastEvent_A.NewValue)
+    } if {
+    some Group in utils.GroupsWithEvents
+    Events_A := utils.FilterEventsGroup(LogEvents,
+        "DriveFsSettingsProto drive_fs_enabled", Group)
+    count(Events_A) > 0
+    LastEvent_A := utils.GetLastEvent(Events_A)
+    LastEvent_A.NewValue != "DELETE_APPLICATION_SETTING"
+
+    Events_B := utils.FilterEventsGroup(LogEvents,
+        "DriveFsSettingsProto company_owned_only_enabled", Group)
+    count(Events_B) > 0
+    LastEvent_B := utils.GetLastEvent(Events_B)
+    LastEvent_B.NewValue != "DELETE_APPLICATION_SETTING"
+ 
+    LastEvent_A.NewValue == "true"
+    LastEvent_B.NewValue != "true"
+
+
 }
 
 tests contains {
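Review bot: `GetFriendlyValue6_1` can label a non-compliant entry as "Drive for Desktop is enabled, and only on approved devices." Both new rules require `LastEvent_A.NewValue == "true"` and `LastEvent_B.NewValue != "true"`, so the "disabled" branch never fires. Any `Value_B` other than "false" that passes the `DELETE_APPLICATION_SETTING` filter falls through to the third branch, which contradicts the finding. Whether such values occur in the logs is not visible here. Changing the first condition to `Value_B != "true"` would make the message match the rule for every value it accepts.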
@@ -742,14 +1114,15 @@ if {
 tests contains {
     "PolicyId": "GWS.DRIVEDOCS.6.1v0.2",
     "Criticality": "Should",
-    "ReportDetails": utils.ReportDetailsOUs(NonCompliantOUs6_1),
-    "ActualValue" : {"NonComplaintOUs": NonCompliantOUs6_1},
+    "ReportDetails": utils.ReportDetails(NonCompliantOUs6_1, NonCompliantGroups6_1),
+    "ActualValue" : {"NonCompliantOUs": NonCompliantOUs6_1, "NonCompliantGroups": NonCompliantGroups6_1},
     "RequirementMet": Status,
     "NoSuchEvent": false
 }
 if {
     not NoSuchEvent6_1(utils.TopLevelOU)
-    Status := count(NonCompliantOUs6_1) == 0
+    Conditions := {count(NonCompliantOUs6_1) == 0, count(NonCompliantGroups6_1) == 0}
+    Status := (false in Conditions) == false
 }
 #--
 
diff --git a/scubagoggles/provider.py b/scubagoggles/provider.py
index 270bc4a0..79f4597e 100644
--- a/scubagoggles/provider.py
+++ b/scubagoggles/provider.py
@@ -42,6 +42,7 @@
         'CHANGE_DATA_LOCALIZATION_FOR_RUSSIA'
     ],
     'drive': [
+        'CREATE_APPLICATION_SETTING',
         'CHANGE_APPLICATION_SETTING',
         'CHANGE_DOCS_SETTING',
         'DELETE_APPLICATION_SETTING'