By: Owen Dubiel
July 14, 2021
Gsuite Logging Details
Gsuite is widely used as both a professional and personal online computing source. Google is considered one of the three biggest competitors in the race for cloud domination. Google Cloud offers a wide range of tools, resources, and applications to help make day-to-day work life as stress-free and productive as possible. From a security standpoint, you must have proper visibility and control over your Google Workspace instance to ensure no nefarious activity occurs within your cloud environment. This article will cover the basics of the built-in visibility that comes native with Google Workspace logging. Whether you are an administrator trying to troubleshoot an access issue or a security analyst who needs to bring better visibility into your Security Information and Event Management (SIEM) solution, Google Workspace has you covered.
Within the admin logs provided by Google, you will see any administrative actions taken within the instance. The following are some examples of events that can be observed when ingesting this type of event:
- Change Password
- Change User Organization
- Email Log Search
- Remove Group Member
- Action Requested
- Change User Relation
- Create User
- Add Group Member
- Toggle Content Sharing
- Move User to Organization Unit
- Customer User Device Deletion Event
- Create Data Transfer Request
- Suspend User
The above events are only a handful of the possibilities. A majority of the actions will fall under the type field of "Group Settings" or "User Settings," making it easy to filter for specific events that may be actionable.
The logging contained within audit groups includes both administrative and moderator-level actions taken within Google Workspace groups. Examples include when a moderator "adds" or "removes" a user from a group. The information contained in these logs consists of both parties' email addresses and supporting details such as the timestamp, domain, and a unique ETag ID.
From a security perspective, this can help detect trends of someone potentially attempting to move laterally and escalate privileges across different accounts as they go. A great way to see this is to ensure a proper change control procedure exists for these actions; anything outside of this procedure should be investigated.
As might be expected, Google Workspace provides different information within its login logs, including successes, failures, challenges, logouts, and verifications. Ingesting these logs into a SIEM solution will provide enrichment when correlating timelines while tracking down lateral movement or possible password spray attacks.
Mobile logging provides a plethora of data around device activity for Google-registered devices. For example, any device registered under the Google MDM for your domain will offer the following bits of information:
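As an added example (not code from the original article), the Python below runs the two detections just described over constructed sample records: group-membership changes with no entry in a change-control register, and a password-spray pattern in the login logs (one source IP failing against many distinct accounts in a short window). The record layout (id.time, actor.email, ipAddress, events[].name and parameters) is modelled on Reports API activity entries and is an assumption here, as are the sample addresses and the hypothetical APPROVED_CHANGES register.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _rec(time, app, actor, ip, etype, name, **params):
    return {"id": {"time": time, "applicationName": app}, "actor": {"email": actor},
            "ipAddress": ip, "events": [{"type": etype, "name": name,
            "parameters": [{"name": k, "value": v} for k, v in params.items()]}]}

# Constructed sample data shaped like Reports API activity entries (layout assumed):
# one approved membership change, one self-granted add to a privileged group, and
# six failed logins from a single IP within one minute.
SAMPLE_EVENTS = [
    _rec("2021-07-14T09:00:00Z", "admin", "it-admin@example.com", "203.0.113.5",
         "GROUP_SETTINGS", "ADD_GROUP_MEMBER", GROUP_EMAIL="finance@example.com",
         USER_EMAIL="bob@example.com"),
    _rec("2021-07-14T09:05:00Z", "admin", "alice@example.com", "203.0.113.9",
         "GROUP_SETTINGS", "ADD_GROUP_MEMBER", GROUP_EMAIL="gcp-owners@example.com",
         USER_EMAIL="alice@example.com"),
] + [_rec(f"2021-07-14T10:00:{s:02d}Z", "login", f"user{s}@example.com",
          "198.51.100.7", "login", "login_failure") for s in range(6)]
# Hypothetical change-control register: (actor, group) pairs with an approved ticket.
APPROVED_CHANGES = {("it-admin@example.com", "finance@example.com")}

def _param(event, name):
    return next((p["value"] for p in event["parameters"] if p["name"] == name), None)

def unapproved_group_changes(records, approved=APPROVED_CHANGES):
    """Group add/remove events whose (actor, group) pair has no approval on file."""
    return [(rec["actor"]["email"], _param(ev, "GROUP_EMAIL"), _param(ev, "USER_EMAIL"))
            for rec in records for ev in rec["events"]
            if ev["name"] in ("ADD_GROUP_MEMBER", "REMOVE_GROUP_MEMBER")
            and (rec["actor"]["email"], _param(ev, "GROUP_EMAIL")) not in approved]

def password_spray_sources(records, min_users=5, window=timedelta(minutes=10)):
    """Source IPs with login_failure against >= min_users distinct accounts in one window."""
    failures = defaultdict(list)  # ip -> [(time, account)]
    for rec in records:
        if any(ev["name"] == "login_failure" for ev in rec["events"]):
            t = datetime.strptime(rec["id"]["time"], "%Y-%m-%dT%H:%M:%SZ")
            failures[rec["ipAddress"]].append((t, rec["actor"]["email"]))
    flagged = {}
    for ip, items in failures.items():
        items.sort()  # sliding window anchored at each failure, counting distinct accounts
        for i, (start, _) in enumerate(items):
            users = {acct for t, acct in items[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = len(users)
                break
    return flagged
```

Feeding real exports means swapping SAMPLE_EVENTS for the records your SIEM already holds; the thresholds are the tuning knobs a baseline should set.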
- Device ID
- Serial Number
- Device Type
- Resource ID
- Device Model
- User Email
- Device Sync Event
- OS Version
- Last Sync Date
- Device Updates
Mobile Google Workspace logging provides administrators with the ability to troubleshoot or manage device inventory. From a security perspective, having a solid asset inventory is essential in ensuring only authorized devices are being used for enterprise solutions.
This is where security benefits most from Google Workspace logging: the audit rules provide an in-depth look into the Data Loss Prevention (DLP) rules that Google Workspace has in place for Gmail. There is a ton of data surrounding each event, but the most important step is to tie the email in question to the predefined DLP rule being enforced. Searching on these two metrics together will give an accurate baseline of what is actively being blocked by Google Workspace and what requires additional rules to cover.
The token logs show the different automated authentications that happen within Google Workspace for users. For example, if a user is already logged in to Google Workspace and still has an active session when they open Google Drive, they won't be prompted to log in again. Instead, a token with an expiration will be used, which allows the user to authenticate as many times as they want within that timeframe.
A great use case for monitoring the token logs is looking for token abuse. It should be reasonably easy to baseline regular token activity; if an account exceeds what looks normal for a given timeframe, it may require further investigation to ensure that the user's credentials haven't been compromised.
The Google Drive logs provide typical logs around activity within a user's Drive account. Everything from file activity, sharing, and movement of files to permission changes on files/folders is fully logged. Google Drive gives security teams complete visibility to establish a File Integrity Monitoring (FIM) stance against all known and unknown threats that could be lurking.
Google Workspace logging is available natively for viewing or for ingestion into any SIEM service. Going to the cloud doesn't mean losing control or visibility over data or assets. For more information on how to best configure and use a SIEM service, check out what Cybrary has to offer to get the most out of a logging solution.