Skip to content

Google Workspace

Overview

Google Reports is a data reporting and analysis platform offered by Google for Google Workspace services, designed to provide insights and metrics about user activities and interactions within various Google services. It allows organizations to track and visualize user engagement, application usage, and other relevant data points, enabling informed decision-making and optimization of digital experiences.

Warning

Important note - This format is currently in beta. We highly value your feedback to improve its performance.

Supported applications

This integration can collect activities from the following GSuite applications:

  • admin to collect activities on the Admin console
  • calendar to collect events from Google calendar
  • chat to collect Chat activities
  • drive to supervise Google Drive events
  • gcp for the Google Cloud platform activiaties
  • groups to collect Google groups events
  • groups_entreprise to collect Entreprise groups events
  • jamboard to collect Jamboard activities
  • login to monitor authentication in Google applications
  • meet to supervise Google meet events
  • token for authentication supervision
  • user_accounts to monitor Users accounts activities
  • keep to supervices Google Keep activities

Limitation

Only activities from one applications can be collected from one playbook. To collect activities from several Google Application, create as many playbooks as applications to collect.

Benefit from SEKOIA.IO built-in rules and upgrade Google Report with the following detection capabilities out-of-the-box.

SEKOIA.IO x Google Report on ATT&CK Navigator

RTLO Character

Detects RTLO (Right-To-Left character) in file and process names.

  • Effort: elementary
SEKOIA.IO Intelligence Feed

Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.

  • Effort: elementary
WCE wceaux.dll Creation

Detects wceaux.dll creation while Windows Credentials Editor (WCE) is executed.

  • Effort: intermediate

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
GCP audit logs Google Cloud Audit contains logs from multiple Google Cloud source such as Google Workspace.

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind event
Category file
Type access, change, creation, deletion

Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.

{
    "message": "{\"kind\":\"audit#activity\",\"id\":{\"time\":\"2014-03-17T15:39:18.460Z\",\"uniqQualifier\":\"reports unique ID\",\"applicationName\":\"drive\",\"customerId\":\"ABC123xyz\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"kim@example.com\",\"profileId\":\"users unique Google Workspace profile ID\",\"key\":\"consumer key of requestor in an OAuth 2LO request\"},\"ownerDomain\":\"domain of the source owner\",\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":true},{\"name\":\"owner_team_drive_id\",\"value\":\"AAAAAALLLLLL\"},{\"name\":\"owner\",\"value\":\"RH \"},{\"name\":\"doc_id\",\"value\":\"5555763535\"},{\"name\":\"doc_type\",\"value\":\"folder\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Divers\"},{\"name\":\"visibility\",\"value\":\"shared_internally\"},{\"name\":\"shared_drive_id\",\"value\":\"112-EIUBHDIUBEBUD\"},{\"name\":\"originating_app_id\",\"value\":\"691301496089\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":true},{\"name\":\"team_drive_id\",\"value\":\"111-EIUBHDIUBEBUD\"}]}]}",
    "event": {
        "kind": "event",
        "category": [
            "file"
        ],
        "type": [
            "change"
        ],
        "action": "edit",
        "dataset": "audit#activity"
    },
    "@timestamp": "2014-03-17T15:39:18.460000Z",
    "user": {
        "id": "ABC123xyz",
        "email": "kim@example.com"
    },
    "google": {
        "report": {
            "actor": {
                "email": "kim@example.com"
            },
            "parameters": {
                "visibility": "shared_internally"
            }
        }
    },
    "network": {
        "application": "drive"
    },
    "source": {
        "ip": "1.2.3.4",
        "address": "1.2.3.4"
    },
    "file": {
        "gid": "AAAAAALLLLLL",
        "owner": "RH ",
        "type": "folder",
        "name": "Divers"
    },
    "related": {
        "user": [
            "RH "
        ],
        "ip": [
            "1.2.3.4"
        ]
    }
}

{
    "message": "{\"kind\":\"audit#activity\",\"id\":{\"time\":\"2014-03-17T15:39:18.460Z\",\"uniqQualifier\":\"reports unique ID\",\"applicationName\":\"drive\",\"customerId\":\"ABC123xyz\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"kim@example.com\",\"profileId\":\"users unique Google Workspace profile ID\",\"key\":\"consumer key of requestor in an OAuth 2LO request\"},\"ownerDomain\":\"domain of the source owner\",\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1DWuYM3ot_sAyEQqOz0xWJ9bVMSYzOmRNeBqbgtSwuK8\"},{\"name\":\"doc_title\",\"value\":\"Meeting notes\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"owner\",\"value\":\"mary@example.com\"}]}]}",
    "event": {
        "kind": "event",
        "category": [
            "file"
        ],
        "type": [
            "change"
        ],
        "action": "edit",
        "dataset": "audit#activity"
    },
    "@timestamp": "2014-03-17T15:39:18.460000Z",
    "user": {
        "id": "ABC123xyz",
        "email": "kim@example.com"
    },
    "google": {
        "report": {
            "actor": {
                "email": "kim@example.com"
            }
        }
    },
    "network": {
        "application": "drive"
    },
    "source": {
        "ip": "1.2.3.4",
        "address": "1.2.3.4"
    },
    "file": {
        "owner": "mary@example.com",
        "type": "document",
        "name": "Meeting notes"
    },
    "related": {
        "user": [
            "mary@example.com"
        ],
        "ip": [
            "1.2.3.4"
        ]
    }
}

{
    "message": "{\n  \"kind\": \"admin#reports#activity\",\n  \"id\": {\n    \"time\": \"2023-09-04T08:42:51.615Z\",\n    \"uniqueQualifier\": \"-2222222222222222222\",\n    \"applicationName\": \"drive\",\n    \"customerId\": \"111111111\"\n  },\n  \"actor\": {\n    \"email\": \"john.doe@example.org\",\n    \"profileId\": \"444444444444444444444\"\n  },\n  \"ipAddress\": \"1.2.3.4\",\n  \"events\": [\n    {\n      \"type\": \"access\",\n      \"name\": \"view\",\n      \"parameters\": [\n        {\n          \"name\": \"primary_event\",\n          \"boolValue\": true\n        },\n        {\n          \"name\": \"billable\",\n          \"boolValue\": true\n        },\n        {\n          \"name\": \"owner_is_shared_drive\",\n          \"boolValue\": true\n        },\n        {\n          \"name\": \"owner_team_drive_id\",\n          \"value\": \"DDD_111111111111111\"\n        },\n        {\n          \"name\": \"owner\",\n          \"value\": \"J.DOE\"\n        },\n        {\n          \"name\": \"doc_id\",\n          \"value\": \"333333333333333333333333333333333\"\n        },\n        {\n          \"name\": \"doc_type\",\n          \"value\": \"folder\"\n        },\n        {\n          \"name\": \"is_encrypted\",\n          \"boolValue\": false\n        },\n        {\n          \"name\": \"doc_title\",\n          \"value\": \"MyDocs\"\n        },\n        {\n          \"name\": \"visibility\",\n          \"value\": \"people_within_domain_with_link\"\n        },\n        {\n          \"name\": \"shared_drive_id\",\n          \"value\": \"DDD_222222222222222\"\n        },\n        {\n          \"name\": \"originating_app_id\",\n          \"value\": \"666666666666\"\n        },\n        {\n          \"name\": \"actor_is_collaborator_account\",\n          \"boolValue\": false\n        },\n        {\n          \"name\": \"owner_is_team_drive\",\n          \"boolValue\": true\n        },\n        {\n          \"name\": \"team_drive_id\",\n          \"value\": \"DDD_888888888888888\"\n        }\n      ]\n    }\n  ]\n}\n",
    "event": {
        "kind": "event",
        "category": [
            "file"
        ],
        "type": [
            "access"
        ],
        "action": "view",
        "dataset": "admin#reports#activity"
    },
    "@timestamp": "2023-09-04T08:42:51.615000Z",
    "user": {
        "id": "111111111"
    },
    "google": {
        "report": {
            "actor": {
                "email": "john.doe@example.org"
            },
            "parameters": {
                "visibility": "people_within_domain_with_link"
            }
        }
    },
    "network": {
        "application": "drive"
    },
    "source": {
        "ip": "1.2.3.4",
        "address": "1.2.3.4"
    },
    "file": {
        "gid": "DDD_111111111111111",
        "owner": "J.DOE",
        "type": "folder",
        "name": "MyDocs"
    },
    "related": {
        "user": [
            "J.DOE"
        ],
        "ip": [
            "1.2.3.4"
        ]
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
event.action keyword The action captured by the event.
event.category keyword Event category. The second categorization field in the hierarchy.
event.dataset keyword Name of the dataset.
event.kind keyword The kind of the event. The highest categorization field in the hierarchy.
event.type keyword Event type. The third categorization field in the hierarchy.
file.gid keyword Primary group ID (GID) of the file.
file.name keyword Name of the file including the extension, without the directory.
file.owner keyword File owner's username.
file.type keyword File type (file, dir, or symlink).
google.report.actor.email keyword Drive actor email
google.report.parameters.visibility keyword Visibility of the Drive item associated with the activity
network.application keyword Application level protocol name.
source.ip ip IP address of the source.
user.email keyword User email address.
user.id keyword Unique identifier of the user.

Configure

Prerequisites

  • Google licence Enterprise standard or higher
  • Access to Sekoia.io Intakes and Playbook pages with write permissions
  • Administrator access to the Google Cloud console

Create a dedicated service account

To create a service account you have to :

  • Create a project
  • Turn on the APIs for the service account
  • Set up the OAuth consent screen with the following scopes (see Choose Reports API scopes):
    • https://www.googleapis.com/auth/admin.reports.audit.readonly
    • https://www.googleapis.com/auth/admin.reports.usage.readonly
  • Create the service account

For more details in each steps please read this Documentation

Create and download JSON keys (service account credentials)

To use a service account from outside of Google Cloud, such as on Sekoia.io, you must first establish the identity of the service account. Public/private key pairs provide a secure way of accomplishing this goal. When you create a service account key, the public portion is stored on Google Cloud, while the private portion is available only to you.

Note

By default, service account keys never expire.

  1. Go to the Service accounts page
  2. Select your cloud project
  3. Click the email address of the service account that you want to create a key for
  4. Click the Keys tab
  5. Click the Add key drop-down menu, then select Create new key
  6. Select JSON as the Key type and click Create

Important

Clicking Create downloads a service account key file. After you download the key file, you cannot download it again. You will need it on the following steps on Sekoia.io.

Find more information on the official google documentation.

Example of JSON key file

{
  "type": "service_account",
  "project_id": "PROJECT_ID",
  "private_key_id": "KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "SERVICE_ACCOUNT_EMAIL",
  "client_id": "CLIENT_ID",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"
}

Sekoia.io configuration procedure

Create your intake

  1. Go to the intake page and create a new intake from the Google Report.
  2. Copy the associated Intake key

Pull the logs to collect them on Sekoia.io

Go to the Sekoia.io playbook page, and follow these steps:

  • Click on + PLAYBOOK button to create a new one
  • Select Create a playbook from scratch
  • Give it a name in the field Name
  • Open the left panel, click Google then select the trigger Get user activities

  • Click on Create

  • Create a Module configuration using your service account credentials from your Google Cloud environment extracted on a JSON file. Name the module configuration as you wish

  • Create a Trigger configuration using:

    • Type the Intake key created on the previous
    • Select the application name what you to fetch events from
    • Type the Admin email

  • Click on the Save button

  • Activate the playbook with the toggle button on the top right corner of the page

Enjoy your events on the Events page

Further readings