Google Workspace
Overview
Google Reports is a data reporting and analysis platform offered by Google for Google Workspace services, designed to provide insights and metrics about user activities and interactions within various Google services. It allows organizations to track and visualize user engagement, application usage, and other relevant data points, enabling informed decision-making and optimization of digital experiences.
Supported applications
This integration can collect activities from the following GSuite applications:
adminto collect activities on the Admin consolecalendarto collect events from Google calendarchatto collect Chat activitiesdriveto supervise Google Drive eventsgcpfor the Google Cloud platform activiatiesgroupsto collect Google groups eventsgroups_entrepriseto collect Entreprise groups eventsjamboardto collect Jamboard activitiesloginto monitor authentication in Google applicationsmeetto supervise Google meet eventstokenfor authentication supervisionuser_accountsto monitor Users accounts activitieskeepto supervices Google Keep activities
Limitation
Only activities from one applications can be collected from one playbook. To collect activities from several Google Application, create as many playbooks as applications to collect.
Related Built-in Rules
The following Sekoia.io built-in rules match the intake Google Report. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
SEKOIA.IO x Google Report on ATT&CK Navigator
Google Workspace Admin Creation
Detects when an admin is created or when his role is changed.
- Effort: master
Google Workspace Admin Deletion
Detects when an admin is deleted or when his role is unassigned.
- Effort: master
Google Workspace Bypass 2FA
Detects when user tries to bypass the 2FA.
- Effort: master
Google Workspace Password Change
Detects when a password is changed. An attacker can perform this action to impact the availability of the account.
- Effort: master
Google Workspace User Creation
Detects when a new user is created.
- Effort: master
Google Workspace User Deletion
Detects when an user is deleted.
- Effort: master
Google Workspace User Suspended
Detects when an user is suspended. An attacker can use this to remove an account used during the intrusion.
- Effort: master
RTLO Character
Detects RTLO (Right-To-Left character) in file and process names.
- Effort: elementary
SEKOIA.IO Intelligence Feed
Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
- Effort: elementary
WCE wceaux.dll Creation
Detects wceaux.dll creation while Windows Credentials Editor (WCE) is executed.
- Effort: intermediate
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
GCP audit logs |
Google Cloud Audit contains logs from multiple Google Cloud source such as Google Workspace. |
In details, the following table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | `` |
| Category | authentication, configuration, file, iam, session |
| Type | access, admin, connection |
Event Samples
Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-12T14:50:56.780Z\",\"uniqueQualifier\":\"-68755428425\",\"applicationName\":\"admin\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"test@test.com\",\"profileId\":\"10125127140\"},\"ipAddress\":\"2222:000:333:1111:7777:5555:6666:ddd\",\"events\":[{\"type\":\"ALERT_CENTER\",\"name\":\"ALERT_CENTER_VIEW\",\"parameters\":[{\"name\":\"ALERT_ID\",\"value\":\"445831ce-36e0-44b5-aca6-0d85f7454df7,69f7ac90-44de\"}]}]}",
"event": {
"action": "ALERT_CENTER_VIEW",
"category": [
"configuration"
],
"dataset": "admin#reports#activity",
"type": [
"info"
]
},
"@timestamp": "2024-03-12T14:50:56.780000Z",
"cloud": {
"account": {
"id": "C03foh000"
}
},
"google": {
"report": {
"actor": {
"email": "test@test.com"
}
}
},
"network": {
"application": "admin"
},
"related": {
"ip": [
"2222:0:333:1111:7777:5555:6666:ddd"
],
"user": [
"test"
]
},
"source": {
"address": "2222:0:333:1111:7777:5555:6666:ddd",
"ip": "2222:0:333:1111:7777:5555:6666:ddd"
},
"user": {
"domain": "test.com",
"email": "test@test.com",
"id": "10125127140",
"name": "test"
}
}
{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-12T14:41:33.804Z\",\"uniqueQualifier\":\"-4779949128172\",\"applicationName\":\"admin\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\\\"\",\"actor\":{\"email\":\"test@test.com\",\"profileId\":\"10125127141\"},\"ipAddress\":\"2222:000:333:1111:7777:5555:6666:ddd\",\"events\":[{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"true\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENFORCE_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"true\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"DISABLE_USERS_TO_TRUST_DEVICE\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"1 week\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"1 day\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS\",\"parameters\":[{\"name\":\"ALLOWED_TWO_STEP_VERIFICATION_METHOD\",\"value\":\"NO_TELEPHONY\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]},{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_START_DATE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"INHERIT_FROM_PARENT\"},{\"name\":\"NEW_VALUE\",\"value\":\"2019-10-31\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"IT\"}]}]}",
"event": {
"action": [
"ALLOW_STRONG_AUTHENTICATION",
"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS",
"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION",
"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY",
"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION",
"CHANGE_TWO_STEP_VERIFICATION_START_DATE",
"ENFORCE_STRONG_AUTHENTICATION"
],
"category": [
"configuration"
],
"dataset": "admin#reports#activity",
"type": [
"access",
"change"
]
},
"@timestamp": "2024-03-12T14:41:33.804000Z",
"cloud": {
"account": {
"id": "C03foh000"
}
},
"google": {
"report": {
"actor": {
"email": "test@test.com"
}
}
},
"network": {
"application": "admin"
},
"related": {
"ip": [
"2222:0:333:1111:7777:5555:6666:ddd"
],
"user": [
"test"
]
},
"source": {
"address": "2222:0:333:1111:7777:5555:6666:ddd",
"ip": "2222:0:333:1111:7777:5555:6666:ddd"
},
"user": {
"domain": "test.com",
"email": "test@test.com",
"id": "10125127141",
"name": "test"
}
}
{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T10:25:01.859Z\",\"uniqueQualifier\":\"-119782077599\",\"applicationName\":\"calendar\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z\\\"\",\"actor\":{\"email\":\"joe.done@test.com\",\"profileId\":\"1126768166\"},\"ownerDomain\":\"sekoia.io\",\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"event_change\",\"name\":\"change_event\",\"parameters\":[{\"name\":\"event_id\",\"value\":\"6qr2cujo0lkfln\"},{\"name\":\"organizer_calendar_id\",\"value\":\"joe.done@test.com\"},{\"name\":\"calendar_id\",\"value\":\"joe.done@test.com\"},{\"name\":\"event_title\",\"value\":\"title test\"},{\"name\":\"is_recurring\",\"boolValue\":false},{\"name\":\"recurring\",\"value\":\"no\"},{\"name\":\"client_side_encrypted\",\"value\":\"no\"},{\"name\":\"start_time\",\"intValue\":\"63846009000\"},{\"name\":\"end_time\",\"intValue\":\"63846010800\"},{\"name\":\"api_kind\",\"value\":\"caldav\"},{\"name\":\"user_agent\",\"value\":\"macOS/12.5\"}]}]}",
"event": {
"action": "change_event",
"category": [
"configuration"
],
"dataset": "admin#reports#activity",
"type": [
"change"
]
},
"@timestamp": "2024-03-13T10:25:01.859000Z",
"cloud": {
"account": {
"id": "C03foh000"
}
},
"google": {
"report": {
"actor": {
"email": "joe.done@test.com"
}
}
},
"network": {
"application": "calendar"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"joe.done"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"domain": "test.com",
"email": "joe.done@test.com",
"id": "1126768166",
"name": "joe.done"
}
}
{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T10:36:57.929Z\",\"uniqueQualifier\":\"2480088525820\",\"applicationName\":\"calendar\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"email\":\"joe.doe@test.com\",\"profileId\":\"1158856535600\"},\"ownerDomain\":\"test.com\",\"ipAddress\":\"ffff:2222:333:11:aa:2222:111:11\",\"events\":[{\"type\":\"event_change\",\"name\":\"create_event\",\"parameters\":[{\"name\":\"event_id\",\"value\":\"fksdqs5mv613b\"},{\"name\":\"organizer_calendar_id\",\"value\":\"joe.doe@test.com\"},{\"name\":\"calendar_id\",\"value\":\"jone.done@test.com\"},{\"name\":\"event_title\",\"value\":\"Test title\"},{\"name\":\"is_recurring\",\"boolValue\":false},{\"name\":\"recurring\",\"value\":\"no\"},{\"name\":\"client_side_encrypted\",\"value\":\"no\"},{\"name\":\"start_time\",\"intValue\":\"63846450000\"},{\"name\":\"end_time\",\"intValue\":\"63846453600\"},{\"name\":\"user_agent\",\"value\":\"Calendly\"}]},{\"type\":\"event_change\",\"name\":\"add_event_guest\",\"parameters\":[{\"name\":\"event_id\",\"value\":\"fksdqs5mv613b\"},{\"name\":\"organizer_calendar_id\",\"value\":\"joe.doe@test.com\"},{\"name\":\"calendar_id\",\"value\":\"jone.done@test.com\"},{\"name\":\"event_title\",\"value\":\"Test title\"},{\"name\":\"is_recurring\",\"boolValue\":false},{\"name\":\"recurring\",\"value\":\"no\"},{\"name\":\"client_side_encrypted\",\"value\":\"no\"},{\"name\":\"event_guest\",\"value\":\"jone.done@test.com\"},{\"name\":\"user_agent\",\"value\":\"Calendly\"}]}]}",
"event": {
"action": [
"add_event_guest",
"create_event"
],
"category": [
"configuration"
],
"dataset": "admin#reports#activity",
"type": [
"change",
"creation"
]
},
"@timestamp": "2024-03-13T10:36:57.929000Z",
"cloud": {
"account": {
"id": "C03foh000"
}
},
"destination": {
"user": {
"email": "jone.done@test.com"
}
},
"google": {
"report": {
"actor": {
"email": "joe.doe@test.com"
}
}
},
"network": {
"application": "calendar"
},
"related": {
"ip": [
"ffff:2222:333:11:aa:2222:111:11"
],
"user": [
"joe.doe"
]
},
"source": {
"address": "ffff:2222:333:11:aa:2222:111:11",
"ip": "ffff:2222:333:11:aa:2222:111:11"
},
"user": {
"domain": "test.com",
"email": "joe.doe@test.com",
"id": "1158856535600",
"name": "joe.doe"
}
}
{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-08T10:37:56.354Z\",\"uniqueQualifier\":\"-75128508411076\",\"applicationName\":\"chat\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H0\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.com\",\"profileId\":\"1160802395241\"},\"events\":[{\"type\":\"user_action\",\"name\":\"message_posted\",\"parameters\":[{\"name\":\"room_id\",\"value\":\"AAAAAAAAAA\"},{\"name\":\"actor\",\"value\":\"joe.done@test.com\"},{\"name\":\"message_id\",\"value\":\"spaces/AAAApr7T222/messages/oODWFIV2CtA\"},{\"name\":\"retention_state\",\"value\":\"PERMANENT\"},{\"name\":\"room_name\",\"value\":\"Group Chat (AAAAAAAAAA)\"},{\"name\":\"dlp_scan_status\",\"value\":\"DLP_NOT_APPLICABLE\"}]}]}",
"event": {
"action": "message_posted",
"category": [
"session"
],
"dataset": "admin#reports#activity",
"type": [
"connection"
]
},
"@timestamp": "2024-03-08T10:37:56.354000Z",
"cloud": {
"account": {
"id": "C03foh000"
}
},
"google": {
"report": {
"actor": {
"email": "joe.done@test.com"
},
"chat": {
"message": {
"id": "spaces/AAAApr7T222/messages/oODWFIV2CtA"
},
"room": {
"name": "Group Chat (AAAAAAAAAA)"
}
}
}
},
"network": {
"application": "chat"
},
"related": {
"user": [
"joe.done"
]
},
"user": {
"domain": "test.com",
"email": "joe.done@test.com",
"id": "1160802395241",
"name": "joe.done"
}
}
{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-12T10:01:16.430Z\",\"uniqueQualifier\":\"-2323518099402\",\"applicationName\":\"chat\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.com\",\"profileId\":\"1070981817756\"},\"events\":[{\"type\":\"user_action\",\"name\":\"room_created\",\"parameters\":[{\"name\":\"room_id\",\"value\":\"AAAAAAAAA\"},{\"name\":\"actor\",\"value\":\"joe.done@test.com\"},{\"name\":\"external_room\",\"value\":\"DISABLED\"},{\"name\":\"room_name\",\"value\":\"Group Chat (AAAAAAAAA)\"}]}]}",
"event": {
"action": "room_created",
"category": [
"session"
],
"dataset": "admin#reports#activity",
"type": [
"connection"
]
},
"@timestamp": "2024-03-12T10:01:16.430000Z",
"cloud": {
"account": {
"id": "C03foh000"
}
},
"google": {
"report": {
"actor": {
"email": "joe.done@test.com"
},
"chat": {
"room": {
"name": "Group Chat (AAAAAAAAA)"
}
}
}
},
"network": {
"application": "chat"
},
"related": {
"user": [
"joe.done"
]
},
"user": {
"domain": "test.com",
"email": "joe.done@test.com",
"id": "1070981817756",
"name": "joe.done"
}
}
{
"message": "{\"kind\":\"audit#activity\",\"id\":{\"time\":\"2014-03-17T15:39:18.460Z\",\"uniqQualifier\":\"reports unique ID\",\"applicationName\":\"drive\",\"customerId\":\"ABC123xyz\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"kim@example.com\",\"profileId\":\"users unique Google Workspace profile ID\",\"key\":\"consumer key of requestor in an OAuth 2LO request\"},\"ownerDomain\":\"domain of the source owner\",\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":true},{\"name\":\"owner_team_drive_id\",\"value\":\"AAAAAALLLLLL\"},{\"name\":\"owner\",\"value\":\"RH \"},{\"name\":\"doc_id\",\"value\":\"5555763535\"},{\"name\":\"doc_type\",\"value\":\"folder\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Divers\"},{\"name\":\"visibility\",\"value\":\"shared_internally\"},{\"name\":\"shared_drive_id\",\"value\":\"112-EIUBHDIUBEBUD\"},{\"name\":\"originating_app_id\",\"value\":\"691301496089\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":true},{\"name\":\"team_drive_id\",\"value\":\"111-EIUBHDIUBEBUD\"}]}]}",
"event": {
"action": "edit",
"category": [
"file"
],
"dataset": "audit#activity",
"type": [
"access",
"change"
]
},
"@timestamp": "2014-03-17T15:39:18.460000Z",
"cloud": {
"account": {
"id": "ABC123xyz"
}
},
"file": {
"gid": "AAAAAALLLLLL",
"name": "Divers",
"owner": "RH ",
"type": "folder"
},
"google": {
"report": {
"actor": {
"email": "kim@example.com"
},
"parameters": {
"visibility": "shared_internally"
}
}
},
"network": {
"application": "drive"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"RH ",
"kim"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"domain": "example.com",
"email": "kim@example.com",
"id": "users unique Google Workspace profile ID",
"name": "kim"
}
}
{
"message": "{\"kind\":\"audit#activity\",\"id\":{\"time\":\"2014-03-17T15:39:18.460Z\",\"uniqQualifier\":\"reports unique ID\",\"applicationName\":\"drive\",\"customerId\":\"ABC123xyz\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"kim@example.com\",\"profileId\":\"users unique Google Workspace profile ID\",\"key\":\"consumer key of requestor in an OAuth 2LO request\"},\"ownerDomain\":\"domain of the source owner\",\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1DWuYM3ot_sAyEQqOz0xWJ9bVMSYzOmRNeBqbgtSwuK8\"},{\"name\":\"doc_title\",\"value\":\"Meeting notes\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"owner\",\"value\":\"mary@example.com\"}]}]}",
"event": {
"action": "edit",
"category": [
"file"
],
"dataset": "audit#activity",
"type": [
"access",
"change"
]
},
"@timestamp": "2014-03-17T15:39:18.460000Z",
"cloud": {
"account": {
"id": "ABC123xyz"
}
},
"file": {
"name": "Meeting notes",
"owner": "mary@example.com",
"type": "document"
},
"google": {
"report": {
"actor": {
"email": "kim@example.com"
}
}
},
"network": {
"application": "drive"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"kim",
"mary@example.com"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"domain": "example.com",
"email": "kim@example.com",
"id": "users unique Google Workspace profile ID",
"name": "kim"
}
}
{
"message": "{\n \"kind\": \"admin#reports#activity\",\n \"id\": {\n \"time\": \"2023-09-04T08:42:51.615Z\",\n \"uniqueQualifier\": \"-2222222222222222222\",\n \"applicationName\": \"drive\",\n \"customerId\": \"111111111\"\n },\n \"actor\": {\n \"email\": \"john.doe@example.org\",\n \"profileId\": \"444444444444444444444\"\n },\n \"ipAddress\": \"1.2.3.4\",\n \"events\": [\n {\n \"type\": \"access\",\n \"name\": \"view\",\n \"parameters\": [\n {\n \"name\": \"primary_event\",\n \"boolValue\": true\n },\n {\n \"name\": \"billable\",\n \"boolValue\": true\n },\n {\n \"name\": \"owner_is_shared_drive\",\n \"boolValue\": true\n },\n {\n \"name\": \"owner_team_drive_id\",\n \"value\": \"DDD_111111111111111\"\n },\n {\n \"name\": \"owner\",\n \"value\": \"J.DOE\"\n },\n {\n \"name\": \"doc_id\",\n \"value\": \"333333333333333333333333333333333\"\n },\n {\n \"name\": \"doc_type\",\n \"value\": \"folder\"\n },\n {\n \"name\": \"is_encrypted\",\n \"boolValue\": false\n },\n {\n \"name\": \"doc_title\",\n \"value\": \"MyDocs\"\n },\n {\n \"name\": \"visibility\",\n \"value\": \"people_within_domain_with_link\"\n },\n {\n \"name\": \"shared_drive_id\",\n \"value\": \"DDD_222222222222222\"\n },\n {\n \"name\": \"originating_app_id\",\n \"value\": \"666666666666\"\n },\n {\n \"name\": \"actor_is_collaborator_account\",\n \"boolValue\": false\n },\n {\n \"name\": \"owner_is_team_drive\",\n \"boolValue\": true\n },\n {\n \"name\": \"team_drive_id\",\n \"value\": \"DDD_888888888888888\"\n }\n ]\n }\n ]\n}\n",
"event": {
"action": "view",
"category": [
"file"
],
"dataset": "admin#reports#activity",
"type": [
"access"
]
},
"@timestamp": "2023-09-04T08:42:51.615000Z",
"cloud": {
"account": {
"id": "111111111"
}
},
"file": {
"gid": "DDD_111111111111111",
"name": "MyDocs",
"owner": "J.DOE",
"type": "folder"
},
"google": {
"report": {
"actor": {
"email": "john.doe@example.org"
},
"parameters": {
"visibility": "people_within_domain_with_link"
}
}
},
"network": {
"application": "drive"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"J.DOE",
"john.doe"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"domain": "example.org",
"email": "john.doe@example.org",
"id": "444444444444444444444",
"name": "john.doe"
}
}
{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-11T15:20:33.157Z\",\"uniqueQualifier\":\"-92180609786\",\"applicationName\":\"groups_enterprise\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.com\",\"profileId\":\"109472445\"},\"events\":[{\"type\":\"moderator_action\",\"name\":\"delete_group\",\"parameters\":[{\"name\":\"group_id\",\"value\":\"testgroup@test.com\"}]}]}",
"event": {
"action": "delete_group",
"category": [
"iam"
],
"dataset": "admin#reports#activity",
"type": [
"admin"
]
},
"@timestamp": "2024-03-11T15:20:33.157000Z",
"cloud": {
"account": {
"id": "C03foh000"
}
},
"google": {
"report": {
"actor": {
"email": "joe.done@test.com"
}
}
},
"network": {
"application": "groups_enterprise"
},
"related": {
"user": [
"joe.done"
]
},
"user": {
"domain": "test.com",
"email": "joe.done@test.com",
"group": {
"id": "testgroup@test.com"
},
"id": "109472445",
"name": "joe.done"
}
}
{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T11:02:40.037Z\",\"uniqueQualifier\":\"235176017661\",\"applicationName\":\"meet\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"jone.doe@test.com\",\"profileId\":\"1098488062555\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"0\"},{\"name\":\"location_country\",\"value\":\"FR\"},{\"name\":\"identifier_type\",\"value\":\"email_address\"},{\"name\":\"endpoint_id\",\"value\":\"dSzi5ZfqD8I\"},{\"name\":\"device_type\",\"value\":\"web\"},{\"name\":\"screencast_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"calendar_event_id\",\"value\":\"glb41ldt739tcf0bun7p9htaqr\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"83\"},{\"name\":\"screencast_send_short_side_median_pixels\",\"intValue\":\"1080\"},{\"name\":\"screencast_send_packet_loss_max\",\"intValue\":\"1\"},{\"name\":\"screencast_send_fps_mean\",\"intValue\":\"29\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"1\"},{\"name\":\"network_transport_protocol\",\"value\":\"udp\"},{\"name\":\"duration_seconds\",\"intValue\":\"1498\"},{\"name\":\"identifier\",\"value\":\"jone.doe@test.com\"},{\"name\":\"location_region\",\"value\":\"Argenteuil\"},{\"name\":\"screencast_send_bitrate_kbps_mean\",\"intValue\":\"791\"},{\"name\":\"organizer_email\",\"value\":\"joe.done@test.com\"},{\"name\":\"ip_address\",\"value\":\"5555:333:333:5555:5555:5555:5555:5555\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"0\"},{\"name\":\"display_name\",\"value\":\"Test SEGLA\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"screencast_send_long_side_median_pixels\",\"intValue\":\"1920\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"12\"},{\"name\":\"conference_id\",\"value\":\"SQEGZkIp70zCVuvX_PtXDxI\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"0\"},{\"name\":\"meeting_code\",\"value\":\"GMGSZDDDDD\"},{\"name\":\"is_external\",\"boolValue\":false}]}]}",
"event": {
"action": "call_ended",
"category": [
"session"
],
"dataset": "admin#reports#activity",
"type": [
"connection"
]
},
"@timestamp": "2024-03-13T11:02:40.037000Z",
"client": {
"geo": {
"country_iso_code": "FR",
"region_name": "Argenteuil"
}
},
"cloud": {
"account": {
"id": "C03foh000"
}
},
"google": {
"report": {
"actor": {
"email": "jone.doe@test.com"
},
"meet": {
"code": "GMGSZDDDDD"
}
}
},
"network": {
"application": "meet",
"transport": "udp"
},
"related": {
"user": [
"jone.doe"
]
},
"user": {
"domain": "test.com",
"email": "jone.doe@test.com",
"id": "1098488062555",
"name": "jone.doe"
}
}
{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T10:31:23.630Z\",\"uniqueQualifier\":\"47501654195\",\"applicationName\":\"meet\",\"customerId\":\"C03foh000\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"jone.done@test.com\",\"profileId\":\"1070981817756\"},\"events\":[{\"type\":\"conference_action\",\"name\":\"presentation_started\",\"parameters\":[{\"name\":\"is_external\",\"boolValue\":false},{\"name\":\"meeting_code\",\"value\":\"BWXXZYNUUU\"},{\"name\":\"conference_id\",\"value\":\"iVYNZWWtL3-mwtWyAGIeDxIWOAkI\"},{\"name\":\"action_time\",\"value\":\"2024-03-13T10:31:23.630220Z\"},{\"name\":\"identifier\",\"value\":\"jone.done@test.com\"},{\"name\":\"identifier_type\",\"value\":\"email_address\"}]}]}",
"event": {
"action": "presentation_started",
"category": [
"session"
],
"dataset": "admin#reports#activity",
"type": [
"connection"
]
},
"@timestamp": "2024-03-13T10:31:23.630000Z",
"cloud": {
"account": {
"id": "C03foh000"
}
},
"google": {
"report": {
"actor": {
"email": "jone.done@test.com"
},
"meet": {
"code": "BWXXZYNUUU"
}
}
},
"network": {
"application": "meet"
},
"related": {
"user": [
"jone.done"
]
},
"user": {
"domain": "test.com",
"email": "jone.done@test.com",
"id": "1070981817756",
"name": "jone.done"
}
}
{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-01-17T11:09:39.840Z\",\"uniqueQualifier\":\"111111\",\"applicationName\":\"drive\",\"customerId\":\"XXXXXX\"},\"etag\":\"aaa-aaa/aaa\",\"actor\":{\"email\":\"senduser@test.com\",\"profileId\":\"11111\"},\"ipAddress\":\"0.0.0.0\",\"events\":[{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":false},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"owner\",\"value\":\"owner@test.com\"},{\"name\":\"doc_id\",\"value\":\"1111111111\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Doc Temp\"},{\"name\":\"visibility\",\"value\":\"shared_externally\"},{\"name\":\"originating_app_id\",\"value\":\"111111\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":false}]},{\"type\":\"acl_change\",\"name\":\"change_user_access\",\"parameters\":[{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_user\",\"value\":\"targetuser@test.fr\"},{\"name\":\"old_value\",\"multiValue\":[\"none\"]},{\"name\":\"new_value\",\"multiValue\":[\"can_edit\"]},{\"name\":\"old_visibility\",\"value\":\"shared_internally\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"owner\",\"value\":\"owner@test.com\"},{\"name\":\"doc_id\",\"value\":\"11111\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"is_encrypted\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"Doc Temp\"},{\"name\":\"visibility\",\"value\":\"shared_externally\"},{\"name\":\"originating_app_id\",\"value\":\"11111\"},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":false},{\"name\":\"owner_is_team_drive\",\"boolValue\":false}]}]}",
"event": {
"action": [
"change_user_access",
"edit"
],
"category": [
"file"
],
"dataset": "admin#reports#activity",
"type": [
"access",
"change"
]
},
"@timestamp": "2024-01-17T11:09:39.840000Z",
"cloud": {
"account": {
"id": "XXXXXX"
}
},
"file": {
"name": "Doc Temp",
"owner": "owner@test.com",
"type": "document"
},
"google": {
"report": {
"actor": {
"email": "senduser@test.com"
},
"parameters": {
"visibility": "shared_externally"
}
}
},
"network": {
"application": "drive"
},
"related": {
"ip": [
"0.0.0.0"
],
"user": [
"owner@test.com",
"senduser"
]
},
"source": {
"address": "0.0.0.0",
"ip": "0.0.0.0"
},
"user": {
"domain": "test.com",
"email": "senduser@test.com",
"id": "11111",
"name": "senduser",
"target": {
"email": "targetuser@test.fr"
}
}
}
{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T11:24:59.810Z\",\"uniqueQualifier\":\"515960775816012389\",\"applicationName\":\"token\",\"customerId\":\"C03foh04q\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H\\\"\",\"actor\":{\"email\":\"JONE.DOE@test.com\",\"profileId\":\"109472445\"},\"ipAddress\":\"1.2.3.4\",\"events\":[{\"name\":\"authorize\",\"parameters\":[{\"name\":\"client_id\",\"value\":\"11057316681905\"},{\"name\":\"app_name\",\"value\":\"Test Log Workspace\"},{\"name\":\"client_type\",\"value\":\"WEB\"},{\"name\":\"scope_data\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"scope_name\",\"value\":\"https://www.googleapis.com/auth/admin.reports.audit.readonly\"},{\"name\":\"product_bucket\",\"multiValue\":[\"GSUITE_ADMIN\"]}]},{\"parameter\":[{\"name\":\"scope_name\",\"value\":\"https://www.googleapis.com/auth/admin.reports.usage.readonly\"},{\"name\":\"product_bucket\",\"multiValue\":[\"GSUITE_ADMIN\"]}]}]},{\"name\":\"scope\",\"multiValue\":[\"https://www.googleapis.com/auth/admin.reports.audit.readonly\",\"https://www.googleapis.com/auth/admin.reports.usage.readonly\"]}]}]}",
"event": {
"action": "authorize",
"category": [
"authentication"
],
"dataset": "admin#reports#activity",
"type": [
"access",
"connection"
]
},
"@timestamp": "2024-03-13T11:24:59.810000Z",
"client": {
"user": {
"id": "11057316681905"
}
},
"cloud": {
"account": {
"id": "C03foh04q"
}
},
"google": {
"report": {
"actor": {
"email": "JONE.DOE@test.com"
},
"token": {
"app_name": "Test Log Workspace",
"type": "WEB"
}
}
},
"network": {
"application": "token"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"JONE.DOE"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"domain": "test.com",
"email": "JONE.DOE@test.com",
"id": "109472445",
"name": "JONE.DOE"
}
}
{
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-03-13T11:25:23.391Z\",\"uniqueQualifier\":\"-38605878274\",\"applicationName\":\"token\",\"customerId\":\"C03foh5555\"},\"etag\":\"\\\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0H0/t\\\"\",\"actor\":{\"email\":\"JOE.DONE@test.com\",\"profileId\":\"1094724450\"},\"ipAddress\":\"1.1.1.1\",\"events\":[{\"type\":\"auth\",\"name\":\"activity\",\"parameters\":[{\"name\":\"api_name\",\"value\":\"admin\"},{\"name\":\"method_name\",\"value\":\"reports.activities.list\"},{\"name\":\"client_id\",\"value\":\"110573166819\"},{\"name\":\"num_response_bytes\",\"intValue\":\"7\"},{\"name\":\"product_bucket\",\"value\":\"GSUITE_ADMIN\"},{\"name\":\"app_name\",\"value\":\"Test Log Workspace\"},{\"name\":\"client_type\",\"value\":\"WEB\"}]}]}",
"event": {
"action": "activity",
"category": [
"authentication"
],
"dataset": "admin#reports#activity",
"type": [
"access",
"connection"
]
},
"@timestamp": "2024-03-13T11:25:23.391000Z",
"client": {
"user": {
"id": "110573166819"
}
},
"cloud": {
"account": {
"id": "C03foh5555"
}
},
"google": {
"report": {
"actor": {
"email": "JOE.DONE@test.com"
},
"token": {
"app_name": "Test Log Workspace",
"type": "WEB"
}
}
},
"network": {
"application": "token"
},
"related": {
"ip": [
"1.1.1.1"
],
"user": [
"JOE.DONE"
]
},
"source": {
"address": "1.1.1.1",
"ip": "1.1.1.1"
},
"user": {
"domain": "test.com",
"email": "JOE.DONE@test.com",
"id": "1094724450",
"name": "JOE.DONE"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
| Name | Type | Description |
|---|---|---|
@timestamp |
date |
Date/time when the event originated. |
client.geo.country_iso_code |
keyword |
Country ISO code. |
client.geo.region_name |
keyword |
Region name. |
client.user.id |
keyword |
Unique identifier of the user. |
cloud.account.id |
keyword |
The cloud account or organization id. |
destination.user.email |
keyword |
User email address. |
event.action |
keyword |
The action captured by the event. |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.dataset |
keyword |
Name of the dataset. |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
file.gid |
keyword |
Primary group ID (GID) of the file. |
file.name |
keyword |
Name of the file including the extension, without the directory. |
file.owner |
keyword |
File owner's username. |
file.type |
keyword |
File type (file, dir, or symlink). |
google.report.actor.email |
keyword |
|
google.report.chat.message.id |
keyword |
Message id |
google.report.chat.room.name |
keyword |
Room name |
google.report.meet.code |
keyword |
Meet code |
google.report.parameters.visibility |
keyword |
Visibility of the Drive item associated with the activity |
google.report.token.app_name |
keyword |
Token authorization application name |
google.report.token.type |
keyword |
Token type |
network.application |
keyword |
Application level protocol name. |
network.transport |
keyword |
Protocol Name corresponding to the field iana_number. |
source.ip |
ip |
IP address of the source. |
user.domain |
keyword |
Name of the directory the user is a member of. |
user.email |
keyword |
User email address. |
user.group.id |
keyword |
Unique identifier for the group on the system/platform. |
user.id |
keyword |
Unique identifier of the user. |
user.name |
keyword |
Short name or login of the user. |
user.target.email |
keyword |
User email address. |
Configure
Prerequisites
- Google licence Enterprise standard or higher
- Access to Sekoia.io Intakes and Playbook pages with write permissions
- Administrator access to the Google Cloud console
Create a dedicated service account
To create a service account you have to :
- Create a project
- Turn on the APIs for the service account
- Set up the OAuth consent screen with the following scopes (see Choose Reports API scopes):
- https://www.googleapis.com/auth/admin.reports.audit.readonly
- https://www.googleapis.com/auth/admin.reports.usage.readonly
- Create the service account
For more details in each steps please read this Documentation
Create and download JSON keys (service account credentials)
To use a service account from outside of Google Cloud, such as on Sekoia.io, you must first establish the identity of the service account. Public/private key pairs provide a secure way of accomplishing this goal. When you create a service account key, the public portion is stored on Google Cloud, while the private portion is available only to you.
Note
By default, service account keys never expire.
- Go to the Service accounts page
- Select your cloud project
- Click the email address of the service account that you want to create a key for
- Click the Keys tab
- Click the Add key drop-down menu, then select Create new key
- Select JSON as the Key type and click Create
Important
Clicking Create downloads a service account key file. After you download the key file, you cannot download it again. You will need it on the following steps on Sekoia.io.
Find more information on the official google documentation.
Example of JSON key file
{
"type": "service_account",
"project_id": "PROJECT_ID",
"private_key_id": "KEY_ID",
"private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
"client_email": "SERVICE_ACCOUNT_EMAIL",
"client_id": "CLIENT_ID",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"
}
Sekoia.io configuration procedure
Create your intake
- Go to the intake page and create a new intake from the
Google Report. - Copy the associated Intake key
Pull the logs to collect them on Sekoia.io
Go to the Sekoia.io playbook page, and follow these steps:
- Click on + PLAYBOOK button to create a new one
- Select Create a playbook from scratch
- Give it a name in the field Name
- Open the left panel, click Google then select the trigger
Get user activities -
Click on Create
-
Create a Module configuration using your service account credentials from your Google Cloud environment extracted on a JSON file. Name the module configuration as you wish
-
Create a Trigger configuration using:
- Type the
Intake keycreated on the previous - Select the
application namewhat you to fetch events from - Type the
Admin email
- Type the
-
Click on the Save button
- Activate the playbook with the toggle button on the top right corner of the page