GSuite Beat
Version 6.0.4
This Beat leverages the GSuite Admin SDK Reports API. It can be used to audit the following:
- Google Admin Console activity
  - User and group creation/elevation/modification
  - Policies
  - Licensing
  - Organizational units
- Authentication activity
  - Successes
  - Failures
  - Challenges, such as prompts for multi-factor authentication
- Google Drive activity
  - File/Directory view, creation/upload, modification, rename, deletion, download, move
  - Permission changes
  - Sharing (especially external share)
- Application activity
  - Tokens and OAuth
Use Cases
- Audit trail of anything an administrator does
- Authentication data
  - Audit a compromised account's activity
  - Audit feed analytics, like from CloudAI
  - Users provisioned/signed in to Google Cloud Platform
- Audit Drive activity
  - Detect or audit compromised accounts
  - Identify data exfiltration or disruption
  - Detect accidentally deleted files
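As an added illustration of the use cases above (not part of the Beat or its documentation), the following sketch triages audit records for repeated login failures, external Drive shares, and admin role assignments. The record shape and the event and parameter names are assumed to follow the Admin SDK Reports API `activities.list` response; the Beat's own output schema is not shown on this page, and the failure threshold is a hypothetical value.

```python
from collections import Counter

def rec(app, actor, name, ip="198.51.100.4", **p):
    """Build one constructed record in the assumed activities.list item shape."""
    return {"id": {"applicationName": app}, "actor": {"email": actor},
            "ipAddress": ip,
            "events": [{"name": name,
                        "parameters": [{"name": k, "value": v} for k, v in p.items()]}]}

# Constructed sample data, not real audit logs.
SAMPLE = (
    [rec("login", "alice@example.com", "login_failure", ip="203.0.113.7")] * 3
    + [rec("login", "alice@example.com", "login_success"),
       rec("drive", "bob@example.com", "change_user_access",
           doc_title="Q4 forecast", visibility="shared_externally"),
       rec("drive", "bob@example.com", "view",
           doc_title="Lunch menu", visibility="private"),
       rec("admin", "admin@example.com", "ASSIGN_ROLE",
           USER_EMAIL="carol@example.com", ROLE_NAME="Help Desk Admin")]
)

# Drive visibility values treated as leaving the domain (assumed value names).
EXTERNAL = {"shared_externally", "people_with_link", "public_on_the_web"}

def triage(activities, fail_threshold=3):
    """Return (finding, actor, detail) tuples for the use cases listed above."""
    findings, failures = [], Counter()
    for act in activities:
        app = act["id"]["applicationName"]
        actor = act.get("actor", {}).get("email", "unknown")
        for ev in act.get("events", []):
            p = {x["name"]: x.get("value") for x in ev.get("parameters", [])}
            if app == "login" and ev["name"] == "login_failure":
                failures[(actor, act.get("ipAddress"))] += 1
            elif app == "drive" and p.get("visibility") in EXTERNAL:
                findings.append(("external_share", actor, p.get("doc_title")))
            elif app == "admin" and ev["name"] == "ASSIGN_ROLE":
                findings.append(("role_assigned", actor, p.get("USER_EMAIL")))
    # Failures are counted per (account, source IP) before alerting.
    for (actor, ip), n in failures.items():
        if n >= fail_threshold:
            findings.append(("repeated_login_failure", actor, ip))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```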
The following use cases are not covered by this Beat:
- GCP compute activity
  - VMs created, K8s clusters deployed (any IaaS/PaaS)
  - GCP will be covered by the Google Pub Sub beat (via StackDriver)
- Gmail Message Tracking
  - Logs metadata of each message sent/received, similar to O365 Message Tracking
  - Enables identification of auto forwarding, data exfiltration, phishing, and malware received via email
- Gmail Settings
  - Audits mail setting changes, such as auto-forward enabled
The GSuite Beat is not available for use in LRCloud.