Skip to main content
Skip table of contents

GSuite Beat

Version 6.0.4

This Beat leverages the GSuite Admin SDK Reports API. It can be used to audit the following:

  • Google Admin Console activity
    • User and group creation/elevation/modification
    • Policies
    • Licensing
    • Organizational units
  • Authentication activity
    •  Successes
    •  Failures
    •  Challenges, such as prompts for multi-factor authentication
  • Google Drive activity
    • File/Directory view, creation/upload, modification, rename, deletion, download, move
    • Permission changes
    • Sharing (especially external share)
  • Application activity
    • Tokens and OAuth 

Use Cases

  • Audit trail of anything an administrator does 
  • Authentication data
    • Audit a compromised account's activity
    • Audit feed analytics, like from CloudAI
    • Users provisioned/signed in to Google Cloud Platform
  • Audit Drive activity
    • Detect or audit compromised accounts
    • Identify data exfiltration or disruption 
    • Detect accidentally deleted files

The following use cases are not covered by this Beat:

  • GCP compute activity 
    • VMs created, K8s clusters deployed (any IaaS/PaaS)
    • GCP will be covered by the Google Pub Sub beat (via StackDriver)
  • Gmail Message Tracking
    • Logs metadata of each message sent/received, similar to O365 Message Tracking
    • Enables identification of auto forwarding, data exfiltration, phishing, and malware received via email
  • Gmail Settings
    • Audits mail setting changes, such as auto-forward enabled

The GSuite Beat is not available for use in LRCloud.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.