Version 6.0.4

This Beat leverages the GSuite Admin SDK Reports API. It can be used to audit the following:

  • Google Admin Console activity
    • User and group creation/elevation/modification
    • Policies
    • Licensing
    • Organizational units
  • Authentication activity
    • Successes
    • Failures
    • Challenges, such as prompts for multi-factor authentication
  • Google Drive activity
    • File/Directory view, creation/upload, modification, rename, deletion, download, move
    • Permission changes
    • Sharing (especially external shares)
  • Application activity
    • Tokens and OAuth
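As an added example (not the Beat's own code), the following Python sorts Reports API activity records into the categories listed above. The record layout follows the admin#reports#activity resource (id.applicationName, actor.email, events[].type/name/parameters[]); the set of visibility values treated as external is this example's own policy choice, and the sample records are constructed, not a real export.

```python
# Record layout follows the admin#reports#activity resource; samples below are constructed.
# Drive 'visibility' values this example treats as an external share
# (a policy choice for the example, not a Beat setting).
EXTERNAL_VISIBILITY = {"shared_externally", "public_on_the_web", "people_with_link"}

def params(event: dict) -> dict:
    """Flatten an event's parameter list into {name: value}; multiValue is joined with commas."""
    out = {}
    for p in event.get("parameters", []):
        if "multiValue" in p:
            out[p["name"]] = ",".join(p["multiValue"])
        else:
            out[p["name"]] = p.get("value", p.get("boolValue"))
    return out

def findings(record: dict) -> list:
    """Return one finding string per event that matches an audit category; other events are skipped."""
    app, actor, found = record["id"]["applicationName"], record["actor"]["email"], []
    for ev in record["events"]:
        p, name = params(ev), ev["name"]
        if app == "drive" and ev["type"] == "acl_change" and p.get("visibility") in EXTERNAL_VISIBILITY:
            found.append(f"external share: {actor} set '{p.get('doc_title')}' to {p['visibility']}")
        elif app == "login" and name == "login_failure":
            found.append(f"login failure: {actor} ({p.get('login_failure_type')})")
        elif app == "login" and name == "login_challenge":
            found.append(f"login challenge: {actor} via {p.get('login_challenge_method')}")
        elif app == "admin" and name == "GRANT_ADMIN_PRIVILEGE":
            found.append(f"admin elevation: {actor} granted {p.get('PRIVILEGE_NAME')} to {p.get('USER_EMAIL')}")
    return found

def audit(records: list) -> list:
    return [f for r in records for f in findings(r)]

SAMPLE_RECORDS = [  # constructed records in the Reports API shape, not a real export
    {"id": {"time": "2019-03-01T10:00:00Z", "applicationName": "drive"}, "actor": {"email": "alice@example.com"},
     "events": [{"type": "acl_change", "name": "change_document_visibility", "parameters": [
         {"name": "doc_title", "value": "Q1 payroll.xlsx"}, {"name": "old_visibility", "value": "private"},
         {"name": "visibility", "value": "shared_externally"}]}]},
    {"id": {"time": "2019-03-01T10:05:00Z", "applicationName": "login"}, "actor": {"email": "bob@example.com"},
     "events": [{"type": "login", "name": "login_challenge", "parameters": [
         {"name": "login_challenge_method", "multiValue": ["idv_preregistered_phone"]}]},
                {"type": "login", "name": "login_success", "parameters": []}]},
    {"id": {"time": "2019-03-01T10:10:00Z", "applicationName": "admin"}, "actor": {"email": "carol@example.com"},
     "events": [{"type": "USER_SETTINGS", "name": "GRANT_ADMIN_PRIVILEGE", "parameters": [
         {"name": "USER_EMAIL", "value": "dave@example.com"}, {"name": "PRIVILEGE_NAME", "value": "SUPER_ADMIN"}]}]},
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_RECORDS)))
```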

Use Cases

  • Audit trail of anything an administrator does
  • Authentication data
    • Audit a compromised account's activity
    • Audit feed analytics, like from CloudAI
    • Users provisioned/signed in to Google Cloud Platform
  • Audit Drive activity
    • Detect or audit compromised accounts
    • Identify data exfiltration or disruption
    • Detect accidentally deleted files

The following use cases are not covered by this Beat:

  • GCP compute activity
    • VMs created, K8s clusters deployed (any IaaS/PaaS)
    • GCP will be covered by the Google Pub/Sub Beat (via Stackdriver)
  • Gmail Message Tracking
    • Logs metadata of each message sent/received, similar to O365 Message Tracking
    • Enables identification of auto forwarding, data exfiltration, phishing, and malware received via email
  • Gmail Settings
    • Audits mail setting changes, such as auto-forward enabled