G Suite (formerly known as Google Business Suite or Google Apps for Business) is now supported for log collection using the RSA NetWitness Platform. Collection is achieved via the G Suite Reports API (v1) and is enabled in RSA NetWitness via the plugin framework.
The G Suite API schema provides several types of events which can be monitored. Below is the list of event types currently supported by this plugin:
- access_transparency – The G Suite Access Transparency activity reports return information about different types of Access Transparency activity events.
- admin – The Admin console application's activity reports return account information about different types of administrator activity events.
- calendar – The G Suite Calendar application's activity reports return information about various Calendar activity events.
- drive – The Google Drive application's activity reports return information about various Google Drive activity events. The Drive activity report is only available for G Suite Business customers.
- groups – The Google Groups application's activity reports return information about various Groups activity events.
- groups_enterprise – The Enterprise Groups activity reports return information about various Enterprise group activity events.
- login – The G Suite Login application's activity reports return account information about different types of Login activity events.
- mobile – The G Suite Mobile Audit activity reports return information about different types of Mobile Audit activity events.
- rules – The G Suite Rules activity reports return information about different types of Rules activity events.
- token – The G Suite Token application's activity reports return account information about different types of Token activity events.
- user_accounts – The G Suite User Accounts application's activity reports return account information about different types of User Accounts activity events.
Suggested Use Cases
G Suite Admin Report:
- Top 5 Admin Actions: Depicts the top 5 actions by Admin
- Admin activity: Activities performed by admins
- App Token Actions: Displays details on app token actions in a pie chart
- Users Created and Deleted: Displays users created and deleted as a table chart including details on the user’s email, admin action, and admin email.
- Groups - Users Added or Removed: Displays information on Groups, with users added or removed as a table chart including details on the user email, admin action, group email, and admin email.
G Suite Activity Report:
- Activity by IP Address: Shows a table of actions broken down by source IP address
- Login State Count: A pie chart that depicts the login states by count
- Logins from Multiple IPs: Shows logins from multiple IP addresses by user on a pie chart
- Most Active IPs: Shows a table with the most active IP addresses based on the number of events performed by that IP address
- Top 10 Apps by Count: Shows the top ten apps by count on a column graph
- Login Failures by User: Shows the login failures by user on a pie chart
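The "Logins from Multiple IPs", "Most Active IPs" and "Login Failures by User" use cases above are all simple aggregations over the `login` activity records the Reports API returns. The following is an added example, not part of the RSA NetWitness plugin or of Google's documentation, that computes those three views over a constructed sample of records shaped like the Reports API `activities.list` response (the `SAMPLE_ACTIVITIES` list, the `example.com` users and the RFC 5737 addresses are all assumptions made up for the example; the fields are trimmed to those used here).

```python
"""Detection logic over constructed G Suite Reports API (v1) login activity records."""
from collections import Counter, defaultdict

# Constructed sample records in the shape of the Reports API activities.list
# response for applicationName=login (assumption: only the fields used below
# are kept). Users are fictitious and the addresses are RFC 5737 ranges.
SAMPLE_ACTIVITIES = [
    {"id": {"time": "2020-03-02T08:01:12.000Z", "applicationName": "login"},
     "actor": {"email": "alice@example.com"}, "ipAddress": "203.0.113.10",
     "events": [{"type": "login", "name": "login_success",
                 "parameters": [{"name": "login_type", "value": "google_password"}]}]},
    {"id": {"time": "2020-03-02T08:40:03.000Z", "applicationName": "login"},
     "actor": {"email": "alice@example.com"}, "ipAddress": "198.51.100.7",
     "events": [{"type": "login", "name": "login_success",
                 "parameters": [{"name": "login_type", "value": "google_password"}]}]},
    {"id": {"time": "2020-03-02T09:10:44.000Z", "applicationName": "login"},
     "actor": {"email": "bob@example.com"}, "ipAddress": "203.0.113.20",
     "events": [{"type": "login", "name": "login_failure",
                 "parameters": [{"name": "login_type", "value": "google_password"},
                                {"name": "login_failure_type",
                                 "value": "login_failure_invalid_password"}]}]},
    {"id": {"time": "2020-03-02T09:11:02.000Z", "applicationName": "login"},
     "actor": {"email": "bob@example.com"}, "ipAddress": "203.0.113.20",
     "events": [{"type": "login", "name": "login_failure",
                 "parameters": [{"name": "login_type", "value": "google_password"},
                                {"name": "login_failure_type",
                                 "value": "login_failure_invalid_password"}]}]},
    {"id": {"time": "2020-03-02T09:11:30.000Z", "applicationName": "login"},
     "actor": {"email": "bob@example.com"}, "ipAddress": "203.0.113.20",
     "events": [{"type": "login", "name": "login_success",
                 "parameters": [{"name": "login_type", "value": "google_password"}]}]},
    {"id": {"time": "2020-03-02T10:05:00.000Z", "applicationName": "login"},
     "actor": {"email": "carol@example.com"}, "ipAddress": "192.0.2.55",
     "events": [{"type": "login", "name": "login_success",
                 "parameters": [{"name": "login_type", "value": "google_password"}]}]},
]


def flatten(records):
    """Yield one (time, actor, ip, event_name, params) row per event in each activity.

    An activity record may carry several events, so the aggregations below work
    on the flattened rows rather than on the records themselves.
    """
    for rec in records:
        actor = rec.get("actor", {}).get("email", "<unknown>")
        ip = rec.get("ipAddress", "<none>")
        ts = rec["id"]["time"]
        for ev in rec.get("events", []):
            params = {p["name"]: p.get("value") for p in ev.get("parameters", [])}
            yield ts, actor, ip, ev["name"], params


def logins_from_multiple_ips(records):
    """Users with successful logins from more than one source IP ("Logins from Multiple IPs")."""
    ips = defaultdict(set)
    for _, actor, ip, name, _ in flatten(records):
        if name == "login_success":
            ips[actor].add(ip)
    return {actor: sorted(seen) for actor, seen in ips.items() if len(seen) > 1}


def most_active_ips(records):
    """Number of login events per source IP, any outcome ("Most Active IPs")."""
    return Counter(ip for _, _, ip, _, _ in flatten(records))


def login_failures_by_user(records):
    """Count of login_failure events per actor ("Login Failures by User")."""
    return Counter(actor for _, actor, _, name, _ in flatten(records)
                   if name == "login_failure")


if __name__ == "__main__":
    print("Logins from multiple IPs:", logins_from_multiple_ips(SAMPLE_ACTIVITIES))
    print("Most active IPs:", most_active_ips(SAMPLE_ACTIVITIES).most_common(3))
    print("Login failures by user:", login_failures_by_user(SAMPLE_ACTIVITIES))
```

The same functions apply unchanged to a real `activities.list` response for `applicationName=login`, since each page of the response is a list of activity records of this shape; only the keys actually read (`id.time`, `actor.email`, `ipAddress`, `events[].name`, `events[].parameters`) need to be present.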
Downloads and Documentation
Configuration Guide: Google G Suite
Collector Package on RSA Live: Google Business Suite Log Collector Configuration
Parser on RSA Live: CEF (device.type='gsuite')