Google Workspace comprises a number of cloud-based productivity and collaboration tools developed by Google. Formerly know as G-Suite, Google Workspace includes all the popular apps you know—Gmail, Calendar, Drive, Docs, Sheets, Slides, Meet, and many more. Today, most of the enterprises across the globe are streamlining their workflows with the help of Google Workspace. It is essential for organizations to monitor logs generated from these applications to gain visibility in case of unauthorized access, exfiltration, privilege abuse, configuration outliers, etc.
Here’s how DNIF HYPERCLOUD can help you effectively analyze and monitor Google Drive Logs.
Integrate Google Workspace
You can leverage our prebuilt connector that uses the pull method to fetch data from the Google G-Suite Report API. After enabling this integration you can import audit logs to DNIF. For more details on how to configure the connector, please check out the integration manual: G-Suite Connector.
Parsing data and applying extractors
Our platform provides a large number of pre-built Native Extractors. These extractors get applied automatically and parse applicable fields of interest from RAW events as per the out-of-the-box use cases built on the platform.
Here's how you can check all the standard extractors.
Go to the System icon(that looks like a desktop) then select Extraction. You will be able to see a list of all the native extractors under this section.
This google-gsuite_office extractor will extract the relevant information from the G-Suite raw logs and stream the parsed events into DOCUMENTS stream.
Below is a table with fields extracted and normalized as per DNIF HYPERCLOUD Data Model (DDM):
| Field | Description |
| Action | Action performed by the user |
| User | The Actor |
| Owner | Document's Owner |
| App | Name of the application |
| File | Name of the file |
| FileType | The file type such as document, folder, ms-excel, spreadsheet etc. |
| SrcIP | Source IP address of the Actor |
| Visibility | Visibility of TargetFile |
| Target User | Permission changed for any user |
RAW logs and Parsed Events
Contextual Enrichment - Using EventStore to upload custom data
Custom Event Stores can be uploaded in csv, json, xls, xslx formats. You can store your database details and query from there for later usage. These custom event stores can be used to enrich ingested logs with organization-relevant context and validate findings during investigation.
In the following example, we have uploaded employee data in an .xlsx file format to analyze an organization’s data.
Go to the System icon then select EventStores
Here is our custom EventStore
This .xlsx file contains fields such as $Name (employee's name), $User (user's ID), $EmployeeID (employee's ID), $Designation (employee’s designation), $Department (employee’s department), $EmailID (employee's email id), $EmployeeStatus (employee’s current status)
Checkout EventStores-Operations to read more about EventStores in DNIF.
Adding context/meta information to parsed events
We’ve created a custom enrichment bucket for the Employee Data in our example. Learn more about the DNIF HYPERCLOUD enrichment bucket here.
Go to the System icon then select Enrichment
Here is our custom EventStore
The fields will populate as mentioned in the Bucket.
$Department: Department
$Designation: Role
$EmployeeID: EmployeeID
$EmployeeStatus: EmployeeStatus
$UserID: User
Pre-Built Use Cases
Let’s discuss a few interesting use-cases which you get OOTB once you ingest data via G-Suite Connector.
1. An Employee on their notice period source copying a file - An employee on their notice period making a copy of a file
2. Document Downloaded By an External User - An external user not part of our organization is downloading a file.
3. An employee on their notice period deleting a file - An employee on their notice period is deleting a file.
1. Detect 'file copy' activity by Employee serving notice period
The following workbook is used to detect a file being copied by an employee on their notice period:
stream=documents where sourcename='G-SUITE' and action='COPIED' and employeestatus='Notice Period'|groupby user, file
2. Document Downloaded By Non-Organizational User
The following workbook is used to detect a file being downloaded by a user who is not part of the organization.
stream=documents where sourcename='G-SUITE' and action='DOWNLOADED' and not user like '%dnifdemo-net%' | groupby user, file
3. An employee on their notice period deleting a file
The following workbook is used to detect an employee on notice period deleting a file.
stream=documents where sourcename='G-SUITE' and action='DELETED' and employeestatus='Notice Period' | groupby user, file
Case Study
Let’s discuss the footprints of the Employee on their notice period carrying out suspicious activities on the drive. Here signals are generated for the workbooks mentioned in the previous section where the employee on notice period is traced for performing suspicious activities. Once the alerts/signals are generated users can create an incident to further analyze the case.
Users can also view the Artifacts section to get a complete understanding of the entities involved in this case(suspects, targets, signals and compromised units)
Footprints
1. An employee at DNIF HYPERCLOUD with identity edward@dnifdemo-net, on their notice period has source copied an original file - Confidential Data ORG and created their own copy named - Copy of Confidential Data ORG. The first signal is raised here, "Notice Period Employee Source Copying File"
2. The “Copy of Confidential Data ORG” file with owner edward@dnifdemo-net was then shared with an external user heyyou16@gmail.com where user heyyou16@gmail.com has downloaded the file. The second signal is raised here, "Document Downloaded By External User"
3. Later the source copied file was deleted by edward@dnifdemo-net which is suspicious. The third signal is raised here, "Notice Period Employee Deleting File"
So, here an employee on their notice period is performing suspicious activities by copying a source file and then sharing it with an external user who is later downloading the file and stealing confidential information which belongs to DNIF. This poses a risk to the organisation as the stolen data can be misused later.
This is how you can analyse and detect suspicious activities using DNIF HYPERCLOUD
Summary
In this blog we explored how simple it is to integrate and analyze Good Drive logs via our pre-built G-Suite connector and use cases. Stay tuned to explore how we can integrate other applications/services included within Google Workspace.
Schedule a demo with us to learn more about how DNIF HYPERCLOUD can help your organization.
