Rachina Poojari Aug 3, 2022 12:55:05 AM 8 min read

Google Drive Monitoring with DNIF HYPERCLOUD

Google Workspace comprises a number of cloud-based productivity and collaboration tools developed by Google. Formerly known as G-Suite, Google Workspace includes all the popular apps you know: Gmail, Calendar, Drive, Docs, Sheets, Slides, Meet, and many more. Today, most enterprises across the globe are streamlining their workflows with the help of Google Workspace. It is essential for organizations to monitor the logs generated by these applications to gain visibility in case of unauthorized access, exfiltration, privilege abuse, configuration outliers, etc.

Here’s how DNIF HYPERCLOUD can help you effectively analyze and monitor Google Drive Logs.    

Integrate Google Workspace  

You can leverage our prebuilt connector that uses the pull method to fetch data from the Google G-Suite Report API. After enabling this integration you can import audit logs to DNIF. For more details on how to configure the connector, please check out the integration manual: G-Suite Connector.

Parsing data and applying extractors 

Our platform provides a large number of pre-built Native Extractors. These extractors get applied automatically and parse applicable fields of interest from RAW events as per the out-of-the-box use cases built on the platform. 

Here's how you can check all the standard extractors.

Go to the System icon (which looks like a desktop), then select Extraction. You will see a list of all the native extractors under this section.

The google-gsuite_office extractor extracts the relevant information from the G-Suite raw logs and streams the parsed events into the DOCUMENTS stream. For reference, you can take a quick look at all the available out-of-the-box (OOTB) extractors at: DNIF's Standard Extractors.

Below is a table with the fields extracted and normalized as per the DNIF HYPERCLOUD Data Model (DDM):

| Field | Description |
| --- | --- |
| Action | Action performed by the user |
| User | The Actor |
| Owner | Document's Owner |
| App | Name of the application |
| File | Name of the file |
| FileType | The file type such as document, folder, ms-excel, spreadsheet etc. |
| SrcIP | Source IP address of the Actor |
| Visibility | Visibility of TargetFile |
| Target User | Permission changed for any user |

 

RAW logs and Parsed Events


 

Contextual Enrichment - Using EventStore to upload custom data

Custom Event Stores can be uploaded in csv, json, xls, and xlsx formats. You can store your database details there and query them later. These custom event stores can be used to enrich ingested logs with organization-relevant context and to validate findings during an investigation.

In the following example, we have uploaded employee data in an .xlsx file format to analyze an organization’s data.

Go to the System icon then select EventStores

Here is our custom EventStore

This .xlsx file contains fields such as $Name (employee's name), $User (user's ID), $EmployeeID (employee's ID), $Designation (employee’s designation), $Department (employee’s department), $EmailID (employee's email id), and $EmployeeStatus (employee’s current status).

Check out EventStores-Operations to read more about EventStores in DNIF.

Adding context/meta information to parsed events

We’ve created a custom enrichment bucket for the Employee Data in our example. Learn more about the DNIF HYPERCLOUD enrichment bucket here.

Go to the System icon then select Enrichment

Here is our custom EventStore 

The fields will populate as mentioned in the Bucket.   

$Department: Department

$Designation: Role

$EmployeeID: EmployeeID

$EmployeeStatus: EmployeeStatus

$UserID: User

Pre-Built Use Cases

Let’s discuss a few interesting use cases that you get OOTB once you ingest data via the G-Suite Connector.

1. An employee on their notice period source copying a file - An employee on their notice period is making a copy of a file.

2. Document Downloaded By an External User - An external user who is not part of our organization is downloading a file.

3. An employee on their notice period deleting a file - An employee on their notice period is deleting a file.

1. Detect 'file copy' activity by Employee serving notice period

The following workbook is used to detect a file being copied by an employee on their notice period:

stream=documents where sourcename='G-SUITE' and action='COPIED' and employeestatus='Notice Period' | groupby user, file

2. Document Downloaded By Non-Organizational User 

The following workbook is used to detect a file being downloaded by a user who is not part of the organization.

stream=documents where sourcename='G-SUITE' and action='DOWNLOADED' and not user like '%dnifdemo-net%' | groupby user, file

3. An employee on their notice period deleting a file 

The following workbook is used to detect an employee on notice period deleting a file.

stream=documents where sourcename='G-SUITE' and action='DELETED' and employeestatus='Notice Period' | groupby user, file

Case Study

Let’s walk through the footprints of an employee on their notice period carrying out suspicious activities on Drive. Here, signals are generated by the workbooks mentioned in the previous section, which trace the suspicious activities performed by the employee on notice period. Once the alerts/signals are generated, users can create an incident to analyze the case further.

 

 

Users can also view the Artifacts section to get a complete understanding of the entities involved in this case (suspects, targets, signals and compromised units).

 

Footprints

1. An employee at DNIF HYPERCLOUD with the identity edward@dnifdemo-net, on their notice period, has source copied an original file, "Confidential Data ORG", and created their own copy named "Copy of Confidential Data ORG". The first signal is raised here: "Notice Period Employee Source Copying File".

2. The "Copy of Confidential Data ORG" file, with owner edward@dnifdemo-net, was then shared with an external user, heyyou16@gmail.com, who downloaded the file. The second signal is raised here: "Document Downloaded By External User".

3. Later, the source copied file was deleted by edward@dnifdemo-net, which is suspicious. The third signal is raised here: "Notice Period Employee Deleting File".

So, here an employee on their notice period is performing suspicious activities by copying a source file and then sharing it with an external user, who later downloads the file and steals confidential information that belongs to DNIF. This poses a risk to the organisation, as the stolen data can be misused later.

This is how you can analyse and detect suspicious activities using DNIF HYPERCLOUD
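The enrichment step, the three workbook conditions and the copy, download, delete sequence from the footprints can be reproduced outside the platform as follows; this is an added example, not DNIF code, and it goes one step beyond the workbooks by correlating their signals per owner and file. The events and employee lookup are constructed, the function names are hypothetical, and the COPIED event is assumed to carry the name of the new copy in File.

```python
# Added example: constructed data; function names are hypothetical, not DNIF APIs.
ORG_DOMAIN = "dnifdemo-net"  # organization marker used in the second workbook

# Constructed stand-in for the employee EventStore, keyed by user ID.
EMPLOYEES = {
    "edward@dnifdemo-net": {"EmployeeStatus": "Notice Period"},
    "alice@dnifdemo-net": {"EmployeeStatus": "Active"},
}
# Constructed parsed events in time order, using the DDM field names from the table.
# Assumption: a COPIED event carries the name of the new copy in File.
EVENTS = [
    {"User": "alice@dnifdemo-net", "Action": "COPIED", "File": "Q3 Plan", "Owner": "alice@dnifdemo-net"},
    {"User": "edward@dnifdemo-net", "Action": "COPIED", "File": "Copy of Confidential Data ORG", "Owner": "edward@dnifdemo-net"},
    {"User": "heyyou16@gmail.com", "Action": "DOWNLOADED", "File": "Copy of Confidential Data ORG", "Owner": "edward@dnifdemo-net"},
    {"User": "edward@dnifdemo-net", "Action": "DELETED", "File": "Copy of Confidential Data ORG", "Owner": "edward@dnifdemo-net"},
]

COPY = "Notice Period Employee Source Copying File"
DOWNLOAD = "Document Downloaded By External User"
DELETE = "Notice Period Employee Deleting File"
CHAIN = [COPY, DOWNLOAD, DELETE]

def enrich(event):
    """Add EmployeeStatus from the lookup; users absent from it get None."""
    status = EMPLOYEES.get(event["User"], {}).get("EmployeeStatus")
    return {**event, "EmployeeStatus": status}

def signals(events):
    """Apply the three workbook conditions; return (signal, subject, file) tuples."""
    out = []
    for ev in map(enrich, events):
        on_notice = ev["EmployeeStatus"] == "Notice Period"
        # Suffix match on the domain: stricter than the workbook's '%dnifdemo-net%' substring match.
        internal = ev["User"].endswith("@" + ORG_DOMAIN)
        if ev["Action"] == "COPIED" and on_notice:
            out.append((COPY, ev["User"], ev["File"]))
        elif ev["Action"] == "DOWNLOADED" and not internal:
            out.append((DOWNLOAD, ev["Owner"], ev["File"]))  # subject is the file owner
        elif ev["Action"] == "DELETED" and on_notice:
            out.append((DELETE, ev["User"], ev["File"]))
    return out

def exfil_chains(sigs):
    """Return (subject, file) pairs that raised copy, external download, delete in that order."""
    progress = {}
    for name, subject, file in sigs:
        step = progress.get((subject, file), 0)
        if step < len(CHAIN) and name == CHAIN[step]:
            progress[(subject, file)] = step + 1
    return sorted(k for k, n in progress.items() if n == len(CHAIN))

if __name__ == "__main__":
    print(exfil_chains(signals(EVENTS)))
```

Keying the chain on the file owner lets the external download, whose actor is outside the employee lookup, be tied back to the notice-period employee.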

Summary

In this blog we explored how simple it is to integrate and analyze Google Drive logs via our pre-built G-Suite connector and use cases. Stay tuned to explore how we can integrate other applications/services included within Google Workspace.

Schedule a demo with us to learn more about how DNIF HYPERCLOUD can help your organization.

Rachina Poojari

Security Consultant @DNIF "The more you know, the more you know you don't know." - Aristotle