Mitch Hanks

Google G Suite Integration with the RSA NetWitness Platform

Blog Post created by Mitch Hanks Employee on Jul 26, 2019

G Suite (formerly known as Google Business Suite or Google Apps for Business) is now supported for log collection using the RSA NetWitness Platform.  Collection is achieved via the G Suite Reports API (v1) and is enabled in RSA NetWitness via the plugin framework.

 

 

The G Suite API schema provides several types of events which can be monitored.  Below is the list of event types currently supported by this plugin:

 

  • access_transparency – The G Suite Access Transparency activity reports return information about different types of Access Transparency activity events.
  • admin – The Admin console application's activity reports return account information about different types of administrator activity events.
  • calendar – The G Suite Calendar application's activity reports return information about various Calendar activity events.
  • drive – The Google Drive application's activity reports return information about various Google Drive activity events. The Drive activity report is only available for G Suite Business customers.
  • groups – The Google Groups application's activity reports return information about various Groups activity events.
  • groups_enterprise – The Enterprise Groups activity reports return information about various Enterprise group activity events.
  • login – The G Suite Login application's activity reports return account information about different types of Login activity events.
  • mobile – The G Suite Mobile Audit activity report return information about different types of Mobile Audit activity events.
  • rules – The G Suite Rules activity report return information about different types of Rules activity events.
  • token – The G Suite Token application's activity reports return account information about different types of Token activity events.
  • user_accounts – The G Suite User Accounts application's activity reports return account information about different types of User Accounts activity events.

 

Suggested Use Cases

 

G Suite Admin Report:

 

  1. Top 5 Admin Actions: Depicts the top 5 actions by Admin
  2. Admin activity: Activities performed by admins
  3. App Token Actions: Displays details on app token actions in a pie chart
  4. Users Created and Deleted: Displays users created and deleted as a table chart including details on the user’s email, admin action, and admin email.
  5. Groups - Users Added or Removed: Displays information on Groups, with users added or removed as a table chart including details on the user email, admin action, group email, and admin email.

 

G Suite Activity Report:

 

  1. Activity by IP Address: Shows a table of actions w.r.t IPs
  2. Login State Count: A pie chart that depicts the login states by count
  3. Logins from Multiple IPs: Shows logins from multiple IP addresses by user on a pie chart
  4. Most Active IPs: Shows a table with the most active IP addresses based on the number of events performed by that IP address
  5. Top 10 Apps by Count: Shows the top ten apps by count on a column graph
  6. Login Failures by User: Shows the login failures by user on a pie chart

 

Downloads and Documentation

 

Configuration Guide: Google G Suite 
Collector Package on RSA Live: Google Business Suite Log Collector Configuration
Parser on RSA Live: CEF (device.type='gsuite')

Outcomes