RSA NetWitness Platform Blog, Author: Mitchell Hanks

G Suite (formerly known as Google Business Suite or Google Apps for Business) is now supported for log collection using the RSA NetWitness Platform. Collection is done through the G Suite Reports API (v1) and is enabled in RSA NetWitness via the plugin framework.

The G Suite Reports API exposes activity reports for several applications (the applicationName parameter of its activities.list method), each with its own set of event types. Below is the list of application report types currently supported by this plugin:

  • access_transparency – The G Suite Access Transparency activity reports return information about different types of Access Transparency activity events.
  • admin – The Admin console application's activity reports return account information about different types of administrator activity events.
  • calendar – The G Suite Calendar application's activity reports return information about various Calendar activity events.
  • drive – The Google Drive application's activity reports return information about various Google Drive activity events. The Drive activity report is only available for G Suite Business customers.
  • groups – The Google Groups application's activity reports return information about various Groups activity events.
  • groups_enterprise – The Enterprise Groups activity reports return information about various Enterprise group activity events.
  • login – The G Suite Login application's activity reports return account information about different types of Login activity events.
  • mobile – The G Suite Mobile Audit activity reports return information about different types of Mobile Audit activity events.
  • rules – The G Suite Rules activity reports return information about different types of Rules activity events.
  • token – The G Suite Token application's activity reports return account information about different types of Token activity events.
  • user_accounts – The G Suite User Accounts application's activity reports return account information about different types of User Accounts activity events.

Suggested Use Cases

G Suite Admin Report:

  1. Top 5 Admin Actions: Depicts the top 5 actions by admin
  2. Admin Activity: Activities performed by admins
  3. App Token Actions: Displays details on app token actions in a pie chart
  4. Users Created and Deleted: Displays users created and deleted as a table chart, including the user's email, the admin action, and the admin's email.
  5. Groups - Users Added or Removed: Displays users added to or removed from groups as a table chart, including the user's email, the admin action, the group's email, and the admin's email.

G Suite Activity Report:

  1. Activity by IP Address: Shows a table of actions by source IP address
  2. Login State Count: A pie chart that depicts the login states by count
  3. Logins from Multiple IPs: Shows users who logged in from more than one IP address on a pie chart
  4. Most Active IPs: Shows a table of the most active IP addresses, ranked by the number of events from each address
  5. Top 10 Apps by Count: Shows the top ten apps by event count on a column graph
  6. Login Failures by User: Shows the login failures by user on a pie chart
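As an added example (not the RSA plugin's code and not part of the original post), the Python below flattens Reports API v1 activities.list responses, following nextPageToken until the last page, into one flat record per event, which is the shape a collector hands to a CEF parser, and then computes two of the Activity Report metrics above ("Login Failures by User" and "Logins from Multiple IPs") over those records. The response structure (items[].id, actor, ipAddress, events[].parameters[]) is that of the Reports API; fetch_page and the sample records are constructed stand-ins for the authenticated HTTPS call and for real data. It goes slightly beyond the login report in that it handles all four typed parameter fields (value, intValue, boolValue, multiValue), so the same flattening works for the other applications listed above.

```python
"""Added example (not the RSA plugin's code): flatten G Suite Reports API v1
activities.list responses into one flat record per event, then compute two of
the Activity Report metrics over those records.

Assumptions: the response shape is that of the Reports API (items[].id /
actor / ipAddress / events[].parameters[]); fetch_page stands in for the
authenticated HTTPS call; the records below are constructed, not real data."""
from collections import Counter, defaultdict

# Constructed sample: two pages of activities.list(applicationName="login").
# The nextPageToken on page one is what drives the pagination loop below.
PAGES = {
    None: {"nextPageToken": "page2", "items": [
        {"id": {"time": "2020-03-01T10:00:00.000Z", "applicationName": "login"},
         "actor": {"email": "alice@example.com"}, "ipAddress": "203.0.113.10",
         "events": [{"type": "login", "name": "login_failure", "parameters": [
             {"name": "login_type", "value": "google_password"},
             {"name": "login_failure_type", "value": "login_failure_invalid_password"}]}]},
        {"id": {"time": "2020-03-01T10:01:00.000Z", "applicationName": "login"},
         "actor": {"email": "alice@example.com"}, "ipAddress": "203.0.113.10",
         "events": [{"type": "login", "name": "login_success", "parameters": [
             {"name": "login_type", "value": "google_password"},
             {"name": "is_suspicious", "boolValue": False}]}]}]},
    "page2": {"items": [
        {"id": {"time": "2020-03-01T11:00:00.000Z", "applicationName": "login"},
         "actor": {"email": "alice@example.com"}, "ipAddress": "198.51.100.7",
         "events": [{"type": "login", "name": "login_success", "parameters": [
             {"name": "login_type", "value": "google_password"}]}]},
        {"id": {"time": "2020-03-01T11:05:00.000Z", "applicationName": "login"},
         "actor": {"email": "bob@example.com"}, "ipAddress": "198.51.100.7",
         "events": [{"type": "login", "name": "login_failure", "parameters": [
             {"name": "login_failure_type", "value": "login_failure_invalid_password"}]}]}]},
}


def fetch_page(page_token=None):
    """Stand-in for the plugin's HTTPS request; returns the constructed page."""
    return PAGES[page_token]


def param_value(p):
    """A Reports API parameter carries exactly one of several typed value fields."""
    for key in ("value", "intValue", "boolValue", "multiValue"):
        if key in p:
            return p[key]
    return None


def flatten_activities(fetch):
    """Follow nextPageToken until exhausted and emit one flat dict per event."""
    events, token = [], None
    while True:
        page = fetch(token)
        for item in page.get("items", []):
            base = {"time": item["id"]["time"],
                    "app": item["id"]["applicationName"],
                    "actor": item.get("actor", {}).get("email"),
                    "ip": item.get("ipAddress")}
            for ev in item.get("events", []):
                flat = dict(base, event_type=ev.get("type"), event_name=ev["name"])
                flat.update({p["name"]: param_value(p) for p in ev.get("parameters", [])})
                events.append(flat)
        token = page.get("nextPageToken")
        if not token:
            return events


def login_failures_by_user(events):
    """'Login Failures by User': count login_failure events per actor."""
    return Counter(e["actor"] for e in events if e["event_name"] == "login_failure")


def users_with_multiple_ips(events):
    """'Logins from Multiple IPs': actors whose successful logins came from >1 IP."""
    ips = defaultdict(set)
    for e in events:
        if e["event_name"] == "login_success" and e["ip"]:
            ips[e["actor"]].add(e["ip"])
    return {user: sorted(addrs) for user, addrs in ips.items() if len(addrs) > 1}


if __name__ == "__main__":
    flat = flatten_activities(fetch_page)
    for record in flat:
        print(record)
    print(login_failures_by_user(flat))
    print(users_with_multiple_ips(flat))
```

The flattening keeps the parameter names as Google reports them (login_failure_type, is_suspicious, and so on), so a downstream parser maps them to meta keys once rather than per application; multiValue parameters stay as lists and should be exploded by the consumer if one meta value per element is wanted.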

Downloads and Documentation

Configuration Guide: Google G Suite 
Collector Package on RSA Live: Google Business Suite Log Collector Configuration
Parser on RSA Live: CEF (device.type='gsuite')

UPDATE: The functionality of the custom Lua parser described below is now available in the standard HTTP_lua parser provided on RSA Live. If you are using that parser in your environment, the custom version attached here (including the app rule) is unnecessary.

Many of you may already be aware of a recent vulnerability known as "Optionsbleed" (CVE-2017-9798). It affects Apache httpd and leaks fragments of the server's process memory in responses to the HTTP OPTIONS request method. A response to OPTIONS is supposed to list only the methods the server accepts for the resource (i.e. GET, POST, PUT, etc.) in its Allow header. On an unpatched server whose configuration triggers the bug (a Limit directive in .htaccess that names an invalid HTTP method), bytes from freed memory are returned in the Allow header alongside the method names.

See the following post for a good write-up on the details of Options Bleed:

Apache “Optionsbleed” vulnerability – what you need to know – Naked Security

Attached you will find a custom Lua parser and an accompanying Application Rule to detect exploitation of this vulnerability. The parser inspects the Allow header the web server returns in response to an OPTIONS request and checks whether it is a valid, comma-separated list of HTTP method names. If it is not (for example, because it contains bytes that cannot appear in a method name), the parser registers the following meta key/value:

analysis.service = 'garbled http options allow string'

In addition, I have provided an application rule which ties the presence of this garbled string to other information about the session (HTTP service on port 80 and an OPTIONS request):

App rule name: 'options bleed exploit'

App rule logic: (analysis.session='garbled http options allow string' && service = 80 && action = 'options')

Alert on: ioc
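What the parser and rule check, written out as an added example in Python rather than in the attached Lua (this is not the parser's code): extract the Allow header from the response to an OPTIONS request, test each comma-separated item against the HTTP method token grammar, register the meta value when an item fails, and then evaluate the app rule's session condition. The session dict, the sample responses and the helper names are constructed for this example. One check worth making before deploying the rule: the post shows the meta key as analysis.service where the parser registers it and analysis.session in the rule logic, and a rule only fires on the key the parser actually writes, so confirm which one the attached parser uses. The example assumes analysis.service.

```python
"""Added example (not the attached Lua parser): the Allow-header check the
parser performs and the app rule's session condition, over constructed
HTTP exchanges.

Assumption: a session is a dict carrying the NetWitness meta names used in
the rule (service, action) plus the raw response bytes; the key the parser
registers is taken to be analysis.service, as listed in the post."""
import re

# RFC 7230 tchar: a valid HTTP method name consists only of these characters.
TCHAR = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Meta value the parser registers when the Allow header is not a clean list.
GARBLED = "garbled http options allow string"


def allow_header(raw_response: bytes):
    """Return the Allow header value from a raw HTTP response, or None."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"allow":
            return value.strip()
    return None


def is_garbled_allow(value: bytes) -> bool:
    """True when any comma-separated item is not a valid method token.

    A healthy server answers e.g. 'GET,POST,OPTIONS,HEAD'. An Optionsbleed
    leak appends freed-memory bytes to that list, so some item will contain
    characters that cannot occur in a method name, or be empty. Leaked bytes
    that happen to be all token characters would pass this check.
    """
    items = [item.strip() for item in value.split(b",")]
    return any(not TCHAR.fullmatch(item.decode("latin-1")) for item in items)


def analyze_session(session: dict) -> dict:
    """Register parser meta for one session, as the Lua parser would."""
    meta = {}
    if session.get("action") == "options":
        value = allow_header(session["response"])
        if value is not None and is_garbled_allow(value):
            meta["analysis.service"] = GARBLED
    return meta


def options_bleed_rule(session: dict, meta: dict) -> bool:
    """The app rule: garbled Allow string && service = 80 && action = 'options'.

    Uses analysis.service, the key the post lists for the parser (assumption;
    the rule text in the post says analysis.session).
    """
    return (meta.get("analysis.service") == GARBLED
            and session.get("service") == 80
            and session.get("action") == "options")


# Constructed sessions: one clean OPTIONS reply, one carrying leaked bytes,
# and the leaky reply seen on a non-standard port (parser fires, rule does not).
CLEAN = {"service": 80, "action": "options", "response":
         b"HTTP/1.1 200 OK\r\nAllow: GET,POST,OPTIONS,HEAD\r\nContent-Length: 0\r\n\r\n"}
LEAKY = {"service": 80, "action": "options", "response":
         b"HTTP/1.1 200 OK\r\nAllow: GET,POST,OPTIONS,HEAD,\x00\x12\x80 Ho\x9fst\r\n\r\n"}
LEAKY_8080 = dict(LEAKY, service=8080)

if __name__ == "__main__":
    for name, s in (("clean", CLEAN), ("leaky", LEAKY), ("leaky_8080", LEAKY_8080)):
        m = analyze_session(s)
        print(name, m, "alert" if options_bleed_rule(s, m) else "no alert")
```

The check keys on characters that cannot appear in a method name, which is why it is cheap and has few false positives on well-formed servers; its blind spot is a leak that consists only of token characters (a readable word from another request, say), so a deployment that can afford it may also compare the list against the methods the server is known to serve. The LEAKY_8080 case shows why the rule's service = 80 clause matters: HTTP on other ports still gets the parser meta, but the rule as written will not alert on it.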

NOTE: This is custom content created by RSA Professional Services. It is not officially supported by the RSA Content Team, so please use at your own risk.

This post will be a series of How-To videos and supporting documents on creating custom content for unsupported log event sources in SA (RSA Security Analytics, now the RSA NetWitness Platform). This will include writing custom File/ODBC typespecs, SNMP transforms, etc. Producing this content is ongoing, so I will update this post with new content as it becomes available. See the attachments to this post for related files.

Video 1: Creating a Custom ODBC or File Typespec for Log Collection

Video 2: Extracting Contents of SNMP Traps from a PCAP
