Google Apps Audit
What is Discovered and Monitored
Protocol | Logs Collected | Used For
---|---|---
Google Apps Admin SDK | Configuration Change, Account Create/Delete/Modify, Account Group Create/Delete/Modify, Document Create/Delete/Modify/Download, Document Permission Change, Logon Success, Logon Failure, Device Compromise | Security Monitoring
Event Types
In ADMIN > Device Support > Event, search for "Google_Apps" in the Search column to see the event types associated with this device.
Reports
There are many reports defined in Resource > Reports > Device > Application > Document Mgmt. Search for "Google Apps".
Configuration
- Create a Google App Credential in Google API Console
- Define Google App Credential in FortiSIEM
- Test Connectivity
Create a Google App Credential in Google API Console
1. Log on to the Google API Console (https://console.developers.google.com).
2. Open the Select a project window and click NEW PROJECT.
3. In the New Project window:
   a. Project Name: enter a name.
   b. Click Create.
4. Open the Select a project window and select the project you created in Step 2.
5. Under Dashboard, click Enable API And Services and find the Admin SDK.
6. Select Admin SDK and click Enable to activate the Admin SDK for this project.
7. Create a Service Account for this project:
   a. Under Credentials, click Create Credentials > Service Account.
   b. Enter the service account name.
   c. Click Create.
   d. For Role, choose Project > Viewer.
   e. Click Continue > Done.
8. Create a key for the Service Account:
   a. Go to Navigation Menu > IAM & Admin > Service Accounts.
   b. In the Service Account table, choose the service account you created in Step 7.
   c. Click Actions > Create Key.
   d. Choose JSON as the Key type.
   e. Click Create.
   f. A JSON file containing the Service Account credentials is downloaded to your computer. Keep this file private: anyone who holds it can act as the service account.
9. Enable Google Apps domain-wide delegation:
   a. Go to Navigation Menu > IAM & Admin > Service Accounts.
   b. In the Service Account table, choose the service account you created in Step 7.
   c. Click Actions > Edit > SHOW DOMAIN-WIDE DELEGATION.
   d. Check Enable G Suite Domain-wide Delegation.
   e. Enter FortiSIEM as the Product name for the consent screen.
   f. Click Save.
10. View the Client ID:
   a. Go to Navigation Menu > IAM & Admin > Service Accounts.
   b. In the Service Account table, choose the service account you created in Step 7.
   c. Click Actions > Edit > SHOW DOMAIN-WIDE DELEGATION.
   d. Note the Client ID shown there.
11. Delegate domain-wide authority to the service account created in Step 7:
   a. Go to your Google Apps domain's Admin console (https://admin.google.com).
   b. Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.
   c. Select Advanced settings from the list of options.
   d. Click Manage domain wide delegation in the Domain wide delegation section.
   e. Click Add new.
   f. In the Client ID field, enter the service account's Client ID you obtained in Step 10d.
   g. In the OAuth scopes (comma-delimited) field, enter the following scope, which is the only access FortiSIEM needs; do not grant broader scopes:
      https://www.googleapis.com/auth/admin.reports.audit.readonly
   h. Click Authorize.
Define Google App Credential in FortiSIEM
- Log in to the FortiSIEM Supervisor node.
- Go to Admin > Setup > Credentials.
- In Step 1, click Add to create a new credential.
- For Device Type, select Google Google Apps.
- For Access Protocol, select Google Apps Admin SDK.
- For User Name, enter the account name used to log in to the Admin console.
- For Service Account Key, upload the JSON credential file downloaded in Step 8f of Create a Google App Credential in Google API Console.
- Click Save.
Test Connectivity
- Log in to the FortiSIEM Supervisor node.
- Go to Admin > Setup > Credentials.
- In Step 2, click Add to create a new association.
- For Name/IP/IP Range, enter google.com.
- For Credentials, select the name of the credential created in Define Google App Credential in FortiSIEM.
- Click Save.
- Select the entry just created and click Test Connectivity without Ping. A pop-up shows the Test Connectivity results.
- Go to Admin > Setup > Pull Events and confirm that an entry has been created for Google Audit Log Collection.
Sample Events for Google Apps Audit
Logon Success
<134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_success]:[eventSeverity]=PHL_INFO,[actor.profileId]=117858279951236905887,[id.time]=2016-09-09T06:53:58.000Z,[id.applicationName]=login,[kind]=admin#reports#activity,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=8830301951515521023,[event.parameters.login_type]=google_password,[event.type]=login,[ipAddress]=45.79.100.103,[actor.email]=api1@accelops.net,[event.name]=login_success,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/Nfrg2SFjlC2gR6pJtpP2scVidmc""",Google_Apps_login_login_success,login_success,1,45.79.100.103,
Logon Failure
<134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_failure]:[eventSeverity]=PHL_INFO,[actor.profileId]=117858279951236905887,[id.applicationName]=login,[kind]=admin#reports#activity,[event.parameters.login_type]=google_password,[ipAddress]=45.79.100.103,[event.name]=login_failure,[id.time]=2016-09-19T09:27:51.000Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=4795688196368428241,[event.type]=login,[actor.email]=api1@accelops.net,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/v5zsUPNoEdXLLK79zQpBcuxNbQU"",[event.parameters.login_failure_type]=login_failure_invalid_password",Google_Apps_login_login_failure,login_failure,1,45.79.100.103,
Create User
<134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_CREATE_USER]:[eventSeverity]=PHL_INFO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887,[id.applicationName]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[event.name]=CREATE_USER,[id.time]=2016-09-19T09:22:44.646Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=-8133102622954793216,[event.type]=USER_SETTINGS,[event.parameters.USER_EMAIL]=test-user@accelops.org,[actor.email]=api1@accelops.net,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/R5GJyWG9YHSiGRvo3-8ZBM0ZlL0""",Google_Apps_USER_SETTINGS_CREATE_USER,CREATE_USER,1,45.79.100.103,
Delete User
<134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_DELETE_USER]:[eventSeverity]=PHL_INFO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887,[id.applicationName]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[event.name]=DELETE_USER,[id.time]=2016-09-19T09:22:28.582Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=-4630441819990099585,[event.type]=USER_SETTINGS,[event.parameters.USER_EMAIL]=test-user@accelops.org,[actor.email]=api1@accelops.net,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/08MaodxPU6Zv7s6vJtuUQW9ugx0""",Google_Apps_USER_SETTINGS_DELETE_USER,DELETE_USER,1,45.79.100.103,
Move User to Org Unit
<134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_MOVE_USER_TO_ORG_UNIT]:[eventSeverity]=PHL_INFO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887,[event.parameters.ORG_UNIT_NAME]=/test,[id.applicationName]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[event.name]=MOVE_USER_TO_ORG_UNIT,[id.time]=2016-09-19T09:24:25.285Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=-6704816947489240452,[event.type]=USER_SETTINGS,[event.parameters.USER_EMAIL]=test-user@accelops.org,[actor.email]=api1@accelops.net,[event.parameters.NEW_VALUE]=/,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/r1v9DiPZbL06fXFFjJlrWf2s3qI""",Google_Apps_USER_SETTINGS_MOVE_USER_TO_ORG_UNIT,MOVE_USER_TO_ORG_UNIT,1,45.79.100.103,,
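The sample events above share one layout: a syslog header, the event type in square brackets, then comma-separated [key]=value attributes. As an added example (not FortiSIEM's own code), here is a small Python parser for that layout with two checks a defender would run over the parsed events: a login_success from the same actor and address after repeated login_failure events, and a listing of the USER_SETTINGS account changes. The sample lines are constructed and shortened from the page's own events.

```python
import re
from collections import Counter

HEADER = re.compile(r"^<\d+>\S+ +\d+ \d\d:\d\d:\d\d (\S+) \S+: \[([^\]]+)\]:(.*)$")
FIELD = re.compile(r"^\[([^\]]+)\]=(.*)$", re.S)

# Constructed sample lines in the page's layout, shortened from its own events
# (the e-mail and IP are the page's sample values): two failures, then a success,
# from the same actor and address, followed by one admin CREATE_USER event.
SAMPLE_EVENTS = [
    "<134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_failure]:[eventSeverity]=PHL_INFO,[id.applicationName]=login,[ipAddress]=45.79.100.103,[event.name]=login_failure,[actor.email]=api1@accelops.net,[event.parameters.login_failure_type]=login_failure_invalid_password",
    "<134>Jan 21 19:29:22 google.com java: [Google_Apps_login_login_failure]:[eventSeverity]=PHL_INFO,[id.applicationName]=login,[ipAddress]=45.79.100.103,[event.name]=login_failure,[actor.email]=api1@accelops.net,[event.parameters.login_failure_type]=login_failure_invalid_password",
    "<134>Jan 21 19:29:23 google.com java: [Google_Apps_login_login_success]:[eventSeverity]=PHL_INFO,[id.applicationName]=login,[ipAddress]=45.79.100.103,[event.name]=login_success,[actor.email]=api1@accelops.net",
    "<134>Jan 21 19:29:24 google.com java: [Google_Apps_USER_SETTINGS_CREATE_USER]:[eventSeverity]=PHL_INFO,[actor.callerType]=USER,[id.applicationName]=admin,[ipAddress]=45.79.100.103,[event.name]=CREATE_USER,[event.type]=USER_SETTINGS,[event.parameters.USER_EMAIL]=test-user@accelops.org,[actor.email]=api1@accelops.net",
]

def parse_event(line):
    """Split one line into {'eventType', 'reporter', <attribute>: value, ...}; None if malformed."""
    m = HEADER.match(line)
    if not m:
        return None
    reporter, event_type, body = m.groups()
    fields = {"eventType": event_type, "reporter": reporter}
    # Attributes are "[key]=value" pairs; split only on commas that begin a new "[key]".
    for chunk in re.split(r",(?=\[)", body):
        f = FIELD.match(chunk)
        if f:
            fields[f.group(1)] = f.group(2)
    return fields

def failed_then_succeeded(events, threshold=2):
    """Flag (actor, ip) pairs whose login_success follows at least `threshold` login_failure events."""
    failures, alerts = Counter(), []
    for e in events:
        key = (e.get("actor.email"), e.get("ipAddress"))
        if e.get("event.name") == "login_failure":
            failures[key] += 1
        elif e.get("event.name") == "login_success" and failures[key] >= threshold:
            alerts.append((key, failures[key]))
    return alerts

def admin_user_changes(events):
    """List the USER_SETTINGS account changes (CREATE/DELETE/MOVE) as (action, target, actor)."""
    return [(e["event.name"], e.get("event.parameters.USER_EMAIL"), e.get("actor.email"))
            for e in events if e.get("event.type") == "USER_SETTINGS"]

if __name__ == "__main__":
    parsed = [p for p in map(parse_event, SAMPLE_EVENTS) if p]
    print(failed_then_succeeded(parsed), admin_user_changes(parsed))
```

The etag attribute in the real events carries trailing export columns after its closing quotes; the parser keeps them inside that value rather than relying on it.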