Google Workspace (formerly G Suite) Audit
- What is Discovered and Monitored
- Event Types
- Reports
- Configuration
- Sample Events for Google Workspace Audit
What is Discovered and Monitored
Protocol | Logs Collected | Used For |
---|---|---|
Google Apps Admin SDK | Configuration Change, Account Create/Delete/Modify, Account Group Create/Delete/Modify, Document Create/Delete/Modify/Download, Document Permission Change, Logon Success, Logon Failure, Device compromise | Security Monitoring |
Event Types
In ADMIN > Device Support > Event Types, search for "Google_Apps" in the Search field to see the event types associated with this device.
Reports
There are many reports defined in RESOURCES > Reports > Device > Application > Document Mgmt. Search for "Google Apps" in the main content panel Search... field.
Configuration
- Create a Google Workspace Credential in Google API Console
- Define Google Workspace Credential in FortiSIEM
- Create IP Range to Credential Association and Test Connectivity
Create a Google Workspace Credential in Google API Console
1. Log on to the Google API Console (https://console.developers.google.com).
2. Open the Select a project window and click NEW PROJECT.
3. In the New Project window:
   a. Project Name - enter a name.
   b. Click Create.
4. Open the Select a project window and select the project you created in Step 2.
5. Under Dashboard, click Enable API And Services to find the Admin SDK.
6. Select Admin SDK and click Enable to activate the Admin SDK for this project.
7. Create a Service Account for this project:
   a. Under Credentials, click Create Credentials > Service Account.
   b. Enter the service account name.
   c. Click Create.
   d. Choose Role as Project > Viewer.
   e. Click Continue > Done.
8. Create a key for the Service Account:
   a. Go to Navigation Menu > IAM & Admin > Service Accounts.
   b. In the Service Account table, choose the service account you created in Step 7.
   c. Click Actions > Create Key.
   d. Choose Key type as JSON.
   e. Click Create.
   f. A JSON file containing the Service Account credentials is downloaded to your computer.
9. Enable Google Workspace Domain-wide delegation:
   a. Go to Navigation Menu > IAM & Admin > Service Accounts.
   b. In the Service Account table, choose the service account you created in Step 7.
   c. Click Actions > Edit > SHOW DOMAIN-WIDE DELEGATION.
   d. Check Enable G Suite Domain-wide Delegation.
   e. Enter FortiSIEM in the Product name for the consent screen.
   f. Click Save.
10. View the Client ID:
   a. Go to Navigation Menu > IAM & Admin > Service Accounts.
   b. In the Service Account table, choose the service account you created in Step 7.
   c. Click Actions > Edit > SHOW DOMAIN-WIDE DELEGATION.
   d. The Client ID is displayed here.
11. Delegate domain-wide authority to the service account created in Step 7:
   a. Go to your Google Workspace domain's Admin console (https://admin.google.com).
   b. Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.
   c. Select Advanced settings from the list of options.
   d. Click Manage domain wide delegation in the Domain wide delegation section.
   e. Click Add new.
   f. In the Client ID field, enter the service account's Client ID you obtained in Step 10d.
   g. In the OAuth scopes (comma-delimited) field, enter the following scope that FortiSIEM should be granted access to:
      https://www.googleapis.com/auth/admin.reports.audit.readonly
   h. Click Authorize.
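Before uploading the key file from Step 8f, and after granting the scope in Step 11, it helps to confirm that the file is well formed and belongs to the service account you actually delegated. The following Python is an added example, not Fortinet's or Google's code: check_service_account_key validates the key contents offline, and fetch_login_events shows the delegated Reports API call that the admin.reports.audit.readonly scope permits, using the google-auth and google-api-python-client libraries. The sample key contents, the admin e-mail, the key path and the function names are assumptions, as is the premise that the key's client_id field equals the Client ID shown in Step 10d.

```python
"""Added example, not Fortinet's or Google's code: sanity-check the JSON key
downloaded in step 8 before uploading it to FortiSIEM, and show the delegated
Reports API call that the scope authorized in step 11 permits."""
import json
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# The one scope the page says to authorize for the service account's Client ID.
REPORTS_SCOPE = "https://www.googleapis.com/auth/admin.reports.audit.readonly"

# Fields a usable service-account key always carries.
REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key", "client_email", "client_id")

# Constructed placeholder key for the offline check; every value is made up.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "fortisiem-reader@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def check_service_account_key(key_json: str, delegated_client_id: Optional[str] = None) -> List[str]:
    """Return the problems found in a service-account key file's contents.

    An empty list means the key is structurally usable. delegated_client_id is
    the Client ID entered in the Admin console (step 11f); it is assumed here
    to equal the key's own client_id field, so a mismatch points at a key from
    a different service account than the one you delegated.
    """
    problems: List[str] = []
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    for field in REQUIRED_KEY_FIELDS:
        if not key.get(field):
            problems.append(f"missing field: {field}")
    if key.get("type") != "service_account":
        problems.append(f"unexpected key type: {key.get('type')!r}")
    private_key = key.get("private_key", "")
    if private_key and not private_key.startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM-encoded private key")
    if delegated_client_id and key.get("client_id") != delegated_client_id:
        problems.append("client_id does not match the ID delegated in the Admin console")
    return problems


def fetch_login_events(key_path: str, admin_email: str, hours: int = 24) -> list:
    """Read login audit activity as admin_email via domain-wide delegation.

    Needs google-auth and google-api-python-client (imported lazily so the
    offline check above works without them) and network access.
    """
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_file(
        key_path, scopes=[REPORTS_SCOPE]
    ).with_subject(admin_email)  # act as the Workspace admin, which step 11 allows
    service = build("admin", "reports_v1", credentials=creds)
    start = datetime.now(timezone.utc) - timedelta(hours=hours)
    start_rfc3339 = start.isoformat(timespec="seconds").replace("+00:00", "Z")
    response = service.activities().list(
        userKey="all", applicationName="login", startTime=start_rfc3339
    ).execute()
    return response.get("items", [])


if __name__ == "__main__":
    print(check_service_account_key(SAMPLE_KEY_JSON) or "key looks usable")
```

The only scope requested is the read-only audit scope from Step 11g; if the delegation grant in the Admin console lists a different or broader scope, the token exchange in fetch_login_events fails with an unauthorized_client error rather than silently working, which is the behaviour you want from a collector credential.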
Define Google Workspace Credential in FortiSIEM
Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.
- Go to the ADMIN > Setup > Credentials tab.
- In Step 1: Enter Credentials, click New to create a new credential.
- Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential. Enter these settings in the Access Method Definition dialog box and click Save:

Settings | Description |
---|---|
Name | Enter a name for the credential |
Device Type | Google Google Apps |
Access Protocol | Google Apps Admin SDK |
Account Name | Enter the User Name (this is the account name used to log in to the Admin console) |
Service Account Key | Upload the JSON credential file (see Step 8f in Create a Google Workspace Credential in Google API Console). |
Organization | The organization the device belongs to. |
Description | Description of the device. |
Create IP Range to Credential Association and Test Connectivity
From the FortiSIEM Supervisor node, take the following steps (In ADMIN > Setup > Credentials).
- In Step 2: Enter IP Range to Credential Associations, click New to create a mapping.
- Enter "google.com" in the IP/Host Name field.
- Select the name of the credential created in Define Google Workspace Credential in FortiSIEM from the Credentials drop-down list.
- Click Save.
- Select the entry just created, click the Test drop-down list, and select Test Connectivity without Ping. A pop-up will appear showing the Test Connectivity results.
- Go to ADMIN > Setup > Pull Events and make sure an entry is created for Google Audit Log Collection.
Sample Events for Google Workspace Audit
Logon Success
<134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_success]:[eventSeverity]=PHL_INFO,[actor.profileId]=117858279951236905887,[id.time]=2016-09-09T06:53:58.000Z,[id.applicationName]=login,[kind]=admin#reports#activity,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=8830301951515521023,[event.parameters.login_type]=google_password,[event.type]=login,[ipAddress]=45.79.100.103,[actor.email]=api1@accelops.net,[event.name]=login_success,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/Nfrg2SFjlC2gR6pJtpP2scVidmc""",Google_Apps_login_login_success,login_success,1,45.79.100.103,
Logon Failure
<134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_failure]:[eventSeverity]=PHL_INFO,[actor.profileId]=117858279951236905887,[id.applicationName]=login,[kind]=admin#reports#activity,[event.parameters.login_type]=google_password,[ipAddress]=45.79.100.103,[event.name]=login_failure,[id.time]=2016-09-19T09:27:51.000Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=4795688196368428241,[event.type]=login,[actor.email]=api1@accelops.net,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/v5zsUPNoEdXLLK79zQpBcuxNbQU"",[event.parameters.login_failure_type]=login_failure_invalid_password",Google_Apps_login_login_failure,login_failure,1,45.79.100.103,
Create User
<134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_CREATE_USER]:[eventSeverity]=PHL_INFO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887,[id.applicationName]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[event.name]=CREATE_USER,[id.time]=2016-09-19T09:22:44.646Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=-8133102622954793216,[event.type]=USER_SETTINGS,[event.parameters.USER_EMAIL]=test-user@accelops.org,[actor.email]=api1@accelops.net,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/R5GJyWG9YHSiGRvo3-8ZBM0ZlL0""",Google_Apps_USER_SETTINGS_CREATE_USER,CREATE_USER,1,45.79.100.103,
Delete User
<134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_DELETE_USER]:[eventSeverity]=PHL_INFO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887,[id.applicationName]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[event.name]=DELETE_USER,[id.time]=2016-09-19T09:22:28.582Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=-4630441819990099585,[event.type]=USER_SETTINGS,[event.parameters.USER_EMAIL]=test-user@accelops.org,[actor.email]=api1@accelops.net,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/08MaodxPU6Zv7s6vJtuUQW9ugx0""",Google_Apps_USER_SETTINGS_DELETE_USER,DELETE_USER,1,45.79.100.103,
Move User Settings
<134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_MOVE_USER_TO_ORG_UNIT]:[eventSeverity]=PHL_INFO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887,[event.parameters.ORG_UNIT_NAME]=/test,[id.applicationName]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[event.name]=MOVE_USER_TO_ORG_UNIT,[id.time]=2016-09-19T09:24:25.285Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=-6704816947489240452,[event.type]=USER_SETTINGS,[event.parameters.USER_EMAIL]=test-user@accelops.org,[actor.email]=api1@accelops.net,[event.parameters.NEW_VALUE]=/,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/r1v9DiPZbL06fXFFjJlrWf2s3qI""",Google_Apps_USER_SETTINGS_MOVE_USER_TO_ORG_UNIT,MOVE_USER_TO_ORG_UNIT,1,45.79.100.103,,
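The sample events above share one shape: a syslog header, the FortiSIEM event type in brackets, then a comma-separated list of [dotted.attribute]=value pairs. As an added example that is not FortiSIEM's own parser, the Python below parses lines of that shape, splits the syslog PRI into facility and severity, and runs two small checks that correspond to the Logon Failure and Account Create/Delete/Modify rows of the table at the top of the page. The sample lines are the page's own Logon Success, Logon Failure and Create User events joined into single lines; the function names and the threshold are my own.

```python
"""Added example (not FortiSIEM's own parser): parse the Google_Apps sample
events from this page and run two simple checks over them."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Syslog header plus FortiSIEM event-type tag, e.g.
# "<134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_success]:..."
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>\w+): \[(?P<event_type>[^\]]+)\]:\s*(?P<body>.*)$"
)
# Each attribute in the body is written as [dotted.name]=value, comma separated.
KV_RE = re.compile(r"\[([\w.]+)\]=([^,]*)")

# The page's own sample events (Logon Success, Logon Failure, Create User),
# re-joined into single lines; the doubled quotes around etag are as exported.
SAMPLE_EVENTS = [
    '<134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_success]:[eventSeverity]=PHL_INFO,[actor.profileId]=117858279951236905887,[id.time]=2016-09-09T06:53:58.000Z,[id.applicationName]=login,[kind]=admin#reports#activity,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=8830301951515521023,[event.parameters.login_type]=google_password,[event.type]=login,[ipAddress]=45.79.100.103,[actor.email]=api1@accelops.net,[event.name]=login_success,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/Nfrg2SFjlC2gR6pJtpP2scVidmc""",Google_Apps_login_login_success,login_success,1,45.79.100.103,',
    '<134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_failure]:[eventSeverity]=PHL_INFO,[actor.profileId]=117858279951236905887,[id.applicationName]=login,[kind]=admin#reports#activity,[event.parameters.login_type]=google_password,[ipAddress]=45.79.100.103,[event.name]=login_failure,[id.time]=2016-09-19T09:27:51.000Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=4795688196368428241,[event.type]=login,[actor.email]=api1@accelops.net,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/v5zsUPNoEdXLLK79zQpBcuxNbQU"",[event.parameters.login_failure_type]=login_failure_invalid_password",Google_Apps_login_login_failure,login_failure,1,45.79.100.103,',
    '<134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_CREATE_USER]:[eventSeverity]=PHL_INFO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887,[id.applicationName]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[event.name]=CREATE_USER,[id.time]=2016-09-19T09:22:44.646Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=-8133102622954793216,[event.type]=USER_SETTINGS,[event.parameters.USER_EMAIL]=test-user@accelops.org,[actor.email]=api1@accelops.net,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/R5GJyWG9YHSiGRvo3-8ZBM0ZlL0""",Google_Apps_USER_SETTINGS_CREATE_USER,CREATE_USER,1,45.79.100.103,',
]


def parse_event(line: str) -> dict:
    """Split one FortiSIEM Google_Apps line into header fields and attributes."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a FortiSIEM Google_Apps event: {line[:60]!r}")
    pri = int(m.group("pri"))  # syslog PRI = facility * 8 + severity
    # Strip the export's surrounding quote characters from values such as etag.
    attrs = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
    return {
        "event_type": m.group("event_type"),
        "reporter": m.group("host"),
        "syslog_facility": pri // 8,
        "syslog_severity": pri % 8,
        "attrs": attrs,
    }


def failed_logins(events: List[dict], threshold: int = 1) -> Dict[Tuple[str, str], int]:
    """Count login_failure events per (actor, source IP); return pairs at/above threshold."""
    counts: Counter = Counter()
    for ev in events:
        a = ev["attrs"]
        if a.get("event.name") == "login_failure":
            counts[(a.get("actor.email"), a.get("ipAddress"))] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


def admin_user_changes(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (action, acting admin, affected user) for USER_SETTINGS events."""
    changes = []
    for ev in events:
        a = ev["attrs"]
        if a.get("event.type") == "USER_SETTINGS":
            changes.append((a.get("event.name"), a.get("actor.email"),
                            a.get("event.parameters.USER_EMAIL")))
    return changes


if __name__ == "__main__":
    parsed = [parse_event(line) for line in SAMPLE_EVENTS]
    for ev in parsed:
        print(ev["event_type"], ev["attrs"].get("actor.email"), ev["attrs"].get("ipAddress"))
    print("failed logins:", failed_logins(parsed))
    print("user changes:", admin_user_changes(parsed))
```

PRI 134 decodes to facility 16 (local0) and severity 6 (informational), which matches the PHL_INFO severity FortiSIEM assigns to all three samples; the parser deliberately keeps the attribute names as FortiSIEM emits them (actor.email, ipAddress, event.parameters.USER_EMAIL) so the checks line up with the fields you would group on in a report.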