If you're having trouble at any stage please contact us at support@skyformation.com.
Preface
Google G-Suite provides a broad set of office applications as document management, web mail, presentation creation and more. Google G-Suite services are delivered as a cloud service. Google G-Suite helps organizations move faster with infinite scalability and lower cost for their office applications needs. But at the same time, the public cloud Software as a Service (SaaS) model presents the organization with new security challenges.
The main challenges and needs are to:
- Get and retain full audit of activities in Google G-Suite account
- Retrieve the Google G-Suite account activities as users’ access, permissions changes, files are uploaded and shared, security changes and more.
- The granular activities should be available at the organization’s central log or event management system for compliance, investigation or forensic needs.
- Detect security threats and policy violations in Google G-Suite account
What is it
SkyFormation Cloud Connector for Google G-Suite, is part of the SkyFormation Cloud Connectors module. It continuously ingests audit events from multiple audit sources in the Google G-Suite account, unify the events into a common application events format, enrich the events with needed detection context and send the events to any existing SIEM/SOC system.
How it works
SkyFormation Cloud Connector for Google G-Suite retrieves the events from the Google G-Suite service through the service APIs. Before sending the events to the existing SIEM/SOC system the connector will
- Unify the events into the SkyFormation unified application events format
- Embed the origin event into the SkyFormation event
- Complement the event with missing information
- Enrich the event with detection context as AD identity information
- Encode the resulted event into a standard format as CEF
- Send the event to the existing SIEM/SOC system over syslog
Google G-Suite Audit Sources & Events Supported
| API (aka end-point) |
API Availability (per app license) | Service/Module Covered | Event Types | Events included |
|---|---|---|---|---|
| Login Activity | G Suite Basic, Business, Enterprise, Education and Government accounts | Access | login, logout | Represents login related events as login success, login failure, logout etc |
| Admin Activity | G Suite Basic, Business, Enterprise, Education and Government accounts | Application Settings | APPLICATION_SETTINGS | Represents changes in the application settings in the admin console |
| Google Calendar Settings | CALENDAR_SETTINGS | Represents changes in the calendar settings in the admin console | ||
| Google Chat | CAHT_SETTINGS | Represents changes in the chat settings in the admin console | ||
| Chrome OS | CHROME_OS_SETTINGS | Represents changes in the chrome OS settings in the admin console | ||
| Google Contacts | CONTACTS_SETTINGS | Represents changes in the contacts settings in the admin console | ||
| Delegated Admin | DELEGATED_ADMIN_SETTINGS | Represents changes in the delegated admin settings in the admin console | ||
| Google Docs | DOCS_SETTINGS | Represents changes in the google docs settings in the admin console | ||
| Domain | DOMAIN_SETTINGS | Represents changes in the domain settings in the admin console | ||
| Gmail | EMAIL_SETTINGS | Represents changes in the gmail settings in the admin console | ||
| Google Groups | GROUP_SETTINGS | Represents changes in the groups settings in the admin console | ||
| Licenses | LICENSES_SETTINGS | Represents changes in the licenses settings in the admin console | ||
| Mobile Devices | MOBILE_SETTINGS | Represents changes in the mobile settings in the admin console | ||
| Organization | ORG_SETTINGS | Represents changes in the organization settings in the admin console | ||
| Security | SECURITY_SETTINGS | Represents changes in the security settings in the admin console | ||
| Google Sites | SITES_SETTINGS | Represents changes in the sites settings in the admin console | ||
| System | SYSTEM_SETTINGS | Represents changes in the system settings in the admin console | ||
| User | USER_SETTINGS | Represents changes in the user settings in the admin console | ||
| Drive Activity |
G Suite Business, Enterprise, Education and Government accounts |
File/Folder Access | create/edit, upload/download, view/preview,print, rename, move,delete/trash etc | Represents activities related to files and folders as create, delete, upload etc |
| File/Folder ACL | acl_change_event | Represents changes to the file/folder permissions as sharing a file with the public |
Comments
0 comments
Please sign in to leave a comment.