If you’re having trouble at any stage, please contact us at support@skyformation.com.
Preface
Google G-Suite provides a broad set of office applications, such as document management,
web mail, presentation creation and more. Google G-Suite services are delivered
as a cloud service. Google G-Suite helps organizations move faster, with elastic
scalability and lower cost for their office application needs. But at the same
time, the public cloud Software as a Service (SaaS) model presents the organization
with new security challenges.
The main challenges and needs are to:
- Get and retain a full audit trail of activities in the Google G-Suite account
- Retrieve the Google G-Suite account activities, such as user access, permission changes, files uploaded and shared, security changes and more
- Make the granular activities available in the organization's central log or event management system for compliance, investigation or forensic needs
- Detect security threats and policy violations in the Google G-Suite account
What is it
SkyFormation Cloud Connector for Google G-Suite is part of the SkyFormation
Cloud Connectors module. It continuously ingests audit events from multiple audit
sources in the Google G-Suite account, unifies the events into a common application
event format, enriches the events with the context needed for detection and sends the events
to any existing SIEM/SOC system.
How it works
SkyFormation Cloud Connector for Google G-Suite retrieves the events from the
Google G-Suite service through the service APIs. Before sending the events to
the existing SIEM/SOC system, the connector will:
- Unify the events into the SkyFormation unified application event format
- Embed the origin event into the SkyFormation event
- Complement the event with missing information
- Enrich the event with detection context, such as AD identity information
- Encode the resulting event in a standard format, such as CEF
- Send the event to the existing SIEM/SOC system over syslog
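The pipeline above, as an added example that is not SkyFormation's code and not taken from this page: one Google Reports API login activity record is unified into a flat event with the raw record embedded, complemented with actor and IP fields pulled up from the record, enriched from a directory lookup standing in for AD, encoded as CEF and framed as an RFC 5424 syslog message. The sample record is constructed in the shape of an Admin SDK Reports API `activities.list` response; the event-name mapping, the vendor/product/version header fields, the choice of CEF extension keys, the directory export and the syslog facility are all assumptions, not the connector's actual configuration.

```python
"""Added example, not SkyFormation's code: run one Google Reports API login
activity through unify -> embed origin -> enrich -> CEF -> syslog frame."""
import json
from datetime import datetime, timezone

# Constructed sample in the shape of an Admin SDK Reports API activities.list
# record for applicationName=login. Every value is made up.
SAMPLE_ACTIVITY = {
    "kind": "admin#reports#activity",
    "id": {"time": "2019-03-04T10:15:30.123Z", "uniqueQualifier": "-123",
           "applicationName": "login", "customerId": "C01abc"},
    "actor": {"email": "alice@example.com", "profileId": "1001"},
    "ipAddress": "203.0.113.7",
    "events": [{"type": "login", "name": "login_failure", "parameters": [
        {"name": "login_type", "value": "google_password"},
        {"name": "login_failure_type", "value": "login_failure_invalid_password"}]}],
}

# Hypothetical directory export standing in for the AD identity lookup.
DIRECTORY = {"alice@example.com": {"sAMAccountName": "alice", "department": "Finance"}}

# Assumed mapping (application, Google event name) -> (unified type, CEF severity 0-10).
# The unified names follow the table on this page; the mapping itself is an assumption.
EVENT_MAP = {("login", "login_success"): ("login-success", 3),
             ("login", "login_failure"): ("login-failed", 5),
             ("login", "logout"): ("logout", 1)}


def _param_value(p):
    """Reports API parameters carry their value under a type-specific key."""
    for key in ("value", "intValue", "boolValue", "multiValue"):
        if key in p:
            return p[key]
    return None


def _epoch_ms(rfc3339):
    """CEF 'rt' wants epoch milliseconds; Reports API times are RFC 3339 in UTC."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            dt = datetime.strptime(rfc3339, fmt).replace(tzinfo=timezone.utc)
            return int(dt.timestamp()) * 1000 + dt.microsecond // 1000
        except ValueError:
            continue
    raise ValueError("unrecognised timestamp: " + rfc3339)


def unify(activity):
    """One unified event per entry in activity['events']; the raw record is embedded."""
    app = activity["id"]["applicationName"]
    out = []
    for ev in activity["events"]:
        event_type, severity = EVENT_MAP.get((app, ev["name"]), ("audit-event", 3))
        out.append({
            "type": event_type, "severity": severity, "time": activity["id"]["time"],
            "user": activity.get("actor", {}).get("email"),  # absent for some system events
            "src_ip": activity.get("ipAddress"), "source": "google-gsuite/" + app,
            "params": {p["name"]: _param_value(p) for p in ev.get("parameters", [])},
            "origin": activity,  # keep the original record for forensics
        })
    return out


def enrich(event, directory=DIRECTORY):
    """Attach directory identity information when the actor is a known user."""
    event["identity"] = directory.get(event.get("user") or "")
    return event


def cef_escape(value, header=False):
    """CEF escaping: backslash and pipe in header fields; backslash, equals sign
    and line breaks in extension values."""
    s = str(value).replace("\\", "\\\\")
    if header:
        return s.replace("|", "\\|")
    return s.replace("=", "\\=").replace("\r", " ").replace("\n", " ")


def to_cef(event):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    header = "|".join(cef_escape(x, header=True) for x in (
        "SkyFormation", "GSuite Connector", "1.0",  # assumed vendor/product/version
        event["type"], event["type"], event["severity"]))
    ext = {"rt": _epoch_ms(event["time"]), "suser": event["user"], "src": event["src_ip"],
           "cs1Label": "source", "cs1": event["source"],
           "cs4Label": "parameters", "cs4": json.dumps(event["params"], sort_keys=True)}
    if event.get("identity"):
        ext.update({"cs2Label": "adAccount", "cs2": event["identity"]["sAMAccountName"],
                    "cs3Label": "department", "cs3": event["identity"]["department"]})
    ext_str = " ".join(f"{k}={cef_escape(v)}" for k, v in ext.items() if v is not None)
    return f"CEF:0|{header}|{ext_str}"


def syslog_frame(msg, severity, ts=None, host="collector", app="skyformation", facility=20):
    """RFC 5424 frame. Facility 20 (local4) is assumed; CEF severity >= 5 maps to
    syslog 'warning' (4), anything lower to 'informational' (6)."""
    pri = facility * 8 + (4 if severity >= 5 else 6)
    ts = ts or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {host} {app} - - - {msg}".encode("utf-8")


if __name__ == "__main__":
    for ev in unify(SAMPLE_ACTIVITY):
        print(syslog_frame(to_cef(enrich(ev)), ev["severity"]).decode())
```

The bytes returned by `syslog_frame` are what would be written to the SIEM's syslog listener (UDP or TCP 514, or TLS where the collector supports it); nothing is sent here. Two points matter for the SIEM side: `rt` is epoch milliseconds, so parsers sort and dedupe correctly, and the escaping in `cef_escape` is what stops a user-controlled value such as a file name containing `|` or `=` from breaking the header or spoofing a second extension field.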
Google G-Suite Audit Sources & Events Supported
Endpoint (API datasource) | API Availability (per app license) | Service Documentation | Event Types |
---|---|---|---|
Reports API - login | G Suite Basic, Business, Enterprise, Education and Government accounts | https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login | login-success, login-failed, logout |
Reports API - admin | G Suite Basic, Business, Enterprise, Education and Government accounts | https://developers.google.com/admin-sdk/reports/v1/reference/activity-ref-appendix-a/admin-event-names | general-settings-updated, ownership-transferred, user-added, user-deleted, user-undeleted, user-updated, user-invited, user-invite-canceled, user-suspended, user-unsuspended, authz-group-created, authz-group-cloned, authz-group-deleted, authz-group-replaced, authz-group-renamed, password-reset, mobile-device-approved, mobile-device-blocked, mobile-device-wiped, mobile-device-deleted, mobile-device-unwiped, mobile-settings-updated, integration-added, integration-deleted, password-policy-updated, authn-settings-updated |
Reports API - calendar | G Suite Basic, Business, Enterprise, Education and Government accounts | https://developers.google.com/admin-sdk/reports/v1/appendix/activity/calendar | audit-event |
Reports API - drive | G Suite Basic, Business, Enterprise, Education and Government accounts | https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | authz-group-assigned, authz-group-unassigned, permissions-updated, resource-acl-updated, resource-created, resource-deleted, resource-viewed, resource-content-updated, resource-renamed, resource-uploaded, resource-downloaded |
Reports API - gplus | G Suite Basic, Business, Enterprise, Education and Government accounts | https://developers.google.com/admin-sdk/reports/v1/appendix/activity/gplus | audit-event |
Reports API - groups | G Suite Basic, Business, Enterprise, Education and Government accounts | https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups | audit-event |
Reports API - mobile | G Suite Basic, Business, Enterprise, Education and Government accounts | https://developers.google.com/admin-sdk/reports/v1/appendix/activity/mobile | audit-event |
Reports API - rules | G Suite Basic, Business, Enterprise, Education and Government accounts | https://developers.google.com/admin-sdk/reports/v1/appendix/activity/rules | audit-event |
Reports API - saml | G Suite Basic, Business, Enterprise, Education and Government accounts | https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml | audit-event |
Reports API - token | G Suite Basic, Business, Enterprise, Education and Government accounts | https://developers.google.com/admin-sdk/reports/v1/appendix/activity/token | api-token-created, api-token-revoked |
Gmail Logs | G Suite Enterprise and G Suite Enterprise for Education | https://support.google.com/a/answer/7233312?hl=en | resource-event |