If you're having trouble at any stage please contact us at firstname.lastname@example.org.
Google G-Suite provides a broad set of office applications such as document management, web mail, presentation creation and more. Google G-Suite services are delivered as a cloud service. Google G-Suite helps organizations move faster, with infinite scalability and lower cost for their office application needs. At the same time, the public cloud Software as a Service (SaaS) model presents the organization with new security challenges.
The main challenges and needs are to:
- Get and retain a full audit of activities in the Google G-Suite account
  - Retrieve the Google G-Suite account activities, such as user access, permission changes, file uploads and sharing, security changes and more.
  - The granular activities should be available in the organization’s central log or event management system for compliance, investigation or forensic needs.
- Detect security threats and policy violations in the Google G-Suite account
What is it
SkyFormation Cloud Connector for Google G-Suite is part of the SkyFormation Cloud Connectors module. It continuously ingests audit events from multiple audit sources in the Google G-Suite account, unifies the events into a common application events format, enriches the events with the needed detection context and sends the events to any existing SIEM/SOC system.
How it works
SkyFormation Cloud Connector for Google G-Suite retrieves the events from the Google G-Suite service through the service APIs. Before sending the events to the existing SIEM/SOC system, the connector will:
- Unify the events into the SkyFormation unified application events format
- Embed the origin event into the SkyFormation event
- Complement the event with missing information
- Enrich the event with detection context such as AD identity information
- Encode the resulting event into a standard format such as CEF
- Send the event to the existing SIEM/SOC system over syslog
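The steps above can be sketched as follows. This is an added example, not SkyFormation's code or its unified event format: the sample record is constructed in the shape of a Google Admin SDK Reports API activity, and the device vendor/product names, the severity mapping, the extension-field mapping and the `DIRECTORY` lookup are assumptions. It shows the CEF escaping rules that matter when the origin event is embedded in the extension.

```python
import json
from datetime import datetime, timezone

# Constructed sample, shaped like an Admin SDK Reports API activity record.
SAMPLE_ACTIVITY = {
    "id": {"time": "2019-03-01T10:15:30.000Z", "applicationName": "login"},
    "actor": {"email": "alice@example.com"},
    "ipAddress": "203.0.113.7",
    "events": [{"type": "login", "name": "login_failure"}],
}
# Hypothetical stand-in for the AD identity lookup used for enrichment.
DIRECTORY = {"alice@example.com": {"department": "Finance|EMEA"}}

def esc_header(value):
    """CEF header fields: escape backslash and pipe."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def esc_ext(value):
    """CEF extension values: escape backslash, equals sign and line breaks."""
    text = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return text.replace("\r", "\\r").replace("\n", "\\n")

def epoch_ms(iso_time):
    """Convert the API's UTC timestamp to epoch milliseconds for CEF's rt."""
    parsed = datetime.strptime(iso_time, "%Y-%m-%dT%H:%M:%S.%fZ")
    return int(parsed.replace(tzinfo=timezone.utc).timestamp() * 1000)

def to_cef(activity, directory):
    """Return one CEF line per event in the activity record."""
    actor = activity.get("actor", {}).get("email", "unknown")
    dept = directory.get(actor, {}).get("department", "")
    app = activity["id"]["applicationName"]
    lines = []
    for event in activity.get("events", []):
        severity = 6 if event["name"] == "login_failure" else 3  # assumed mapping
        header = "|".join(esc_header(f) for f in (
            "ExampleVendor", "GSuiteConnector", "1.0",  # placeholder device fields
            f"{app}:{event['name']}", event["name"], severity))
        ext = {
            "rt": epoch_ms(activity["id"]["time"]),
            "suser": actor,
            "src": activity.get("ipAddress", ""),
            "cs1Label": "department" if dept else "",
            "cs1": dept,
            "cs2Label": "originEvent",  # origin event embedded as compact JSON
            "cs2": json.dumps(activity, sort_keys=True, separators=(",", ":")),
        }
        body = " ".join(f"{k}={esc_ext(v)}" for k, v in ext.items() if v != "")
        lines.append(f"CEF:0|{header}|{body}")
    return lines
```

Each returned line is ready to be used as the message part of a syslog record; the pipe in the enriched department value stays unescaped because it sits in the extension, not the header.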
Google G-Suite Audit Sources & Events Supported
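| API | Availability (per app license) | Service/Module Covered | Event Types | Events included |
|---|---|---|---|---|
| Login Activity | G Suite Basic, Business, Enterprise, Education and Government accounts | Access | login, logout | Represents login-related events such as login success, login failure, logout etc. |
| Admin Activity | G Suite Basic, Business, Enterprise, Education and Government accounts | Application Settings | APPLICATION_SETTINGS | Represents changes in the application settings in the admin console |
| Admin Activity | G Suite Basic, Business, Enterprise, Education and Government accounts | Google Calendar Settings | CALENDAR_SETTINGS | Represents changes in the calendar settings in the admin console |
| Admin Activity | G Suite Basic, Business, Enterprise, Education and Government accounts | Google Chat | CHAT_SETTINGS | Represents changes in the chat settings in the admin console |
| Admin Activity | G Suite Basic, Business, Enterprise, Education and Government accounts | Chrome OS | CHROME_OS_SETTINGS | Represents changes in the Chrome OS settings in the admin console |
| Admin Activity | G Suite Basic, Business, Enterprise, Education and Government accounts | Google Contacts | CONTACTS_SETTINGS | Represents changes in the contacts settings in the admin console |
| Admin Activity | G Suite Basic, Business, Enterprise, Education and Government accounts | Delegated Admin | DELEGATED_ADMIN_SETTINGS | Represents changes in the delegated admin settings in the admin console |
| Admin Activity | G Suite Basic, Business, Enterprise, Education and Government accounts | Google Docs | DOCS_SETTINGS | Represents changes in the Google Docs settings in the admin console |
| Admin Activity | G Suite Basic, Business, Enterprise, Education and Government accounts | Domain | DOMAIN_SETTINGS | Represents changes in the domain settings in the admin console |
| Admin Activity | G Suite Basic, Business, Enterprise, Education and Government accounts | Gmail | EMAIL_SETTINGS | Represents changes in the Gmail settings in the admin console |
| Admin Activity | G Suite Basic, Business, Enterprise, Education and Government accounts | Google Groups | GROUP_SETTINGS | Represents changes in the groups settings in the admin console |
| Admin Activity | G Suite Basic, Business, Enterprise, Education and Government accounts | Licenses | LICENSES_SETTINGS | Represents changes in the licenses settings in the admin console |
| Admin Activity | G Suite Basic, Business, Enterprise, Education and Government accounts | Mobile Devices | MOBILE_SETTINGS | Represents changes in the mobile settings in the admin console |
| Admin Activity | G Suite Basic, Business, Enterprise, Education and Government accounts | Organization | ORG_SETTINGS | Represents changes in the organization settings in the admin console |
| Admin Activity | G Suite Basic, Business, Enterprise, Education and Government accounts | Security | SECURITY_SETTINGS | Represents changes in the security settings in the admin console |
| Admin Activity | G Suite Basic, Business, Enterprise, Education and Government accounts | Google Sites | SITES_SETTINGS | Represents changes in the sites settings in the admin console |
| Admin Activity | G Suite Basic, Business, Enterprise, Education and Government accounts | System | SYSTEM_SETTINGS | Represents changes in the system settings in the admin console |
| Admin Activity | G Suite Basic, Business, Enterprise, Education and Government accounts | User | USER_SETTINGS | Represents changes in the user settings in the admin console |
| | G Suite Business, Enterprise, Education and Government accounts | File/Folder Access | create/edit, upload/download, view/preview, print, rename, move, delete/trash etc. | Represents activities related to files and folders such as create, delete, upload etc. |
| | G Suite Business, Enterprise, Education and Government accounts | File/Folder ACL | acl_change_event | Represents changes to the file/folder permissions such as sharing a file with the public |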