Skip to main content

G Suite Auditor

This Integration is part of the GsuiteAuditor Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

G Suite Auditor is an integration that receives audit logs from G Suite's different applications - admin, drive, calendar, and more.

###For more information about the integration arguments:

##Google's lag time information This integration relies on Google's audit logs which are prone to some data delays. Some results may be partial if data had not arrived due to lag times. The lag time changes depending on the used audit log (from near real-time up to 3 days). For more information - https://support.google.com/a/answer/7061566?hl=en

Configure G Suite Auditor on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for G Suite Auditor.

  3. Click Add instance to create and configure a new integration instance.

    ParameterRequired
    Admin emailTrue
    User's Service Account JSONTrue
    Use system proxy settingsFalse
    Trust any certificate (not secure)False
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

gsuite-activity-search#


Retrieves a list of activities for a specific customer's account and application.

Base Command#

gsuite-activity-search

Input#

Argument NameDescriptionRequired
user_keyProfile ID or the user email for which the data should be filtered. Can be 'all' for all information, or 'userKey' for a user's unique Google Workspace profile ID or their primary email address.Optional
application_nameApplication name for which the events are to be retrieved. Possible values are: access_transparency, admin, calendar, chat, drive, gcp, gplus, groups, groups_enterprise, jamboard, login, meet, mobile, rules, saml, token, user_accounts, context_aware_access, chrome, data_studio, keep.Required
event_nameThe name of the event being queried. For a list of event names for each application, see the integration documentation.Optional
filtersA comma-separated list of event parameters and relational operators. For example-
'API_CLIENT_NAME==111,API_SCOPES=aaa'.
The relevant 'event name' argument must be supplied to use this argument.
Optional
org_unit_idID of the organizational unit to report on. Activity records will be shown only for users who belong to the specified organizational unit.Optional
group_idComma-separated group IDs on which user activities are filtered.
The response will contain activities for only those users who are a part of
at least one of the group IDs mentioned here. For example: "id:abc123,id:xyz456".
To retrieve a group ID, use the 'gsuite-get-group' command in the 'G Suite Admin' pack.
Optional
actor_ip_addressIP address of the host where the event was performed.Optional
start_timeThe beginning of the time range shown in the report. For example - 2010-10-28T10:26:35.000Z.Optional
end_timeThe end of the time range shown in the report. For example - 2010-10-28T10:26:35.000Z.Optional
max_resultsMaximum number of results to return. Default is 50.Optional
page_tokenThe token to specify the next page.Optional
admin_emailEmail address of the G Suite domain admin. The request is preformed based on this user's permissions.Optional

Context Output#

PathTypeDescription
GSuite.ActivitySearch.items.id.timeDateTime the activity occurred.
GSuite.ActivitySearch.items.id.uniqueQualifierStringUnique qualifier if multiple events have the same time.
GSuite.ActivitySearch.items.id.applicationNameStringApplication name to which the event belongs.
GSuite.ActivitySearch.items.id.customerIdStringThe unique identifier for a Google Workspace account.
GSuite.ActivitySearch.items.actor.callerTypeStringThe type of actor.
GSuite.ActivitySearch.items.actor.keyStringCan be the consumer_key of the requestor for OAuth 2LO API requests or an identifier for robot accounts.
GSuite.ActivitySearch.items.events.typeStringType of event.
GSuite.ActivitySearch.items.events.nameStringName of the event.
GSuite.ActivitySearch.items.events.parameters.nameStringThe name of the parameter.
GSuite.ActivitySearch.items.events.parameters.valueStringString value of the parameter.
GSuite.ActivitySearch.items.actor.emailStringThe primary email address of the actor.
GSuite.ActivitySearch.items.actor.profileIdStringThe unique Google Workspace profile ID of the actor.
GSuite.ActivitySearch.items.ipAddressStringIP address of the user performing the action.
GSuite.ActivitySearch.items.events.parameters.boolValueBooleanBoolean value of the parameter.
GSuite.ActivitySearch.items.events.parameters.multiValueStringString values of the parameter.
GSuite.PageToken.ActivitySearch.nextPageTokenStringToken to specify the next page in the list.

Command Example#

!gsuite-activity-search application_name=admin max_results=2

Context Example#

{
"GSuite": {
"ActivitySearch": [
{
"actor": {
"callerType": "KEY",
"key": "SYSTEM"
},
"events": [
{
"name": "USER_LICENSE_REVOKE",
"parameters": [
{
"name": "USER_EMAIL",
"value": "user@email.com"
},
{
"name": "PRODUCT_NAME",
"value": "Google Workspace"
},
{
"name": "OLD_VALUE",
"value": "G Suite Business"
}
],
"type": "LICENSES_SETTINGS"
}
],
"id": {
"applicationName": "admin",
"customerId": "11111",
"time": "2021-07-27T02:47:20.894Z",
"uniqueQualifier": "-7168880636905757919"
}
},
{
"actor": {
"callerType": "USER",
"email": "admin@email.com",
"profileId": "103020731686044834269"
},
"events": [
{
"name": "DELETE_USER",
"parameters": [
{
"name": "USER_EMAIL",
"value": "user@email.com"
}
],
"type": "USER_SETTINGS"
}
],
"id": {
"applicationName": "admin",
"customerId": "1111",
"time": "2021-07-27T01:47:40.585Z",
"uniqueQualifier": "-4797090398870165525"
},
"ipAddress": " "
}
],
"PageToken": {
"ActivitySearch": {
"nextPageToken": "A:1627350460585000:-4797090398870165525:207535951991:C02f0zfqw"
}
}
}
}

Human Readable Output#

Next Page Token: A:1627350460585000:-4797090398870165525:207535951991:C02f0zfqw#

Total Retrieved Activities: 2#

TimeApplication NameEmailProfileIdIpAddressEvents
2021-07-27T02:47:20.894Zadmin{'type': 'LICENSES_SETTINGS', 'name': 'USER_LICENSE_REVOKE', 'parameters': [{'name': 'USER_EMAIL', 'value': 'user@email.com'}, {'name': 'PRODUCT_NAME', 'value': 'Google Workspace'}, {'name': 'OLD_VALUE', 'value': 'G Suite Business'}]}
2021-07-27T01:47:40.585Zadminadmin@email.com103020731686044834269-{'type': 'USER_SETTINGS', 'name': 'DELETE_USER', 'parameters': [{'name': 'USER_EMAIL', 'value': 'user@email.com'}]}