Groups Audit Explained

GAT supports a separate audit for Groups. The purpose of this audit is two-fold: it reports on the ownership, membership and access rights of each group, along with details like aliases and managers, and it can also be used to detect and report new or changed groups. These are important security features.

An admin can easily get an overview of all groups based on their members.


You can click on any individual field and you will be redirected to the tab the result was gathered from. You can search and filter by a range of criteria.

You can manage groups directly from within GAT+: just export, edit and import.

You can also see every detail regarding a group right away. Just select the ‘eye’ icon to display all the details: group details, the list of members and the events related to the group.

An admin can also perform other actions on the group selected, like show members, copy or delete the group.

You can also view the group members and the last event for each member of the group.

The Events tab displays the actions performed on a group: which user acted, on which group, and what event happened.

Last Used displays the most recent actions performed on a group, based on when it was last used in File, Email and Calendar.

How to Save Your GAT Searches for Later Use

One of the nice things about the General Audit Tool is that you can build detailed and complex searches. These searches can then be saved for use as audits, policy checks, or simply to be used again to save time.

In the screenshots below, we will build a search for all documents owned by members of the group ‘sales’; however, we want to exclude the group member called ‘Robert’.

To achieve this, go to the Drive audit, open the Files tab and apply a custom filter.

We set the Type of the search to User / Group / OU Search, select the name of the group and the files owned by its members, then exclude documents where the owner is ‘Robert’, and finally select ‘Apply & Save’.

This saves the search for future reference; we can apply it again later and edit it. We can also export the data into a spreadsheet.

We can also create and schedule a report that can be run on a weekly or daily basis.

How to Enable Screenshots For Users

If you intend to receive screenshot attachments of users’ screens via email when Shield Alert Rules are triggered, then you need to enable screenshots within the G Suite Admin Console.

To enable screenshots:

  1. Using your super admin-level credentials, log into the Google Admin console at admin.google.com.
  2. Click on Device Management.
  3. Click on Chrome Management, under the Device Settings heading on the left side of the screen.
  4. Click on User Settings.
  5. Select an OU containing the users you want to receive screenshots from.
  6. Scroll to the Content heading and enable Screenshot.

How to Restore Deleted Files

Admins, did you know Google now lets you restore deleted files?

This really useful facility is now available under the Admin panel, Manage User Accounts section.

Here are the general rules …

  • You can restore files for one user at a time on each user’s page.
  • You can select a date range to restore files from up to 25 days ago.
  • If a user provides others with access to any Drive item, when you restore that item, the access is not restored. The user can re-enable access as needed.

Unfortunately, the restoration tool is a little broad, allowing you only to select a date range for each user.

GAT can help you locate the files you need, confirm that they existed in the first place (and were not just a share), and greatly narrow the date range you need to look at.

The metadata for deleted files can be found with a simple search in GAT+ (see below).

From the day you installed GAT, it has been tracking not only the files in ‘Trash’ but also all files removed from ‘Trash’. Files removed from trash were, up until now, permanently deleted; however, GAT always kept their metadata records for you to search.

When you click “Show stats for current filter”, the file count is shown as 0. Mind you, the count is only ‘0’ because by default the search is always on ‘Docs not deleted’, which means that in this positive search the ‘files deleted’ count is always zero.

Looking at all files deleted helps you identify who actually owned the missing files, something that is not always apparent to users of Google Drive. Last Updated date helps you identify the date they were deleted.

Conduct Payment Card Industry Data Security Standard (PCI DSS) Compliance Testing

GAT lets G Suite Admins search all Domain-wide email folders and email contents and attachments with the same ease it lets you search Domain-wide Drive folders and contents.

This is like a Gmail UI search but applied to all or some of your accounts. You can use all the search parameters described here.

The string below is the suggested opening search string for Payment Card Industry Data Security Standard (PCI DSS) compliance testing using GAT+.

(See our third-party risk assessment post addressing PCI DSS.)


Cut and paste it into the ‘Gmail Search’ tab of the Email audit. You may add to or subtract from the list as appropriate, up to a maximum of 1024 characters. Should you need a longer search string, use two searches.

‘Amex’ OR “American Express” OR ‘Mastercard’ OR ‘Visa’ OR ‘Discover’ OR “Diner’s Club” OR “Diners Club” OR ‘JCB’ OR ‘CCV’ OR ‘CID’

You may also see the string starting with a bracket. This is because the full set of strings can also be enclosed in brackets, as follows:


(‘Amex’ OR “American Express” OR ‘Mastercard’ OR ‘Visa’ OR ‘Discover’ OR “Diner’s Club” OR “Diners Club” OR ‘JCB’ OR ‘CCV2’ OR ‘CID’)

Allow some time for the search to finish, in particular for larger domains. Searches may be confined to users, groups or OUs to improve on-screen interaction; domain-wide (and any other type of) searches may be run as scheduled jobs.


In our case, we search for the whole domain and its sub-OU.

When the scan is finished, click on the green button in Actions to examine the returned results.

This search ‘context’ remains in force for all subsequent filter operations. It can be further refined with any of the many other filters available.

Full-text search in the General Audit Tool happens without email extraction. This means your data never leaves your domain; the search is passed in for Google to complete, and only the metadata of emails with potential hits is passed back out. This is by far the most secure method of third-party testing for PCI compliance: credit card details or other confidential information are not passed out to the third party, which avoids lengthening the chain of vulnerability.

This method is also suitable for abusive language, bullying language or any other context searches.

How to Find the Number of Emails Each User Sent and Received in a 24 Hour Period

Using the G Suite Admin Console or Google Vault, it’s a difficult task for a super admin to find all of the emails sent or received by the entire organization or a sub-group of users in a clear and readable way. That’s why Email auditing in GAT+ is so important. For any filter you create, you can see who was involved in sending or receiving those emails.

From the GAT+ side menu go to the Email audit section.

While in the first tab, click on the ‘Apply custom filters’ button.

Add the dates to capture the previous 24-hour period.

In the search definition area, the following search parameters were applied:

Sent date after or equal MM/DD/YYYY HH:MM

AND

Received date before or equal MM/DD/YYYY HH:MM

Once you have selected the look-back period, apply the filter. In the above example we looked back one day, but your custom look-back can cover whatever date range you need to audit.

Once the filter is applied, click on the ‘Sender/Receiver’ tab; the filter is carried over to this area.

The first table will show you the number of emails sent from your domain’s users.

The second table shows the number of emails each local user received (including cc’s and bcc’s).

The third table shows you all of the external senders and the number of emails they sent in the last 24 hours.

The fourth and last table will show you the external receivers and how many emails they received in the last 24 hours.

You can export each table to see further details.
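The four tables above can be reproduced from message metadata. The following Python is an added example, not GAT+ code; it works over constructed records, assumes a local domain of example.com and treats each message's received time as equal to its sent time.

```python
"""Per-user email volume over a look-back window (added example, not GAT+ code).

Rebuilds the four Sender/Receiver tables the article describes from constructed
message metadata. The record layout, the local domain 'example.com' and treating
received time as equal to sent time are this example's assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta

DOMAIN = "example.com"  # assumed local domain

# Constructed sample metadata: (sent_at, sender, to, cc, bcc).
MESSAGES = [
    (datetime(2019, 3, 1, 9, 0), "alice@example.com", ["bob@example.com"], ["carol@example.com"], []),
    (datetime(2019, 3, 1, 9, 5), "alice@example.com", ["partner@vendor.test"], [], ["bob@example.com"]),
    (datetime(2019, 3, 1, 10, 0), "newsletter@vendor.test", ["bob@example.com", "carol@example.com"], [], []),
    (datetime(2019, 3, 1, 11, 0), "bob@example.com", ["partner@vendor.test"], [], []),
    (datetime(2019, 2, 27, 8, 0), "alice@example.com", ["bob@example.com"], [], []),  # outside the window
]


def is_local(addr: str) -> bool:
    """True for addresses in the audited domain (the 'local users' of the article)."""
    return addr.lower().endswith("@" + DOMAIN)


def volume_tables(messages, end: datetime, hours: int = 24):
    """Return (internal_sent, internal_received, external_sent, external_received).

    Applies the article's filter 'Sent date after or equal START AND Received date
    before or equal END' with START = END - hours.
    """
    start = end - timedelta(hours=hours)
    internal_sent, internal_received = Counter(), Counter()
    external_sent, external_received = Counter(), Counter()
    for sent_at, sender, to, cc, bcc in messages:
        if not (start <= sent_at <= end):
            continue
        (internal_sent if is_local(sender) else external_sent)[sender] += 1
        for rcpt in to + cc + bcc:  # cc and bcc recipients count as receivers
            (internal_received if is_local(rcpt) else external_received)[rcpt] += 1
    return internal_sent, internal_received, external_sent, external_received


def sample_tables():
    """Tabulate the constructed data for the 24 hours up to 2019-03-01 12:00."""
    return volume_tables(MESSAGES, datetime(2019, 3, 1, 12, 0))
```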

How to Restrict the Audit Tool Use to a Select Few

Auditing for all Org Units (only affects domains with GAT in a sub-OU)

In the beginning, Google recommended that to restrict app use to a select few, you should create an OU for those chosen to run the app and then make the app available only to those in that OU. General Audit Tool followed this procedure and this was our recommended method of restricting GAT access. With the arrival of OAuth2, applications in sub-OUs only have authority for some audit features over the users in that sub-OU. This impacts GAT’s ability to report domain-wide. To solve this problem we recommend you set the following.


For GAT+ to work properly and allow the admin to audit their domain, we recommend that GAT be installed domain-wide and granted full access.

This will enable auditing of all users on the domain for details like Google+, Drive, Email etc.
The access to the tool can be restricted by following the steps below.

On the GAT homepage (Old UI) select the ‘Configure GAT’ option.

Then at the bottom of this configuration tick the box under ‘Restrict GAT users’ and ‘Save’.

GAT will now only be available to Super Admins, security officers and delegated auditors. If you had GAT in a sub-OU, then in Google Admin panel you should move GAT from the sub-OU (‘/auditors’ for example) to the root OU (i.e. ‘/’). See here for more details.

See here to learn about Delegated Audits to auditors who are not Admin staff.

How to Find All Emails for a Gmail User

When GAT+ is installed, our system begins to index all of the emails in every account covering a period of 28 days (4 weeks) prior to the install date. This helps us build up some statistics so you can view recent trends. We then index every email going forward indefinitely.

In cases where you need to search for emails older than 28 days from the date of GAT+ install you can use the real-time search called Gmail Search in GAT+.

Search the entirety of any user’s mailbox for any set of emails, from any time period, as long as the email is still there (not permanently deleted by the user).

You can exclude chats by using “in:anywhere -in:chats”. If you wish to narrow the search down to a specific period, use the search operators after:YYYY/MM/DD and/or before:YYYY/MM/DD. Alternatively, you can use older_than:5d or newer_than:30d.

So the full search term might look like this “in:anywhere -in:chats after:2019/03/01 before:2019/03/31 is:read”. View the full list of search operators available.


The search may take quite some time especially if you’re dealing with thousands of emails.

When the Start Search button is pressed, this will redirect you to the Recent tab. In this tab, you will see the status of all your email searches.

After the search completes, you can select the green check mark and all emails for this user will be displayed.

Once the results are shown, you can add and build new filters on top of the current search to find specific emails or examine the totality of that user’s activity.

To add additional filters on top of this real-time search, click on the Apply custom filter button.

One example of using Apply custom filters in Gmail Search is to narrow down the above search to find only emails with more than 2 attachments.

You can always return to Gmail Searches you had previously done and remove them from the listing.

In conclusion, Gmail Search provides a powerful alternative to scan-based searches but may be slower, as the email metadata is not already indexed. If your email audit does not require up-to-the-minute information, I would recommend sticking with scan-based searches within the Emails tab.

Detailed Reporting Control for Mobile Devices

GAT+ now has much more detailed reporting and control for mobile devices. Admins can quickly assess the status of any mobile device attached to their G Suite domain.

Audit and Policy for Google Apps

With GAT+ you can audit and set policies for additional apps running in your Google Apps environment. These third-party G Suite apps are given permission to access user data via API access, which users grant when installing those apps.

GAT+ provides two different audit areas to analyze this information.

In the User audit, Applications tab.

In the side menu of GAT+ select the ‘Users’ audit and then the Applications tab.

You can then search for any user, group or OU to focus on a subset of users. This will list by email and name showing the number of apps each user has granted API access to. You can click on the Apps column heading to sort by the number of apps installed for each user. Clicking on the number in this column takes you directly through to the Applications audit section to view further details.

For a more in-depth look at third-party apps, navigate to the Applications audit section.

The Applications tab within the Applications audit section displays the name of each installed app, the scopes it has been given, and a scope risk score (where we give a score based on the risk involved in the scopes the application requires).

Low – the application requires just basic access; Medium – more access is required.

High – full access is required, such as access to Drive content, email content and directory contacts.


From this page, you can search for apps under a wide range of criteria. For any given app you can set a number of policy conditions, these are for both enforcement and classification.

Apps can be:

  • Banned
  • Trusted

You can Ban an application for individual users by entering their email addresses, or you can use Google Groups or Organisation Units to cover multiple users at once. A Ban policy will prevent the cloud-based application from regaining the API permissions it once had; GAT+ will block these privileges from being accessed.

Note: Users can manually enable these permissions again once the app is launched. GAT+ will detect this and disable those permissions once more.

A single app can be both partially banned and partially trusted.

All other apps remain unclassified.

To create a policy for an application, click on the ‘+’ button.

The default policy setting is ‘Ban’. Select which users will be covered by this policy. When the policy is ready click ‘Save’ to have it enforced.

To remove a policy, click the ‘bin’ icon at the end of that individually named policy.
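An added example (not GAT+ code) of how Ban and Trust policies targeting users, groups and OUs can be reconciled against the grants observed on each pass, so that a permission a user re-enabled after launching the app is flagged again. Sub-OU inheritance, Ban-over-Trust precedence and all the data are this example's assumptions.

```python
"""Reconcile third-party app grants against Ban/Trust policies (added example, not GAT+ code).

Policy targets may be a user email, a group name or an OU path (sub-OUs inherit);
where Ban and Trust both apply, Ban wins. These rules and all data are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    app: str
    action: str  # "ban" or "trust"
    targets: set = field(default_factory=set)  # emails, group names or OU paths


# Constructed directory data: user -> (OU path, set of group names).
DIRECTORY = {
    "alice@example.com": ("/sales", {"sales"}),
    "bob@example.com": ("/sales/emea", {"sales", "auditors"}),
    "carol@example.com": ("/eng", set()),
}

POLICIES = [  # constructed: one app partially banned (by OU) and partially trusted (by group)
    Policy("Mail Merge Pro", "ban", {"/sales"}),
    Policy("Mail Merge Pro", "trust", {"auditors"}),
    Policy("Calendar Sync", "trust", {"carol@example.com"}),
]

GRANTS = [  # constructed: API grants currently observed, including any a user re-enabled
    ("alice@example.com", "Mail Merge Pro"),
    ("bob@example.com", "Mail Merge Pro"),
    ("carol@example.com", "Mail Merge Pro"),
    ("carol@example.com", "Calendar Sync"),
]


def matches(user: str, target: str) -> bool:
    """True if target names this user, one of their groups, or their OU or an ancestor OU."""
    ou, groups = DIRECTORY[user]
    return (target == user or target in groups
            or ou == target or ou.startswith(target.rstrip("/") + "/"))


def classify(app: str, user: str, policies=POLICIES) -> str:
    """Return 'banned', 'trusted' or 'unclassified'; any matching Ban outranks a Trust."""
    actions = {p.action for p in policies
               if p.app == app and any(matches(user, t) for t in p.targets)}
    return "banned" if "ban" in actions else "trusted" if "trust" in actions else "unclassified"


def grants_to_revoke(grants=GRANTS, policies=POLICIES):
    """Grants to disable on this pass; re-checking every observed grant each run is
    what catches permissions a user re-enabled after the last enforcement."""
    return [(u, a) for u, a in grants if classify(a, u, policies) == "banned"]
```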