Daily User Activity Gmail Report

G Suite super admins are regularly tasked with generating daily user statistics for the emails sent or received by each user, taking into consideration emails sent by users using account aliases.

GAT+ makes this possible by reporting on this activity and allowing admins to configure a daily report.

On the right-hand side, click on the ‘Apply custom filter’ button to define the scheduled report.

Select ‘Stats By Date Range and Users’, select the current day and the next day. You can narrow down the scope by selecting a group or user Org unit.

Once you select the Scheduled box, additional options will appear. Set the occurrence to ‘Every day – after midnight’. Check the Enabled checkbox and send the report to multiple super admins or users if you wish. Finally, click ‘Apply and Schedule’.

The scheduled report will generate a Google Spreadsheet every day after midnight showing you all of the email activity since the previous day.

How to Enable Screenshots For Users

If you intend to receive screenshots of users’ screens as email attachments when Shield Alert Rules are triggered, you need to enable screenshots within the G Suite Admin Console.

To enable screenshots:

  1. Using your super admin-level credentials, log into the Google Admin console at admin.google.com.
  2. Click on Device Management.
  3. Click on Chrome Management, under the Device Settings heading on the left side of the screen.
  4. Click on User Settings.
  5. Select an OU containing users who you want to receive screenshots from.
  6. Scroll to the Content heading and Enable screenshot.

‘Role’ Reporting in the Users Audit

GAT+ has added ‘Role’ reporting to the Users Audit. This will be particularly helpful to Admins of large domains, who have many delegated admin users performing different roles.

Google Drive: Who Read What Document and When?

This question comes up from time to time and GAT makes it easy to find the detailed answer.

First, we find all the documents the person reads (or has ‘viewed’).
To achieve this we navigate to GAT’s Google Drive audit. We select the Event tab, then we apply a custom filter.
For the search we enter the email address of the person we’re interested in, then pick an event type as “View” (you can select different options such as download, upload, print, created).
You can select a date parameter to narrow down your search results (if you don’t enter a date, it will scan the user and event type and find every document ever read by that person).

The example in the screenshot below will display all events (view) by the user in the past 29 days (since the start of the month).

However, we can refine our Google Drive searches even further…

Let’s exclude files where this user is also the owner of those files because we are only interested in files this user viewed which are not his own.

To do this, export the results. This will create a spreadsheet where we can edit the owner tab to exclude the person we are currently searching for.

The result you get is all the documents visited by the subject, excluding the files he owns.

A follow-on question from this is how do we create daily/weekly reporting for all or some documents in our domain?

We have a post about how to schedule daily/weekly reports on event activities on files; you can read more about that here:

How to Track Visitors and Editors

Report on the Active Count of 2FA codes

GAT+ can report on the active count of 2FA codes within the security tab of User Audit. This reflects the active number of 2FA codes which are available for each user.

In the Configuration section under Alarms, create an alarm for 2FA codes being used by your users. In the example below any 2FA codes being used by users from /Marketing OU will trigger an alarm to the super admin.

Monitoring Cloud Login Behaviour

With all the publicity about breaches of servers containing Government Personnel data, it is a good time to consider how well you understand access to your Google cloud environment.

Servers on your LANs that have been breached, no matter what the path, will leave a packet trail that you can follow up to a suspicious device. There is no guarantee that that device is the end-point, but at least you have the start of the path that law enforcement can then follow.

In the Google cloud, how do you identify such suspicious activity? Google is getting better at identifying and alerting users to suspicious activity, but good hackers will be well aware of the alarms Google sets, so how do you as an Admin get the big picture and bring human intuition to bear on the collective pool of data?

One tool GAT provides is ‘User Logins’.


Clicking on this audit area lets you analyze the login behavior on your Google Domain by several metrics: source, volume, successes, failures, etc.

The screenshot above is from the ‘Events’ tab and gives the big-picture view of worldwide accesses to your domain. Are there logins from unexpected locations?

Clicking on a map marker shows the email address and all information related to that account, such as IP Address, City, Country, Event and Date.

User logins can also be checked by clicking on the “Apply custom filter” button, where an admin can narrow down the search and extract more detailed information regarding an event.

For example, an Admin can search for all events with the status “Invalid Password”. This will bring up all matching results, display on the map where they actually happened and generate a report.
It shows Login Event Locations and Login IP Locations.

What else should you look for? Search for ‘OK’ logins and look at the ratio of different users to successful logins. If you see something like 10 logins from a single IP address and 5 different users, then that is either a new office you opened yesterday or very strange behavior. If it is not a new office, check out that address and those accounts in more detail.

The second way GAT attempts to watch your back is via the Alarms section (select ‘Alarms’ on the home page).

While these are no substitute for the human intelligence an Admin brings to bear by knowing their own data, they can help watch your back in some areas. To configure an alarm click on the plus icon/button.

 


Based on our experience the alarm ‘Alert on new IP addresses with negative logins’ is the most useful because it flags someone taking a ‘potshot’ at one of your domain accounts. We only alarm you if we have never seen a successful login from that address before – this eliminates a lot of false positives.
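
The two checks described above, applied to exported login rows, as an added example (not GAT's code and not part of the original page): successful logins from one IP spread across several accounts, and failed logins from an address with no earlier successful login. The field names, the helper function names and the sample rows are assumptions; the rows are constructed.

```python
from collections import defaultdict

USERS = ["ann", "bob", "cyd", "dee", "eli"]  # constructed accounts

# Constructed sample rows. Field names are assumptions modelled on the
# columns the page lists (email, IP address, event status, date).
EVENTS = [
    # Ten OK logins from one address, spread across five accounts.
    {"date": f"2024-05-02T09:{i:02d}", "email": f"{USERS[i % 5]}@example.com",
     "ip": "198.51.100.7", "status": "OK"}
    for i in range(10)
] + [
    {"date": "2024-05-01T08:00", "email": "ann@example.com",
     "ip": "203.0.113.10", "status": "OK"},
    {"date": "2024-05-03T02:14", "email": "ann@example.com",
     "ip": "203.0.113.10", "status": "Invalid Password"},
    {"date": "2024-05-03T02:15", "email": "bob@example.com",
     "ip": "192.0.2.55", "status": "Invalid Password"},
]


def shared_ip_candidates(events, min_logins=10, min_users=5):
    """IPs whose successful ('OK') logins are spread over many accounts."""
    logins, users = defaultdict(int), defaultdict(set)
    for e in events:
        if e["status"] == "OK":
            logins[e["ip"]] += 1
            users[e["ip"]].add(e["email"])
    return {ip: (logins[ip], len(users[ip])) for ip in logins
            if logins[ip] >= min_logins and len(users[ip]) >= min_users}


def failures_from_unseen_ips(events):
    """Failed logins from addresses with no earlier successful login."""
    good_ips, alerts = set(), []
    for e in sorted(events, key=lambda e: e["date"]):
        if e["status"] == "OK":
            good_ips.add(e["ip"])
        elif e["ip"] not in good_ips:
            alerts.append((e["date"], e["email"], e["ip"]))
    return alerts


if __name__ == "__main__":
    print(shared_ip_candidates(EVENTS))
    print(failures_from_unseen_ips(EVENTS))
```

The failed login from 203.0.113.10 is not reported because that address already has a successful login on record, which is the false-positive reduction the alarm description refers to.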

Login Tracking and Alerting

Through its APIs, G Suite can provide all login activity over a 180-day period. GAT takes advantage of these API capabilities and, combined with some other security data such as 2-Factor Authentication status, we have now enabled a security report for users.

From the home page click on ‘Users’, then the ‘Security’ tab. Here you can analyze which users don’t have 2FA turned ON, when they last logged in and when they entered their passwords incorrectly.

If you have a large domain it becomes difficult to identify users who have not logged in for a long time, so using the ‘Apply custom filter’ button you can search for users who have not logged in for the last 3 months, or 6 months if you wish.

Edit the security filters tab.

You may find this post about how to get alerted every time a user disables two-factor authentication useful.

How to Create a Report of the Documents End Users Own

In this use case, GAT allows domain admins to prepare a report that is sent to each user, showing the files that they own as a spreadsheet attachment.

The report can be prepared around several different user sets, depending on the scope the admin wishes to give to the report.


First, we select Drive Audit then we apply a custom filter and search for files owned by our domain.


We simply search for files where the owner is our domain.


Once we find all files owned by our domain, we can click the Apply button and this will run the search.

Click on the Files Operations button and select Remove Permissions. Remove Permissions has a feature to notify the owners of the files in this search result and provide them with a spreadsheet of all the files they own.


Select 'scan' in the multi permission change tab

In the Permission change option select “Report only”; this will ensure no actions are performed on the selected search.

Add a message of your choice.

Key terms to know about when creating a custom message:

{{RECIPIENT}} – recipient’s full name
{{RECIPIENT.FIRSTNAME}} – recipient’s first name
{{RECIPIENT.LASTNAME}} – recipient’s surname
{{RECIPIENT.EMAIL}} – recipient’s email

{{FILES}} – Displays in the email the files in question with a URL link.


This is the message the end user will see. The email will show them all of the files they own.

Clicking on the ‘View files’ button at the bottom will open a Google Spreadsheet for the user.

How to Create a Report About Devices Not Synced Within the Last 30 days

This report will show us which mobile devices are no longer synced with our domain.

The report will produce a list of mobile devices which have not synced in over 30 days.

On the GAT Home page, select “Mobile Devices”.

On the top right-hand side of the screen, click on the familiar ‘Apply custom filter’ button.


We select “Last sync” before or equal to the 1st day of the last month.
Schedule the report to run monthly.
The example above shows us a report for all devices that have “Last synced” more than a month ago.
GAT+ will automatically change the date on the next scan next month and every report will give you data for the previous month.

Ways for GAT to Search for Two or More Users at Once

Examples of the different types of searches GAT can perform. Learn to get more out of GAT.

The Regular Expression Method

Select 'users'

select filter

 

Using Drive method

Click on 'drive'

Select filter

Note in this last example, you are searching for the more generic match of all docs in the accounts of the ‘Users’ in the group rather than the docs owned by ‘Owners’ (this wider search includes public documents which the ‘Users’ in the group may have viewed).