How to Enable Screenshots For Users

If you intend to receive screenshots of users' screens as email attachments when Shield Alert Rules are triggered, you need to enable screenshots within the G Suite Admin Console.

To enable screenshots:

  1. Using your super admin-level credentials, log into the Google Admin console at admin.google.com.
  2. Click on Device Management.
  3. Click on Chrome Management, under the Device Settings heading on the left side of the screen.
  4. Click on User Settings.
  5. Select an OU containing the users from whom you want to receive screenshots.
  6. Scroll to the Content heading and Enable screenshot.

Delegate access to your Gmail account

GAT+ allows Admins to delegate access to a User account to another User for a set number of hours. This may be for business purposes, but it also facilitates fast searching and viewing of all the account's emails via another user's browser.

BEFORE USING: Please ensure email delegation is allowed for users in your domain. Go to the G Suite Admin Console and under Apps > G Suite Apps > Settings for Gmail check if the email delegation box is allowed for your domain.

Launch the GAT+ tool, enter the User Audit section and click on the Email Info Tab.

In the Email Info Tab, select any user and click on the Actions button to add an email delegate to their account. 

You can also remove existing mail delegations that are already in place.

Here the Admin can select the account they wish to gain access to, then select the account they want to give this access to and finally select the number of hours they would like delegated access to be granted for. Once the request is sent, the Security Officer will still have to approve before the delegation is created.

Once granted, the delegated account appears in the accounts drop-down list when the profile picture is selected in Gmail.

The delegation will automatically be revoked after the requested time period.

Note: If, during the period of delegation, the owner of the account under audit logs into their Google account and goes to their email settings, then under ‘Accounts’ they will see that the Admin has granted delegated access to the account.

In addition, if the delegated user reads any unopened email in the audited account, this email will be marked as ‘read’.

Access Scope of Delegated Auditors

Education, business and enterprise domains usually have a few G Suite super admin roles within their organization. For security reasons, they may want to give other users super-admin-like privileges within GAT+ or GAT Shield without granting them G Suite super admin roles. This is why it's critical for them to have a feature called Delegated Auditors, which allows them to distribute responsibilities to normal users while limiting the number of users who have access to the G Suite Admin Console.

A Delegated Auditor has scopes very similar to those of a super admin within GAT+.

They have full access to all of the Auditing areas.

In the Auditing areas, they can use all of the features of GAT Unlock, subject to Security Officer approval.

  • They can modify permissions/download files/view file content.
  • They can download emails, view emails and remove emails from users' Gmail accounts.
  • They can set up email delegation to give one user direct delegation into another user’s Gmail account.

In Drive Audit they can’t use the Remove Permissions functionality yet. We will let you know when this feature is available to them as well.

Currently, Delegated Auditors do not have access to the Configuration areas. If they are also a Security Officer, they will see only the SO section.

Future Improvements: In the coming weeks, we will be releasing features that give Super Admins more control over the scopes of delegated auditors. Super Admins will have the option to switch on certain areas of the Configuration section, at the super admin's own discretion.

‘Role’ Reporting in the Users Audit

GAT+ has added ‘Role’ reporting to the Users Audit. This will be particularly helpful to Admins of large domains, who have many delegated admin users performing different roles.

Who Read What Document and When?

This question comes up from time to time and GAT makes it easy to find the detailed answer.

 

First, we find all the documents the person reads (or has ‘viewed’).
To achieve this we navigate to the Drive audit in GAT+. We select the Event tab, then we apply a custom filter.
For the search we enter the email address of the person we’re interested in, then pick an event type as “View” (you can select different options such as download, upload, print, created).
You can select a date parameter to narrow down your search results (if you don't set a date, the search covers the user and event type only and finds every document ever read by that person).

The example in the screenshot below will display all events (view) by the user in the past 29 days (since the start of the month).

 

However, we can refine this further…

Let’s exclude files where this user is also the owner of those files because we are only interested in files this user viewed which are not his own.

To do this, export the results. This creates a spreadsheet in which we can filter the owner column to exclude the person we are currently searching for.

The result you get is all the documents visited by the subject, excluding the files he owns.

A follow-on question from this is how do we create daily/weekly reporting for all or some documents in our domain?

We have a post about how to schedule a daily/weekly report on event activities on files. You can read more about that here:

How to Track Visitors and Editors

Monitoring Cloud Login Behaviour

With all the publicity about breaches of servers containing Government Personnel data, it is a good time to consider how well you understand access to your Google cloud environment.

Servers on your LANs that have been breached, no matter what the path, will leave a packet trail that you can follow up to a suspicious device. There is no guarantee that that device is the end-point, but at least you have the start of the path that law enforcement can then follow.

In the Google cloud, how do you identify such suspicious activity? Google is getting better at identifying and alerting users to suspicious activity, but good hackers will be well aware of the alarms Google sets, so how do you as an Admin get the big picture and bring human intuition to bear on the collective pool of data?

One tool GAT provides is ‘User Logins’.

Clicking on this audit area lets you analyze the login behavior on your Google Domain by several metrics: source, volume, successes, failures, etc.

The screenshot above is from the ‘Events’ tab and gives the big-picture view of worldwide accesses to your domain. Are there logins from unexpected locations?

Clicking on the map marker shows the Email address, and all related information to this account such as IP Address, City, Country, Event and Date.

User logins can also be checked by clicking on the “Apply custom filter” button, where an admin can narrow down the search and extract more detailed information regarding an event.

For example, an Admin can search for all events with the status “Invalid Password”. This returns all matching results, displays on the map where they actually happened, and lets the Admin generate a report.
It shows Login Event Locations and Login IP Locations.

What else should you look for? Search by ‘OK’ logins and look at the ratio of different users to successful logins. If you see something like 10 logins from a single IP address and 5 different users, then that is either a new office you opened yesterday or very strange behavior. If it is not a new office, check out that address and those accounts in more detail.

The second way GAT attempts to watch your back is via the Alarms section (select ‘Alarms’ on the home page).

While these are no substitute for the human intelligence an Admin brings to bear by knowing their own data, they can help watch your back in some areas. To configure an alarm click on the plus icon/button.

 

Based on our experience the alarm ‘Alert on new IP addresses with negative logins’ is the most useful because it flags someone taking a ‘potshot’ at one of your domain accounts. We only alarm you if we have never seen a successful login from that address before – this eliminates a lot of false positives.
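
The two login checks described above (the ratio of distinct users to successful logins per IP address, and a failed login from an address with no earlier successful login) can be sketched in Python as follows. This is an added example, not GAT's own code; the event tuples, the sample data and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events: (date, email, ip, event). The tuple layout is an
# assumption modelled on the columns named above, not a GAT export format.
EVENTS = [
    ("2024-05-01", "ann@example.com", "198.51.100.7", "OK"),
    ("2024-05-01", "bob@example.com", "198.51.100.7", "OK"),
    ("2024-05-02", "ann@example.com", "203.0.113.9", "Invalid Password"),
    ("2024-05-02", "bob@example.com", "203.0.113.9", "Invalid Password"),
    ("2024-05-03", "ann@example.com", "198.51.100.7", "Invalid Password"),
    ("2024-05-03", "cat@example.com", "192.0.2.44", "OK"),
    ("2024-05-03", "dan@example.com", "192.0.2.44", "OK"),
    ("2024-05-04", "eve@example.com", "192.0.2.44", "OK"),
    ("2024-05-04", "cat@example.com", "192.0.2.44", "OK"),
]


def shared_ip_logins(events, min_users=3):
    """Return {ip: (ok_logins, distinct_users)} for IPs where at least
    min_users different accounts logged in successfully."""
    logins = defaultdict(int)
    users = defaultdict(set)
    for _date, email, ip, event in events:
        if event == "OK":
            logins[ip] += 1
            users[ip].add(email.lower())
    return {ip: (logins[ip], len(u)) for ip, u in users.items()
            if len(u) >= min_users}


def new_ip_failures(events):
    """Return (date, email, ip) for the first failed login from each IP that
    had no successful login earlier in the date-sorted event stream.
    Any event other than "OK" is treated as a failed login."""
    good_ips, alerted, alerts = set(), set(), []
    for date, email, ip, event in sorted(events, key=lambda e: e[0]):
        if event == "OK":
            good_ips.add(ip)
        elif ip not in good_ips and ip not in alerted:
            alerted.add(ip)  # one alert per address keeps the noise down
            alerts.append((date, email, ip))
    return alerts


if __name__ == "__main__":
    print(shared_ip_logins(EVENTS))
    print(new_ip_failures(EVENTS))
```

The failed login from 198.51.100.7 raises no alert because that address already has successful logins, which is the false-positive filter the alarm description relies on.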

Login Tracking and Alerting

G Suite, through its APIs, can provide all login activity over a 180-day period. GAT takes advantage of these API capabilities and, by combining them with other security data such as 2 Factor Authentication status, we have now enabled a security report for users.

From the home page, click on ‘Users’, then the ‘Security’ tab. Here you can analyze which users don’t have 2FA turned ON, when they last logged in, and when they entered their passwords incorrectly.

 

If you have a large domain, it becomes difficult to identify users who have not logged in for a long time. Using the ‘Apply custom filter’ button, you can search for users who have not logged in for the last 3 months, or 6 months if you wish.

Edit the security filters tab.

You may find this post about how to get alerted every time a user disables two-factor authentication useful.

How to Create a Report of the Documents End Users Own

In this use case, GAT allows domain admins to prepare a report that is sent to each user, showing the files that they own as a spreadsheet attachment.

The report can be prepared around several different user sets, depending on the scope the admin wishes to give to the report.

Select the Drive feature

First, we select Drive Audit then we apply a custom filter and search for files owned by our domain.

Select the filter

We simply search for files where the owner is our domain.

Select apply

Once we find all files owned by our domain, we can click the Apply button and this will run the search.

Click on the Files Operations button and select Remove Permissions. Remove Permissions has a feature to notify the owners of the files in this search result and provide them with a spreadsheet of all the files they own.

Select 'scan' in the multi permission change tab

In the Permission change option, select “Report only”; this ensures no actions are taken on the selected search results.

Add a message of your choice.

Key terms to know about when creating a custom message:

{{RECIPIENT}} – recipient's full name
{{RECIPIENT.FIRSTNAME}} – recipient's first name
{{RECIPIENT.LASTNAME}} – recipient's surname
{{RECIPIENT.EMAIL}} – recipient's email
{{FILES}} – displays in the email the files in question, each with a URL link


This is the message the end user will see. The email will show them all of the files they own.

Clicking on the ‘View files’ button at the bottom will open a Google Spreadsheet for the user.

How to Create a Report About Devices Not Synced Within the Last 30 days

This report will show us which mobile devices are no longer synced with our domain.

The report will produce a list of mobile devices which have not synced in over 30 days.

On the GAT Home page, select “Mobile Devices”  

On the top right-hand side of the screen, click on the familiar ‘Apply custom filter’ button.

We select “Last sync” before or equal to the 1st day of the last month.
Schedule the report to run monthly.
The example above shows us a report for all devices that have “Last synced” more than a month ago.
GAT+ will automatically change the date on the next scan next month and every report will give you data for the previous month.

Ways for GAT to Search for Two or More Users at Once

Examples of the different types of searches GAT can perform. Learn to get more out of GAT.

The Regular Expression Method

Select 'users'

select filter

 

Using Drive method

Click on 'drive'

Select filter

Note in this last example, you are searching for the more generic match of all docs in the accounts of the ‘Users’ in the group rather than the docs owned by ‘Owners’ (this wider search includes public documents which the ‘Users’ in the group may have viewed).