Monitoring Cloud Login Behaviour

With all the publicity about breaches of servers containing Government Personnel data, it is a good time to consider how well you understand access to your Google cloud environment.

Servers on your LANs that have been breached, no matter what the path, will leave a packet trail that you can follow up to a suspicious device. There is no guarantee that that device is the end-point, but at least you have the start of the path that law enforcement can then follow.

In the Google cloud, how do you identify such suspicious activity? Google is getting better at identifying and alerting users to suspicious activity, but good hackers will be well aware of the alarms Google sets, so how do you as an Admin get the big picture and bring human intuition to bear on the collective pool of data?

One tool GAT provides is ‘User Logins’.

select 'user logins'

Clicking on this audit area lets you analyze the login behavior on your Google Domain by several metrics, source, volume, success, failures, etc.


The screenshot above is from the ‘Events’ tab and gives the big-picture view of worldwide accesses to your domain. Are there logins from unexpected locations?

Clicking on the map marker shows the Email address, and all related information to this account such as IP Address, City, Country, Event and Date.


User logins can also be checked by clicking the “Apply custom filter” button, where an admin can narrow down the search and extract more detailed information about an event.


For example, an Admin can search for all events with status “Invalid Password”. This returns every matching event, displays on the map where each one actually happened, and generates a report.
The report shows Login Event Locations and Login IP Locations.

What else should you look for? Search by ‘OK’ logins and look at the ratio of distinct users to successful logins. If you see something like 10 logins from a single IP address by 5 different users, that is either a new office you opened yesterday or very strange behaviour; if it is not a new office, check that address and those accounts in more detail.

The second way GAT attempts to watch your back is via the Alarms section (select ‘Alarms’ on the home page).

select 'alarms'

While these are no substitute for the human intelligence an Admin brings to bear by knowing their own data, they can help watch your back in some areas. To configure an alarm, click the plus icon/button.


See alarm details
change alarm settings as needed

Based on our experience, the alarm ‘Alert on new IP addresses with negative logins’ is the most useful because it flags someone taking a ‘potshot’ at one of your domain accounts. We only alert you if we have never seen a successful login from that address before; this eliminates a lot of false positives.
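The two heuristics above (many distinct users logging in from one IP, and failed logins from an IP that has never produced a successful login) can be checked outside the GAT UI against an exported login list. The following is an added example, not GAT's own code, run over constructed sample events in the shape of the ‘User Logins’ view (email, IP, city, country, event status, date); the thresholds and the example.com addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample events (email, ip, city, country, status, date); not real data.
OFFICE_IP = "198.51.100.7"
EVENTS = [(f"user{i % 5}@example.com", OFFICE_IP, "Dublin", "IE", "OK",
           f"2019-06-01T09:{i:02d}:00") for i in range(10)]   # 10 OK logins, 5 users
EVENTS += [
    ("alice@example.com", "203.0.113.10", "Cork", "IE", "OK", "2019-06-01T08:00:00"),
    # Failed login from an IP that already had a success: should NOT be alerted on.
    ("alice@example.com", "203.0.113.10", "Cork", "IE", "Invalid Password", "2019-06-02T08:00:00"),
    # Two accounts probed from an IP never seen with a successful login: alert.
    ("bob@example.com", "192.0.2.44", "Unknown", "ZZ", "Invalid Password", "2019-06-03T02:10:00"),
    ("carol@example.com", "192.0.2.44", "Unknown", "ZZ", "Invalid Password", "2019-06-03T02:11:00"),
    # Failure followed by a success from a new IP: the failure is still alerted on,
    # because at that moment no success had yet been seen from the address.
    ("dave@example.com", "192.0.2.99", "Unknown", "ZZ", "Invalid Password", "2019-06-03T04:00:00"),
    ("dave@example.com", "192.0.2.99", "Unknown", "ZZ", "OK", "2019-06-03T04:05:00"),
]


def login_stats(events):
    """Per source IP: number of OK logins and the set of accounts that logged in OK."""
    stats = defaultdict(lambda: {"ok": 0, "ok_users": set()})
    for email, ip, _city, _country, status, _date in events:
        if status == "OK":
            stats[ip]["ok"] += 1
            stats[ip]["ok_users"].add(email)
    return stats


def shared_ip_logins(events, min_logins=10, min_users=5):
    """IPs matching the '10 logins from one IP by 5 different users' pattern (assumed thresholds)."""
    return sorted(ip for ip, s in login_stats(events).items()
                  if s["ok"] >= min_logins and len(s["ok_users"]) >= min_users)


def new_ip_negative_logins(events):
    """Failed logins from IPs with no earlier successful login; returns {ip: [accounts tried]}.

    Events are processed in date order so 'never seen a success before' is evaluated
    as of each failure, which is how the alarm described above is defined."""
    seen_ok, flagged = set(), {}
    for email, ip, _city, _country, status, _date in sorted(events, key=lambda e: e[5]):
        if status == "OK":
            seen_ok.add(ip)
        elif ip not in seen_ok:
            flagged.setdefault(ip, []).append(email)
    return flagged
```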

Login Tracking and Alerting

G Suite, through its APIs, can provide all login activity over a 180-day period. GAT takes advantage of these API capabilities and, combined with other security data such as 2-factor authentication status, now provides a security report for users.

From the home page click on ‘Users’, then the ‘Security’ tab. Here you can analyse which users don’t have 2FA turned on, when they last logged in and when they entered their passwords incorrectly.



If you have a large domain it becomes difficult to identify users who have not logged in for a long time, so using the ‘Apply custom filter’ button you can search for users who have not logged in for the last 3 months, or 6 months if you wish.

Edit the security filters tab.

You may find this post about how to get alerted every time a user disables two-factor authentication useful.

How to Create a Report of the Documents End Users Own

In this use case, GAT allows domain admins to prepare a report that is sent to each user, showing the files they own as a spreadsheet attachment.

The report can be prepared around several different user sets, depending on the scope the admin wishes to give to the report.

Select the Drive feature

First, we select Drive Audit, then we apply a custom filter and search for files owned by our domain.

Select the filter

We simply search for files where the owner is our domain.

Select apply

Once the filter for all files owned by our domain is in place, we click the Apply button and this will run the search.

Click on the Files Operations button and select Remove Permissions. Remove Permissions has a feature to notify the owners of the files in this search result and provide them with a spreadsheet of all the files they own.


Select 'scan' in the multi permission change tab

In the Permission change option select “Report only”; this will ensure no actions are taken on the selected search results.

Add a message of your choice.

Key terms to know about when creating a custom message:

{{RECIPIENT}} – recipient’s full name
{{RECIPIENT.FIRSTNAME}} – recipient’s first name
{{RECIPIENT.LASTNAME}} – recipient’s surname
{{RECIPIENT.EMAIL}} – recipient’s email address
{{FILES}} – displays in the email the files in question, each with a URL link


This is the message the end user will see. The email will show them all of the files they own.


Clicking on the ‘View files’ button at the bottom will open a Google Spreadsheet for the user.

How to Create a Report About Devices Not Synced Within the Last 30 days

This report will show us which mobile devices are no longer synced with our domain.

The report will produce a list of mobile devices which have not synced in over 30 days.

On the GAT Home page, select “Mobile Devices”.

select 'mobile devices'

On the top right-hand side of the screen, click on the familiar ‘Apply custom filter’ button.

click on the ‘Apply custom filter’ button.

We select “Last sync” before or equal to the 1st day of the last month, and schedule the report to run monthly.
The example above shows a report for all devices whose “Last sync” was more than a month ago.
GAT+ will automatically advance the date on next month’s scan, so every report gives you data for the previous month.

Ways for GAT to Search for Two or More Users at Once

Examples of the different types of searches GAT can perform. Learn to get more out of GAT.

The Regular Expression Method

Select 'users'

select filter


Using Drive method

Click on 'drive'

Select filter

Note in this last example, you are searching for the more generic match of all docs in the accounts of the ‘Users’ in the group rather than the docs owned by ‘Owners’ (this wider search includes public documents which the ‘Users’ in the group may have viewed).

Delegate access to your Gmail account

With GAT+, Super Admins and Delegated Auditors can give a user access to another user’s Gmail account for a specified period of time, after which the delegation is automatically removed. This may be for business purposes, but it also facilitates the fast search and viewing of all the account’s emails via another user’s browser.


Note: Please ensure email delegation is allowed for users in your domain.

Go to the Google Apps Admin console and, under ‘Apps’, ‘G Suite Apps’, ‘Settings for Gmail’, ‘User Settings’, check that email delegation is allowed for your domain.

Now launch GAT+ and enter the User Audit section.

Click on the Email Info tab. Search for the user whose Gmail account will be delegated to someone else, click on the drop-down menu and select ‘Add e-mail delegation’.

When the menu appears, enter the user who will gain access and the number of hours the delegation should last; when that period expires, the delegation will be removed automatically.

The request will be sent to your security officer for approval; once approved, the delegation will be set.

The delegated account appears in the accounts drop-down list in the user’s own Gmail account. This can take several minutes and may require a refresh. The user accessing the delegated account will have to log out and log back in again for the delegated account to appear.

Note: If, during the period of the delegation, the user of the account under audit logs into their Google account and goes to their email settings, then under ‘Accounts and import’ the account owner will see that the Admin has granted delegated access to the account.

In addition, if the delegated user reads any unopened email in the audit account, this email will be marked as ‘read’.

Delegate one email account to another indefinitely with GAT+

With GAT+, Super Admins and Delegated Auditors can give a user access to another user’s Gmail account indefinitely.

By default, Admins could delegate for any number of hours and GAT+ would automatically remove the delegation when the time was up (saving Admins from having to remember to go back and remove it). Now, by using 0 hours, Admins have the option to delegate permanently.

Launch GAT+ and enter the User Audit section.

select 'users'

Click on the Email Info tab. Search for the user whose Gmail account will be delegated to someone else, click on the drop-down menu and select ‘Add e-mail delegation’.

When the menu appears, enter the user who will gain access. Leave the number of hours as 0.

select 'confirm'

A request will be sent to your security officer for approval; once approved, the delegation will be set.

The delegated account appears in the accounts drop-down list in the user’s own Gmail account. This can take several minutes and may require a refresh. The user accessing the delegated account will have to log out and log back in again for the delegated account to appear.


In addition, if the delegated user reads any unopened email in the audit account, this email will be marked as ‘read’.

How to Best Deal with Docs from Leaving Google Users

An issue that comes up from time to time is how best to deal with Google Drive documents from departing G Suite users. This is usually not a big problem if it is just one or two people leaving the Google domain, but what if you are a college with hundreds of departing students and perhaps dozens of departing staff each academic year? How can you get to grips with such a large number? What are the documents involved? Which documents are important? You need audit tools for that.

Here we examine some ways GAT’s Drive Audit for Google Drive can help you assess the issues, whether 1,000 users are leaving or just one.

Many users leaving – what documents to deal with?

When a user is leaving, the account is usually marked ‘suspended’ while a decision is made on what to do with the contents of their Google Drive. Suspended accounts should be moved to an OU. In the example below, we have an OU called ‘Leavers’.

apply long search

Once all the suspended users are collected in a single OU they can be dealt with collectively in each of the audit areas. For this example, we are going to focus on ‘Drive’.

Select the Long Search option, then the Org Unit; select the option to include Sub Org units if there are any, and the Owned option (to ensure you return only the documents owned by the suspended users).

long search in new GAT UI

GAT new UI: drive files filters

Once the long search has found all users in the Leavers OU, we apply a custom filter on top of that to locate the documents that have been shared out.

In this worked example, we are only interested in documents shared with other users.
What is left in the report are all the shared documents, owned by the departing users, shared internally or externally.

Finding active shared documents

As part of a further filter process, you can sort on the ‘Updated’ column. This brings the docs that changed recently to the top; because these are active, it may be more important to transfer their ownership.

This will return only documents changed in those dates. You may consider older ones to be irrelevant.

These results can be saved as a spreadsheet for further analysis or passed to department heads for comment.

Once you have found all documents changed in a period of time, a super admin can act upon the files and change their ownership using the GAT Unlock feature.

Internet Censorship in Schools: Block Bad Language

Amplified IT has produced a spreadsheet which is now widely used in many schools as the basis of their regular expression searches for bad or homophobic words.
We have slightly added to each of the four regular expression rules they published and made them available as templates for all our educational domains using GAT Shield.

Schools who use these can now apply them in Shield with just a click of a mouse. Our templates also contain many other useful examples that can be used and expanded upon by Admins.

reg ex searches

Review the words covered by the different Amplified IT templates

GAT Shield - Amplified IT Rule Templates.

Control Sharing in Team Drive: Get a List of Users’ Access to Team Drives

G Suite admins need to ensure they are fully aware of, and in control of, who has access to their domain’s Team Drives. You can get the list of your users’ access to different Team Drives in GAT+ using Drive Audit. Start off by clicking the export button and selecting Export to Google Sheet without paths.

select Export to Google Sheet without paths

When your data is exported, select the ‘Click to view’ option. Once the spreadsheet has loaded, create a filter on the type heading by selecting it and then choosing ‘create a new filter view’. Then simply filter out everything except folders. You should now be able to see all the users who have access to these Team Drive folders.

filter out everything except for folders