Out of Hours Email Activity Reporting with GAT+

In France, the legal length of the working week is 35 hours in all types of companies with more than 50 employees. The working day may not exceed 10 hours. Furthermore, employees may not work for more than 4.5 hours without a break. The maximum working day may be extended to 12 hours under a collective agreement.

If you wish to enforce this policy throughout your organization you can utilize GAT Shield. Let’s presume you already know about Shield and utilize it within your organization.

You have the ability as a super admin to enforce the French working hours after getting proper approval from your management team.

Navigate to the Login Control section in the Configuration area of GAT Shield.

Now, I will create a time frame window. Outside of this time frame, users on my domain won’t be allowed to log into their G Suite account to check emails or other cloud services.

The below example covers 9AM to 7PM.

Login time window (from): 0 0 9 1/1 * ? *

Login time window (to): 0 0 19 1/1 * ? *

This means my employees can log in and do their work from 9AM to 7PM after which they will be blocked.

If you don’t wish to block entry into the account when users are out of hours, you can report on your employees’ activities using the GAT Shield User Activity section. This will show you when a user was active and what sites they went to throughout a given day.
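As an added example (not GAT Shield code), the sketch below reads the seconds, minutes and hours fields of the two window expressions above and flags constructed activity timestamps that fall outside the daily window. It assumes the expressions are Quartz-style seven-field cron strings and that the end of the window is exclusive; the function names and sample events are hypothetical.

```python
from datetime import datetime, time

# Window expressions copied from the page. Assumed field order (Quartz style):
# seconds minutes hours day-of-month month day-of-week year.
WINDOW_FROM = "0 0 9 1/1 * ? *"
WINDOW_TO = "0 0 19 1/1 * ? *"

def daily_time(expr):
    """Return the time of day at which a seven-field expression fires.

    Only fixed numeric seconds/minutes/hours are supported; the date fields
    are taken to mean "every day", as in the page's example.
    """
    fields = expr.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {expr!r}")
    sec, minute, hour = (int(f) for f in fields[:3])
    return time(hour, minute, sec)

def in_window(ts, start, end):
    """True if ts falls in [start, end); also handles windows crossing midnight."""
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def out_of_hours(events, from_expr=WINDOW_FROM, to_expr=WINDOW_TO):
    """Return the (user, timestamp) pairs that fall outside the login window."""
    start, end = daily_time(from_expr), daily_time(to_expr)
    return [(user, stamp) for user, stamp in events
            if not in_window(datetime.fromisoformat(stamp), start, end)]

# Constructed sample activity in the domain's local time, not real data.
SAMPLE_EVENTS = [
    ("alice@example.com", "2024-03-04T08:59:59"),
    ("alice@example.com", "2024-03-04T09:00:00"),
    ("bob@example.com", "2024-03-04T18:59:00"),
    ("bob@example.com", "2024-03-04T19:00:00"),
    ("carol@example.com", "2024-03-04T23:15:00"),
]

if __name__ == "__main__":
    for user, stamp in out_of_hours(SAMPLE_EVENTS):
        print(f"out of hours: {user} at {stamp}")
```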

Report on the Active Count of 2FA codes

GAT+ can report on the active count of 2FA codes within the security tab of User Audit. This reflects the active number of 2FA codes which are available for each user.

In the Configuration section under Alarms, create an alarm for 2FA codes being used by your users. In the example below any 2FA codes being used by users from /Marketing OU will trigger an alarm to the super admin.

Monitoring Cloud Login Behaviour

With all the publicity about breaches of servers containing Government Personnel data, it is a good time to consider how well you understand access to your Google cloud environment.

Servers on your LANs that have been breached, no matter what the path, will leave a packet trail that you can follow up to a suspicious device. There is no guarantee that that device is the end-point, but at least you have the start of the path that law enforcement can then follow.

In the Google cloud, how do you identify such suspicious activity? Google is getting better at identifying and alerting users to suspicious activity, but good hackers will be well aware of the alarms Google sets. So how do you, as an Admin, get the big picture and bring human intuition to bear on the collective pool of data?

One tool GAT provides is ‘User Logins’.

Clicking on this audit area lets you analyze the login behavior on your Google Domain by several metrics: source, volume, success, failures, etc.

The screenshot above is from the ‘Events’ tab and gives the big picture view of worldwide accesses to your domain. Are there logins from unexpected locations?

Clicking on the map marker shows the Email address, and all related information to this account such as IP Address, City, Country, Event and Date.

User logins can also be checked by clicking on the “Apply custom filter” button, where an admin can narrow down the search and extract more detailed information regarding an event.

For example, an Admin can search for all events with the status “Invalid Password”. This will bring up all matching results, display on the map where they actually happened, and generate a report for them. It shows Login Event Locations and Login IP Locations.

What else should you look for? Search by ‘OK’ logins and look for the ratio of different users to successful logins. If you see something like 10 logins from a single IP address and 5 different users, then that is either a new office you opened yesterday or very strange behavior – if it is not a new office then check out that address and those accounts in more detail.
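The ratio check described above can be run over an exported login report. The following is an added example, not GAT code: the event fields (`user`, `ip`, `status`), the `min_users` threshold and the `known_office_ips` allowlist are assumptions, and the sample rows are constructed to mirror the "10 logins, 5 users" case.

```python
from collections import defaultdict

def shared_ip_report(events, min_users=3, known_office_ips=()):
    """Return (ip, ok_logins, distinct_users) for IPs shared by many accounts.

    Only events with status "OK" are counted. IPs listed in known_office_ips
    (offices, VPN egress) are skipped. min_users is a hypothetical threshold.
    """
    logins = defaultdict(int)
    users = defaultdict(set)
    for ev in events:
        if ev["status"] != "OK" or ev["ip"] in known_office_ips:
            continue
        logins[ev["ip"]] += 1
        users[ev["ip"]].add(ev["user"].lower())
    report = [(ip, logins[ip], len(users[ip]))
              for ip in logins if len(users[ip]) >= min_users]
    # Most widely shared address first, then by IP for a stable order.
    return sorted(report, key=lambda row: (-row[2], row[0]))

# Constructed sample data (documentation IP ranges), not real logins.
NAMES = ["ann", "ben", "cat", "dan", "eve"]
SAMPLE_LOGINS = (
    [{"user": f"{n}@example.com", "ip": "203.0.113.50", "status": "OK"}
     for n in NAMES for _ in range(2)]                      # 10 logins, 5 users
    + [{"user": f"{n}@example.com", "ip": "198.51.100.10", "status": "OK"}
       for n in NAMES[:4]]                                  # existing office
    + [{"user": "ann@example.com", "ip": "192.0.2.9", "status": "OK"},
       {"user": "zed@example.com", "ip": "203.0.113.50", "status": "Invalid Password"}]
)

if __name__ == "__main__":
    for ip, ok, distinct in shared_ip_report(SAMPLE_LOGINS, known_office_ips={"198.51.100.10"}):
        print(f"{ip}: {ok} OK logins across {distinct} users")
```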

The second way GAT attempts to watch your back is via the Alarms section (Select ‘Alarms’ on the home page).

While these are no substitute for the human intelligence an Admin brings to bear by knowing their own data, they can help watch your back in some areas. To configure an alarm click on the plus icon/button.

Based on our experience the alarm ‘Alert on new IP addresses with negative logins’ is the most useful because it flags someone taking a ‘potshot’ at one of your domain accounts. We only alarm you if we have never seen a successful login from that address before – this eliminates a lot of false positives.
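The rule described above (alert on a failed login only when the source address has never produced a successful login) can be expressed as a small stateful pass over login events. This is an added example, not GAT's implementation: the event fields, the `known_good_ips` seed and the one-alert-per-(IP, user) deduplication are assumptions, and the sample events are constructed.

```python
def new_ip_failure_alerts(events, known_good_ips=()):
    """Return alerts for failed logins from IPs with no earlier successful login.

    events must be in chronological order. known_good_ips seeds the history,
    for example from earlier audit data. One alert is kept per (ip, user) pair.
    """
    good = set(known_good_ips)
    alerted = set()
    alerts = []
    for ev in events:
        ip, user = ev["ip"], ev["user"].lower()
        if ev["status"] == "OK":
            good.add(ip)              # later failures from this IP are not alarmed
        elif ip not in good and (ip, user) not in alerted:
            alerted.add((ip, user))
            alerts.append({"ip": ip, "user": user,
                           "time": ev["time"], "status": ev["status"]})
    return alerts

# Constructed sample events (documentation IP ranges), not real logins.
SAMPLE_LOGIN_EVENTS = [
    {"time": "09:00", "user": "alice@example.com", "ip": "198.51.100.10", "status": "OK"},
    {"time": "09:05", "user": "alice@example.com", "ip": "198.51.100.10", "status": "Invalid Password"},
    {"time": "09:10", "user": "bob@example.com", "ip": "203.0.113.77", "status": "Invalid Password"},
    {"time": "09:11", "user": "bob@example.com", "ip": "203.0.113.77", "status": "Invalid Password"},
    {"time": "09:12", "user": "carol@example.com", "ip": "203.0.113.77", "status": "Invalid Password"},
    {"time": "09:30", "user": "dave@example.com", "ip": "192.0.2.5", "status": "Invalid Password"},
    {"time": "09:31", "user": "dave@example.com", "ip": "192.0.2.5", "status": "OK"},
]

if __name__ == "__main__":
    for alert in new_ip_failure_alerts(SAMPLE_LOGIN_EVENTS):
        print(f"{alert['time']} {alert['status']} for {alert['user']} from new IP {alert['ip']}")
```

Alice's mistyped password from an address she already logged in from raises nothing, while the failures from 203.0.113.77 are flagged once per targeted account.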

Alert of Disabled 2 Factor Authentication

Go to the Alarm area in GAT+.

You can enable the option ‘Alert on 2FA disabled’. This alarm is fired whenever a user or an Admin disables an account’s 2FA mechanism when it had been working. For organizations that depend on high levels of security, this is a vital alarm to alert Admins to dangers.

You can also get alerted when 2FA codes are used by users.

Login Tracking and Alerting

Through its APIs, G Suite can provide all login activity over a 180-day period. GAT takes advantage of these API capabilities and combines them with some other security data, such as 2 Factor Authentication status, to provide a security report for users.

From the home page click on ‘Users’, then the ‘Security’ tab. Here you can analyze which users don’t have 2FA turned ON, when they last logged in and when they entered their passwords incorrectly.

If you have a large domain, it becomes difficult to identify users who have not logged in for a long time. Using the ‘Apply custom filter’ button, you can filter for users who have not logged in for the last 3 months, or 6 months if you wish.

Edit the security filters tab.

You may find this post about how to get alerted every time a user disables two-factor authentication useful.

How to Create a Report of the Documents End Users Own

In this use case, GAT allows domain admins to prepare a report that is sent to each user, showing the files that they own as a spreadsheet attachment.

The report can be prepared around several different user sets, depending on the scope the admin wishes to give to the report.

Select the Drive feature

First, we select Drive Audit then we apply a custom filter and search for files owned by our domain.

Select the filter

We simply search for files where the owner is our domain.

Select apply

Once we find all files owned by our domain, we can click the Apply button and this will run the search.

Click on the Files Operations button and select Remove Permissions. Remove Permissions has a feature to notify the owners of the files in this search result and provide them with a spreadsheet of all the files they own.

Select 'scan' in the multi permission change tab

In the Permission change option select “Report only”; this will ensure no actions are taken on the selected search.

Add a message of your choice.

Key terms to know about when creating a custom message:

{{RECIPIENT}} – recipient’s full name
{{RECIPIENT.FIRSTNAME}} – recipient’s first name
{{RECIPIENT.LASTNAME}} – recipient’s surname
{{RECIPIENT.EMAIL}} – recipient’s email
{{FILES}} – displays the files in question in the email, each with a URL link

This is the message the end user will see. The email will show the user all of the files he/she owns.

Clicking on the ‘View files’ button at the bottom will open a Google Spreadsheet for the user.

How to Find the Space Used on Google Drive

In this post, you will learn how to find used space on your Google Drive.

Using GAT, enter the User Audit, then select “Quota” from the top bar.

Select 'Users'

It will display the Quota available for all the users in your domain.

It shows all the users and their Google account usage.

    • Quota available for individual users
    • Quota used out of the availability
    • Quota used for Drive only
    • Quota used for Gmail only
    • Quota used for Photos only

Remember you can use “Apply custom filter” to narrow the search down to find individual users, groups, organizational units and so on. Reports can also be generated based on the usage by individual users/groups.

How to Clean Up Public Links with GAT

When users share files to an external user from their Google Drive via Gmail, they have the following options:

They can make the external user a viewer/reader of the file(s), or they can decide to share the file(s) via the public link.

One security weakness with this method of sharing is that Google does not allow the file owner to track file usage, either by the intended recipient or other parties if the sharing with link option is selected.

Steps to remediate these shares

Select the User, Group or OU long search in Drive audit.

We are using /Support OU as an arbitrary example search, including its sub-OUs, and we will only show the files owned by the members of the OU by selecting the Owned option. If the Owned option is left unchecked, the search will return all files which members of the OU can view, edit or own.

When we select ‘Request’ the long search will begin.

After we pull the search results, we can select “Show stats for current filter” and select “Open to public with link” to only focus on that exposure type.

You can immediately take action on files ‘open to public with link’ and remove these shares. To do this you can click File Operations and select Remove permissions.

When the menu appears, select the following option ‘Remove Only the following External Shares’ and enter everyone with link. This will remove the public with link files for /Support OU.

The above feature also allows you to send a custom message to notify the owners of these files.

Google Cloud Print Auditing

Using GAT+, it’s possible as an Admin to audit your domain’s cloud print environment.

From the ‘Home Page’, selecting ‘Printers’ will take you to the printer queue audits.

Once there, you have the usual wide range of GAT search selection criteria.

GAT lets you search under a wide range of search options.

You can see all “Printer jobs”.

Enter the Printer jobs tab to see all queued and completed prints, here you can view details of the print. For each print job, you will see the email of the user who initiated the print, date of the print job and the title of the file.

There is an option to remove the print job if it’s still in the print queue.

select to remove print job

In User audit, Print tab you will see full details of the print jobs by your users summarized.

Here you can sort your users by details such as the number of jobs printed, printers they have access to, last time they printed, etc.

With GAT Google Cloud Print audit, another important data leakage gap has been closed: information leaving the premises in hard copy. In-house printers are of course covered by local printer server management and audit software, but Cloud Print opened up a new avenue allowing direct printing to any Chrome-enabled PC with a printer. This printing was ‘off the radar’ until now.

Auditing Cloud Print also fills an important accounting need for educational organizations who have adopted Cloud Print widely. This will allow Admins to allocate costs appropriately.

Create a daily report of files shared internally

As super admins, we are interested in what files are shared in or out of our domain, but it can also be quite interesting to see what documents are being shared internally. This is quite easy with GAT+.

In Drive Audit, click on the apply custom filters button.

Select the following search parameters in the filter selection area.

Select 'apply & schedule'

Note: We selected a time period since the files were last updated, in our case since yesterday. Then we scheduled the report to run daily.
This report will show us data for all files shared internally within our domain on a daily basis for each previous day going forward.

The date will be changed automatically to run a new search for files shared internally on the next day and so on.