How to Save Your GAT Searches for Later Use

One of the nice things about the General Audit Tool is that you can build detailed and complex searches. These searches can then be saved for use as audits, policy checks, or simply to be used again to save time.

In the screenshots below, we build a search for all documents owned by members of the group ‘sales’, but we want to exclude the member of the group called ‘Robert’.

To achieve this, go to the Drive audit, open the Files tab and apply the custom filter.

We set the Type of the search to User / Group / OU Search, select the name of the group and the files owned by its members, then exclude documents where the owner is ‘Robert’, and finally select ‘Apply & Save’.

This saves the search for future reference, so we can apply it again and edit it.
We can simply export the data into a spreadsheet.

We can also create and schedule a report that can be run on a weekly or daily basis.

Audit and Policy for G Suite Apps

With GAT+ you can audit and set policies for additional apps running in your Google Apps environment. These third-party G Suite apps are given permission to access user data via API access, which users enable when installing those apps.

GAT+ provides two different audit areas to analyze this information.

In User audit, Application Tab.

In the Side Menu of GAT+, select the ‘Users’ audit and then the Applications Tab.

You can then search for any user, group or OU to focus on a subset of users. This will list by email and name showing the number of apps each user has granted API access to. You can click on the Apps column heading to sort by the number of apps installed for each user. Clicking on the number in this column takes you directly through to the Applications audit section to view further details.

For a more in-depth look at 3rd party apps, navigate to the Applications audit section.
The Applications tab within the Application audit section displays the names of the apps installed, the scopes they’ve been given, and a scope risk score (a score we give based on the risk involved in the scopes required by the application).

Low – Is where the application requires just basic access.

Medium – Is where more access is required.

High – Is where full access is required like access to drive content, email content, and directory contacts.

From this page, you can search for apps under a wide range of criteria. For any given app you can set a number of policy conditions; these are for both enforcement and classification.

Apps can be:

  • Banned
  • Trusted

You can Ban an application for individual users by entering their email addresses or you can use Google Groups or Organisation Units to cover multiple users at once. A Ban policy will prevent the cloud-based application from gaining access to the API permission it once had. GAT+ will block these privileges from being accessed.

Note: Users can manually enable these permissions again once the app is launched. GAT+ will detect this and disable those permissions once more.

A single app can be both partially banned and partially trusted.

All other apps remain unclassified.

To create a policy for an application, click on the ‘+’ button.

The default policy setting is ‘Ban’. Select which users will be covered by this policy. When the policy is ready click ‘Save’ to have it enforced.

To remove a policy, click the ‘bin’ at the end of the individually named policy you want to remove.

GAT Device Audits

Auditing of devices is broken into two areas:

  1. ChromeOS Devices.
  2. Mobile Devices.


These two auditing areas provide a lot of control to super admins. Admins will have control over who can sync with G Suite cloud services via a mobile device. You can take actions such as blocking a certain mobile device if it’s not approved or verified. These actions can only be taken if Mobile Device Management has been enforced within your G Suite Admin Console.

Chrome OS Device Auditing

With ChromeOS Device auditing you can edit details of enrolled Chrome devices in bulk. You can locate and find a Chrome OS device very quickly and view its details like serial number and last user.

Chrome OS Device management (and hence auditing) requires an additional Chrome Management License from Google.

GAT also allows you to search Chrome OS devices by both ‘ID’ and ‘Status’ as well as all the other common GAT search criteria.

One important point to note is that the user or the Admin sets the value for ‘User’ when setting up the Chrome OS device. We strongly recommend you set it to the User’s email address; that way we can link it to the other ‘User’ audits.

When the “eye” icon is selected it shows ChromeOS device details.
Two types of information are displayed:

  • General
  • Hardware and OS

View the device details, including ‘MAC Address’.

Edit the device settings to set the ‘User’ value to the email address of a user on your domain whom you want to be associated with that device.

All reports can be exported to a spreadsheet.

All reports can be scheduled to run at a set period.

Google Cloud Print Auditing

Using GAT+ it’s possible as an Admin to audit your domain’s cloud print environment.

From the ‘Home Page’, selecting ‘Printers’ will take you to the printer queue audits.

Once there you have the usual wide range of GAT search selection criteria.

GAT lets you search under a wide range of search options.

Enter the Printer jobs tab to see all queued and completed prints. Here you can view details of each print. For each print job, you will see the email of the user who initiated the print, the date of the print job and the title of the file.

There is an option to remove the print job if it’s still in the print queue.

In User audit, Print tab you will see full details of the print jobs by your users summarized.

Here you can sort your users by details such as the number of jobs printed, printers they have access to, last time they printed, etc.

With GAT Google Cloud Print audit another important data leakage gap has been closed: information leaving the premises in hard copy. In-house printers are of course covered by local printer server management and audit software, but Cloud Print opened up a new avenue allowing direct printing to any Chrome-enabled PC with a printer. This printing was ‘off the radar’ until now.

Auditing Cloud Print also fills an important accounting need for educational organizations who have adopted Cloud Print widely. This will allow Admins to allocate costs appropriately.

Alarms

GAT+ has an alarms feature which assists Admins by detecting unusual behaviour on their Google Apps domain. The alarms report is run every time an Admin logs into GAT or when a scheduled job is run against the domain.

Because every domain has different ‘normal’ behaviour, we allow Admins to set the variable thresholds on the alerts so that these are configured to best suit the circumstances of each particular domain.

We also recognize that not every feature we alarm for is an alarm the Admin wants/needs to receive, which is why you can turn them off individually by toggling the ‘Enable alarms’.

You can set up different alarms for each user OU you have.

The alarms are self-explanatory; however, one worth drawing attention to is ‘alert on new IP address with negative logins’. This combines the information that it is the first time the domain has been accessed from this IP address with the information that the login also failed. The combination of these two details might indicate a high level of risk that this is the start of a break-in attempt.
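
The logic behind the ‘new IP address with negative logins’ alarm can be sketched as follows. This is an added example, not GAT's own code: the event fields, the class name and the per-OU switch are assumptions, as is the choice to record an IP after its first event so that the alarm fires once per address.

```python
from dataclasses import dataclass, field

# Constructed sample login events (not real GAT or Google audit data).
# Assumed fields: timestamp (UTC, ISO 8601), user, OU, source IP, success.
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00Z", "alice@example.com", "/Sales", "198.51.100.10", True),
    ("2024-05-01T08:05:00Z", "bob@example.com", "/Sales", "198.51.100.10", False),
    ("2024-05-01T09:01:00Z", "alice@example.com", "/Sales", "203.0.113.7", False),
    ("2024-05-01T09:00:00Z", "alice@example.com", "/Sales", "203.0.113.7", False),
    ("2024-05-01T10:00:00Z", "carol@example.com", "/Staff", "192.0.2.44", True),
    ("2024-05-01T11:00:00Z", "dave@example.com", "/Students", "192.0.2.99", False),
]


@dataclass
class NewIpFailedLoginAlarm:
    """Alert when a login fails from an IP never seen before on the domain."""
    known_ips: set = field(default_factory=set)    # IPs already seen on the domain
    enabled_ous: set = field(default_factory=set)  # OUs where the alarm is switched on

    def process(self, events):
        alerts = []
        # Process in time order so "first seen" is judged correctly even if
        # the log export is out of order (UTC ISO 8601 strings sort by time).
        for ts, user, ou, ip, success in sorted(events, key=lambda e: e[0]):
            first_seen = ip not in self.known_ips
            # Assumption: every IP is recorded after its first event, whatever
            # the outcome or OU, so the alarm fires once per address.
            self.known_ips.add(ip)
            if first_seen and not success and ou in self.enabled_ous:
                alerts.append({"time": ts, "user": user, "ou": ou, "ip": ip})
        return alerts


def run_sample():
    """Run the alarm over the constructed events with a one-IP baseline."""
    alarm = NewIpFailedLoginAlarm(
        known_ips={"198.51.100.10"},       # baseline: an address already in use
        enabled_ous={"/Sales", "/Staff"},  # alarm disabled for /Students
    )
    return alarm.process(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only the 09:00 failure from 203.0.113.7 raises an alert: the failed login from the baseline address, the successful login from a new address, and the failure in an OU with the alarm disabled do not.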

Note: ‘Alert when account idle for a period greater than XX days is used again’ will also trigger when a previously un-accessed delegated account has been accessed by one of the delegates OR when an email is sent which includes that account as a ‘from’ address.

Internet Censorship in Schools: Block Bad Language

Amplified IT have produced a spreadsheet which is now widely used in many schools as the basis of their Reg. Ex. searches for bad or homophobic words.
We have slightly added to each of the four reg. ex. rules they published and made them available as templates for all our educational domains using GAT Shield.

Schools who use these can now apply them in Shield with just a click of a mouse. Our templates also contain many other useful examples that can be used and expanded upon by Admins.

Review the words covered by the different Amplified IT templates

GAT Shield - Amplified IT Rule Templates.

Google Calendar Audit

Calendar Discovery

GAT+ supports full domain-wide automatic calendar discovery and exposure classification.

GAT discovers all calendars, even those imported automatically. It also classifies them by exposure type.

You can click on the Apply Custom filter button to search for a particular calendar.

There are a multitude of different search operators you can use and also combine together to find the right calendar.

User Audit, Calendar Tab

In addition, GAT has extended the User audit to show the number of calendars per user and the number of events per user, both past and scheduled.

The values under Calendars, Past events, Future events and Total columns are all clickable. Clicking on any value will take you to the Calendar audit section so you can view those events in detail.

Event Discovery

In addition to the automatic calendar discovery, GAT can report on domain-wide automatic event discovery.

With the addition of ‘events’ reporting, Admins can now examine the past and future appointment list of users on the domain. This can be particularly useful for departing employees who may have future appointments management needs to be aware of.

Managing Past/Future events:

  • Ability to delete an instance of an event
  • Ability to delete all recurring events
  • Remove users from events and/or recurring events

Seeing Everyone’s Future – Getting Many Calendar Event Reports at Once

In addition to auditing the security and exposure of calendars, you can also audit calendar events, past, and future. As with all GAT audits, you can audit for user, group, OU or the entire domain.
This tech tip is a great way to see what everyone is planning going forward.


In the Calendars Audit, select the ‘Calendar Events’ tab.

  1. Set the period to ‘future’; this will show all forward events set for the next year.
  2. Use “Created” after or equal to yesterday to find one day only.
  3. Click ‘Search’. It does not matter if no events are returned; a search chip has been created.
  4. To have this run as a report, simply select the “Scheduled” option.
  5. Then you can choose the “Occurrence”.
  6. Apply and Schedule, and the report is set up.

In the filter itself you can select options such as whether the report runs weekly, monthly or on a custom schedule.

In the example above we create a report which runs every day after midnight and covers future calendar events created. It will report only where there is something to report. This will give you a daily report of all new future events created yesterday.
The report can be found in the Admin/Recipient Drive folder.

It will be updated on a daily basis; the ‘Created’ date will automatically change to the new day.

Delegated Audits – Notes to Delegated Audit Admins [Old UI]

If you have been nominated as a delegated auditor by the Domain Super Admin, you can now audit all the documents (and possibly emails) of the group over which you have been given audit authority.

To start an audit, select the ‘More’ menu you see at the top of your G Suite screen.

Select one or other of ‘General Audit Tool – Email Extension’ or ‘General Audit Tool for Google Apps’

This will now bring up an Audit screen. From here you can audit both your own environment and those of the other members of the group. You will see a screen similar to below.

Depending on your environment ‘Emails’ may or may not be present.

This tool lets you see where all the documents of your group are being shared to or from. It also allows you to search through all the documents of the group for certain keywords. You can schedule reports to be alerted to certain events, such as documents being shared outside the domain. In fact what you can be alerted to is almost endless.

If you are a line manager you may be interested in using the tool to see what your staff are doing in terms of productivity.

Start by selecting the ‘Docs Audit’, the result will cover all the members of your group.

How many documents are employees creating and sharing on a daily basis?

Let’s start with ‘Documents Created’ and let’s look at the results for today (we can expand to weekly and monthly by moving the ‘From’ date further back).

In the Docs Audit tool, we pick documents created and enter today’s date.

This shows 18 new items in total: 2 Word docs, 2 files uploaded, 5 folders, 7 spreadsheets, and one item thrown to trash. Of these, only one was an internal collaboration (in yellow). Clicking on any number shows you exactly those documents in full detail.

But that is not the whole story for the day’s work.

How many documents did the staff work on? For this, we select ‘Documents Changed’.

Here we see the number has grown bigger, for while the staff created 18 documents today, they actually worked on 38.

Again the breakdown is as described above except now we know three of those documents were external and shared ‘In’, 1 was public, 1 was public with link, 1 was an external collaboration and 12 were internal collaborations.

But even this is not the whole story, how many documents did our staff actually look at today?

For the answer to this question we select ‘Documents Viewed’.

Here we see they viewed 48 documents, of which 4 were shared in and 4 shared out. So that’s 8 separate items of external collaboration.

In the case of each search, the document listings are shown in some detail below. However, you can also save the reports as a Google spreadsheet, or download them as a spreadsheet to your PC (these report listings have even more detail).

If your department or group has costs allocated against it for space usage, you are going to be interested in how much ‘space’ you are using.

Cost – To answer the cost question simply click on the icon showing the 2 ‘uploaded files’

In this case, it shows one of those files was trashed (but it’s still taking up your ‘paid for’ space) and the size of the two files was just 6.3 kB.

To see the drive space used by each user simply click on ‘View all Users’ from any screen.

You can then sort up or down based on the column ‘Docs Quota’.

Security – how do we address that?

We can see we have been addressing security at every stage of the process, identifying clearly files that are shared ‘In’ or ‘Out’, made ‘Public’ or even just shared ‘Internally’. Security is inherent to every part of our reporting process. You will see as you run the reports who owns the files, who they are shared with, who can edit them, who has updated them and who has visited them.

All of this detail is also reported in the spreadsheet that can be generated as part of a daily audit, a weekly audit or a monthly audit (in fact you can set the window to be any period you choose).

How do I get this type of information sent to me daily?

Two simple steps 1) Filter (as above) and 2) Schedule.

We show you how to set up a Policy or an Audit and have the right people notified in our post ‘Using GAT to detect a sharing policy violation’.

Footnote: On Engagement

Audit engagement in the General Audit Tool

G Suite Admin Guides Chrome Management

(See Granting GAT Additional Access rights and GAT Device Audits also)

Google Chrome Management

G Suite provides device management for Chrome OS devices and also lets you manage the Chrome browser (installing apps, managing security settings etc.) on PC and Mac.

Management is all done through the G Suite Admin Console.

There is an additional licence required to manage Chrome OS devices, however, managing the Chrome Browser on PC and Mac is included as part of your G Suite for Business licence.

Note: When associating a name with a Chrome Device in the Admin panel, use the user email address from your domain. This will enable GAT to link the device with the user reports and allow cross reporting.

Managing the Chrome Browser

Note: If you wish to use Chrome Management on PC or Mac the Chrome Browser must be installed using the Chrome for Business MSI package which can be downloaded here

Chrome Management settings are accessed by logging into the G Suite Admin Console (https://admin.google.com) and going to Device Management > Chrome.

To manage the Chrome Browser settings click on “User Settings”. These settings apply both to the Chrome Browser on PC/Mac (installed using the .msi) and to the Chrome Browser on managed Chrome OS devices.

From here you have options to:

  • Allow or block particular types of Chrome apps and extensions
  • Pre-install Apps and Extensions
  • Choose which Apps and Extensions are Pinned to the Chrome Launcher
  • Manage the Chrome Web Store experience
  • Adjust Security Settings (like use of the password manager, incognito mode, browser history etc.)
  • Set a proxy server
  • Set a Homepage and Pages to Load on Startup
  • Allow or Block certain types of content (such as cookies, JavaScript, Plugins etc.)

Managing Chrome OS devices

The other screens under “Chrome” are exclusively for Chrome OS devices and require a separate licence from Google.

With Chrome OS devices you have options to configure:

  • Public Sessions – Configure settings for public session mode.
  • Device Settings – Enforce device enrollment, enable or disable Guest Mode, restrict sign-in to a set list of users etc.
  • Network Settings – Configure WiFi, Ethernet and VPN settings.
  • Devices – View and audit enrolled Chrome OS devices.

Enrolling Chrome devices that have already been used

You need to first enrol your Chrome devices to enforce policies on them set in your Admin console. Each device you enrol adheres to the Chrome settings you set in the Admin console until you wipe or recover the device. Note that if you “powerwash” the device, you will not be able to enrol it. If you need to reset the device, see Wipe device data.

New devices should always be manually enrolled. Devices that have been previously enrolled, deprovisioned, wiped and placed back into pending are eligible for automatic enrollment if the policy is enabled.

See this link below for more details.
