Groups Audit Explained

GAT supports a separate audit for Groups. The purpose of this audit is two-fold. It reports on the ownership, membership and access rights for each group, along with details such as aliases and managers. It can also be used to detect and report new or changed groups. These are important security features.

An admin can easily have an overview of all groups based on the members.


You can select any individual field to be redirected to the tab the result was gathered from. You can search and filter by a range of criteria.

You can manage the groups directly from within GAT+: just export, edit and import.

You can also see every detail regarding the group right away. Just select the ‘eye’ icon and it will display all the details: group details, the list of members and events related to the group.

An admin can also perform other actions on the group selected, like show members, copy or delete the group.

You can also view the group members and last event by member of the group.

The Events tab displays actions that occurred on a group: which user acted, on which group, and what event happened.

Last Used displays the last actions performed in a group, based on last use in File, Email and Calendar.

How to Save Your GAT Searches for Later Use

One of the nice things about the General Audit Tool is that you can build detailed and complex searches. These searches can then be saved for use as audits, policy checks, or simply to be used again to save time.

In the screenshots below, we build a search for all documents owned by members of the group ‘sales’; however, we want to exclude the member of the group called ‘Robert’.

To achieve this we can go to Drive audit, open the Files tab and apply the custom filter.

We set the Type of the search to User / Group / OU Search, select the name of the group and the files owned by them, exclude documents where the owner is ‘Robert’, then simply select ‘Apply & Save’.

This saves the search for future reference, and we can apply it again and edit it.
We can simply export the data into a spreadsheet.

We can also create and schedule a report that can be run on a weekly or daily basis.

Audit and Policy for Google Apps

With GAT+ you can audit and set policies for additional apps running in your Google Apps environment. These third-party G Suite apps are given permission to access user data via API access, which users enable when installing those apps.

GAT+ provides two different audit areas to analyze this information.

In User audit, Application Tab.

In the Side Menu of GAT+ select the ‘Users’ audit and then the Applications tab.

You can then search for any user, group or OU to focus on a subset of users. This will list by email and name showing the number of apps each user has granted API access to. You can click on the Apps column heading to sort by the number of apps installed for each user. Clicking on the number in this column takes you directly through to the Applications audit section to view further details.

For a more in-depth look at third-party apps, navigate to the Applications audit section.

The Applications tab within the Application audit section displays the names of the apps installed, the scopes they’ve been given, and a scope risk score (a score we give based on the risk involved in the scopes required by the application).

Low – the application requires just basic access.

Medium – more access is required.

High – full access is required, such as access to Drive content, email content and directory contacts.


From this page, you can search for apps under a wide range of criteria. For any given app you can set a number of policy conditions; these are for both enforcement and classification.

Apps can be:

  • Banned
  • Trusted

You can Ban an application for individual users by entering their email addresses or you can use Google Groups or Organisation Units to cover multiple users at once. A Ban policy will prevent the cloud-based application from gaining access to the API permission it once had. GAT+ will block these privileges from being accessed.

Note: Users can manually enable these permissions again once the app is launched. GAT+ will detect this and disable those permissions once more.

A single app can be both partially banned and partially trusted.

All other apps remain unclassified.

To create a policy for an application, click on the ‘+’ button.

The default policy setting is ‘Ban’. Select which users will be covered by this policy. When the policy is ready click ‘Save’ to have it enforced.

To remove a policy, click the ‘bin’ at the end of that individually named policy.

GAT Device Audits

Auditing of devices is broken into two areas:

  1. ChromeOS Devices.
  2. Mobile Devices.


These two auditing areas provide a lot of control to super admins. Admins will have control over who can sync with G Suite cloud services via a mobile device. You can take actions such as blocking a certain mobile device if it’s not approved or verified. These actions can only be taken if Mobile Device Management has been enforced within your G Suite Admin Console.

Chrome OS Device Auditing

With ChromeOS Device auditing you can edit details of enrolled Chrome devices in bulk. You can locate and find a Chrome OS device very quickly and view its details like serial number and last user.

Chrome OS Device management (and hence auditing) requires an additional Chrome Management License from Google.

GAT also allows you to search Chrome OS devices by both ‘ID’ and ‘Status’ as well as all the other common GAT search criteria.

One important point to note is that the user or the Admin sets the value for ‘User’ when setting up the Chrome OS device. We strongly recommend you set it to the User’s email address, that way we can link it to the other ‘User’ audits.

When the “eye” icon is selected it shows ChromeOS device details.
Two types of information are displayed:

  • General
  • Hardware and OS

View the device details, including ‘MAC Address’.

Edit the device settings to set the ‘User’ value to the email address of a user on your domain whom you want to be associated with that device.

All reports can be exported to a spreadsheet.

All reports can be scheduled to run at a set period.

Google Cloud Print Auditing

Using GAT+ it’s possible as an Admin to audit your domain’s cloud print environment.

From the ‘Home Page’, selecting ‘Printers’ will take you to the printer queue audits.

Once there you have the usual wide range of GAT search selection criteria.

GAT lets you search under a wide range of search options.

Enter the Printer jobs tab to see all queued and completed prints; here you can view details of each print. For each print job, you will see the email of the user who initiated the print, the date of the print job and the title of the file.

There is an option to remove the print job if it’s still in the print queue.

In User audit, Print tab you will see full details of the print jobs by your users summarized.

Here you can sort your users by details such as the number of jobs printed, printers they have access to, last time they printed, etc.

With GAT Google Cloud Print audit another important data leakage gap has been closed: information leaving the premises in hard copy. In-house printers are of course covered by local printer server management and audit software, but Cloud Print opened up a new avenue allowing direct printing to any Chrome-enabled PC with a printer. This printing was ‘off the radar’ until now.

Auditing Cloud Print also fills an important accounting need for educational organizations who have adopted Cloud Print widely. This will allow Admins to allocate costs appropriately.

Alarms

GAT+ has an alarms feature which assists Admins by detecting unusual behaviour on their Google Apps domain. The alarms report is run every time an Admin logs into GAT or when a scheduled job is run against the domain.

Because every domain has different ‘normal’ behaviour, we allow Admins to set the variable thresholds on the alerts so that these are configured to best suit the circumstances of each particular domain.

We also recognize that not every feature we alarm for is an alarm the Admin wants/needs to receive, which is why you can turn them off individually by toggling the ‘Enable alarms’.

You can set up different alarms for each user OU you have.

The alarms are self-explanatory; however, one worth drawing attention to is ‘alert on new IP address with negative logins’. This combines the information that it is the first time the domain has been accessed from this IP address with the information that the login also failed. The combination of these two details might indicate a high level of risk that this is the start of a break-in attempt.
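The combination behind the ‘new IP address with negative logins’ alarm can be sketched as follows. This is an added example, not GAT+ code: the log line format, field names and function names are assumptions, and the sample events are constructed.

```python
from datetime import datetime

# Constructed sample login events (not real GAT+ or Google log output).
# Assumed format: ISO timestamp, user, source IP, outcome.
SAMPLE_EVENTS = """\
2024-03-01T08:00:12 alice@example.com 198.51.100.10 success
2024-03-01T08:05:40 bob@example.com 198.51.100.10 success
2024-03-02T09:14:03 alice@example.com 198.51.100.10 failure
2024-03-02T23:41:55 carol@example.com 203.0.113.77 failure
2024-03-02T23:42:10 carol@example.com 203.0.113.77 failure
2024-03-03T07:30:00 bob@example.com 192.0.2.45 success
2024-03-03T07:31:00 bob@example.com 192.0.2.45 failure
"""


def parse_events(text):
    """Parse whitespace-separated log lines into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "outcome": outcome})
    return sorted(events, key=lambda e: e["time"])


def new_ip_failed_login_alerts(events, known_ips=()):
    """Return events where the first access ever seen from an IP is a failed login.

    known_ips seeds the baseline with addresses the domain has used before.
    A failure from an already-seen IP, or a success from a new IP, is not
    reported: only the combination of both conditions raises the alert.
    """
    seen = set(known_ips)
    alerts = []
    for event in events:
        first_time = event["ip"] not in seen
        seen.add(event["ip"])  # later events from this IP are no longer "new"
        if first_time and event["outcome"] == "failure":
            alerts.append(event)
    return alerts


if __name__ == "__main__":
    for a in new_ip_failed_login_alerts(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {a['time'].isoformat()} {a['user']} from new IP {a['ip']}")
```

The repeated failure from the same new address is deliberately not reported a second time, which keeps one probing source from flooding the alarm report.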

Note: ‘Alert when account idle for a period greater than XX days is used again’ will also trigger when a previously un-accessed delegated account has been accessed by one of the delegates OR when an email is sent which includes that account as a ‘from’ address.

Internet Censorship in Schools: Block Bad Language

Amplified IT have produced a spreadsheet which is now widely used in many schools as the basis of their Reg. Ex. searches for bad or homophobic words.
We have slightly added to each of the four reg. ex. rules they published and made them available as templates for all our educational domains using GAT Shield.

Schools who use these can now apply them in Shield with just a click of a mouse. Our templates also contain many other useful examples that can be used and expanded upon by Admins.

Review the words covered by the different Amplified IT templates

GAT Shield - Amplified IT Rule Templates.

Calendar Audit

Calendar Discovery

GAT+ supports full domain-wide automatic calendar discovery and exposure classification.

GAT discovers all calendars, even those imported automatically. It also classifies them by exposure type.

You can click on the Apply Custom filter button to search for a particular calendar.

There are a multitude of different search operators you can use and also combine together to find the right calendar.

 

User Audit, Calendar Tab

In addition GAT has extended the User audit to show the numbers of calendars per user and the number of events per user, both past and scheduled.

The values under Calendars, Past events, Future events and Total columns are all clickable. Clicking on any value will take you to the Calendar audit section so you can view those events in detail.

 

Event Discovery

In addition to the automatic calendar discovery, GAT can report on domain-wide automatic event discovery.

With the addition of ‘events’ reporting, Admins can now examine the past and future appointment list of users on the domain. This can be particularly useful for departing employees who may have future appointments that management needs to be aware of.

Managing Past/Future events:

  • Ability to delete an instance of an event
  • Ability to delete all recurring events
  • Remove users from events and/or recurring events

 

Seeing Everyone’s Future – Getting Many Calendar Event Reports at Once

In addition to auditing the security and exposure of calendars, you can also audit calendar events, past, and future. As with all GAT audits, you can audit for user, group, OU or the entire domain.
This tech tip is a great way to see what everyone is planning going forward.


In the Calendars Audit, select the ‘Calendar Events’ tab.

  1. Set the period to ‘future’; this will show all forward events set for the next year.
  2. You can use “Created” after or equal to yesterday to find one day only.
  3. Click ‘Search’. It does not matter if no events are returned; a search chip has been created.
  4. To have this run as a report, simply select the “Scheduled” option.
  5. Then you can choose the “Occurrence”.
  6. Apply and Schedule, and the report is set up.

In the filter itself you can select options such as when the report should run: weekly, monthly or custom.

In the example above we create a report which runs every day after midnight and covers future calendar events created. It will report only where there is something to report. This will give you a daily report for all new future events created yesterday.
The report can be found in the Admin/Recipient Drive folder.

The report will be updated on a daily basis; the “Created” value is automatically changed to the new day.

Delegated Audits – Notes to Delegated Audit Admins

If you have been nominated as a delegated auditor by the Domain Super Admin, you can now audit all the documents (and possibly emails) of the group over which you have been given audit authority.

To start an audit, select the ‘More’ menu you see at the top of your G Suite screen.

Select one or other of ‘General Audit Tool – Email Extension’ or ‘General Audit Tool for Google Apps’.

This will now bring up an Audit screen. From here you can audit both your own environment and those of the other members of the group. You will see a screen similar to below.

 

Depending on your environment ‘Emails’ may or may not be present.

This tool lets you see where all the documents of your group are being shared to or from. It also allows you to search through all the documents of the group for certain key-words. You can schedule reports to be alerted to certain events, such as documents being shared outside the domain. In fact what you can be alerted to is almost endless. 

 

If you are a line manager you may be interested in using the tool to see what your staff are doing in terms of productivity.

Start by selecting the ‘Docs Audit’, the result will cover all the members of your group.

How many documents are employees creating and sharing on a daily basis?

 

Let’s start with ‘Documents Created’ and let’s look at the results for today (we can expand to weekly and monthly by moving the ‘From’ date further back).

In the Docs Audit tool, we pick documents created and enter today’s date.

This shows 18 new items in total: 2 word docs, 2 files uploaded, 5 folders, 7 spreadsheets, and one item thrown to trash. Of these, only one was an internal collaboration (in yellow). Clicking on any number shows you exactly those documents in full detail.

 

But that is not the whole story for the day’s work.

How many documents did the staff work on? For this, we select ‘Document’s Changed’.

 

Here we see the number has grown bigger, for while the staff created 18 documents today, they actually worked on 38.

Again the breakdown is as described above except now we know three of those documents were external and shared ‘In’, 1 was public, 1 was public with link, 1 was an external collaboration and 12 were internal collaborations.

But even this is not the whole story, how many documents did our staff actually look at today?

For the answer to this question we select ‘Document’s Viewed’.

Go to 'Between dates' and select 'Documents Viewed'

 

Here we see they viewed 48 documents, of which 4 were shared in and 4 shared out. So that’s 8 separate items of external collaboration.

In the case of each search, the document listings are shown in some detail below. However, you can also save the reports as a Google spreadsheet, or download them as a spreadsheet to your PC (these report listings have even more detail).

 

If your department or group has costs allocated against it for space usage, you are going to be interested in how much ‘space’ you are using.

Cost – To answer the cost question simply click on the icon showing the 2 ‘uploaded files’.

 

In this case, it shows one of those files was trashed (but it’s still taking up your ‘paid for’ space) and the size of the two files was just 6.3 kB.

To see the drive space used by each user simply click on ‘View all Users’ from any screen.

You can then sort up or down based on the column ‘Docs Quota’.

 

Security – how do we address that?

We can see we have been addressing security at every stage of the process, identifying clearly files that are shared ‘In’ or ‘Out’, made ‘Public’ or even just shared ‘Internally’. Security is inherent to every part of our reporting process. You will see as you run the reports who owns the files, who they are shared with, who can edit them, who has updated them and who has visited them.

All of this detail is also reported in the spreadsheet that can be generated as part of a daily audit, a weekly audit or a monthly audit (in fact you can set the window to be any period you choose).

 

How do I get this type of information sent to me daily?

Two simple steps: 1) Filter (as above) and 2) Schedule.

We show you how to set up a Policy or an Audit and have the right people notified in our post ‘Using GAT to detect a sharing policy violation’.

Footnote: On Engagement

Audit engagement in the General Audit Tool