Google Drive: Who Read What Document and When?

This question comes up from time to time and GAT makes it easy to find the detailed answer.


First, we find all the documents the person reads (or has ‘viewed’).
To achieve this we navigate to GAT’s Google Drive audit. We select the Event tab, then we apply a custom filter.
For the search we enter the email address of the person we’re interested in, then pick an event type as “View” (you can select different options such as download, upload, print, created).
You can select a date parameter to narrow down your search results (if you don’t enter a date, it will scan by user and event type and find every document ever read by that person).


The example in the screenshot below will display all view events by the user in the past 29 days (since the start of the month).

However, we can refine our Google Drive searches even further…

Let’s exclude files where this user is also the owner of those files because we are only interested in files this user viewed which are not his own.

To do this, export the results. This will create a spreadsheet where we can edit the owner tab to exclude the person you are currently searching for.

The result you get is all the documents visited by the subject, excluding the files he owns.

A follow-on question from this is how do we create daily/weekly reporting for all or some documents in our domain?

We have a separate post about how to schedule daily/weekly reports on event activities on files.

In this post, we will discuss how you can handle and audit external files shared into your domain. You will quickly be able to analyse which external users are sharing in the largest number of files.

On the GAT+ homepage, click on Drive, then select External Users tab. This will provide a list of all external users.

To identify the files shared in by these external users, review the column Owns (not ours).

The External Users auditing section shows in detail all the external users that have access to documents on your domain. Some of these docs may be owned by your domain, some not, but they are all opened by or shared explicitly to your users.

The report produces 6 columns, all sortable. The external view lists all the external users and is sorted by the number of documents you have in common but may be sorted by any other column also.  

  • In particular, Can edit (our docs only) is an important sort, to see who the big external collaborators are for documents owned by local users on your domain.
  • Can view (our docs only) indicates files external users can view which are owned by your local users on your domain.
  • Can Edit (any doc) and Can view (any doc): these values may contain files which are not owned solely by your domain; they may be owned by other external domains.

Clicking on any blue number links to the files reflected in that category. This allows the admin to export the detailed metadata about these files.
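The distinction between the "our docs only" and "any doc" columns can be reproduced from plain file metadata. The following is an added example, not GAT's own code: the domain, file records and field names are constructed, the column semantics are an interpretation of the descriptions above, and every file is assumed to be visible to at least one local user already.

```python
from collections import defaultdict

DOMAIN = "example.com"  # assumption: the local domain

# Constructed file metadata: owner plus explicit editor and viewer lists.
FILES = [
    {"id": "f1", "owner": "alice@example.com",
     "editors": ["pat@partner.example"], "viewers": ["sam@vendor.example"]},
    {"id": "f2", "owner": "bob@example.com",
     "editors": ["pat@partner.example", "alice@example.com"], "viewers": []},
    {"id": "f3", "owner": "pat@partner.example",
     "editors": ["alice@example.com"], "viewers": ["bob@example.com"]},
    {"id": "f4", "owner": "lee@other.example",
     "editors": ["pat@partner.example", "bob@example.com"], "viewers": ["sam@vendor.example"]},
    {"id": "f5", "owner": "alice@example.com",
     "editors": [], "viewers": ["sam@vendor.example"]},
]

COLUMNS = ("owns_not_ours", "can_edit_ours", "can_view_ours", "can_edit_any", "can_view_any")


def is_local(email, domain=DOMAIN):
    """Exact match on the part after the last '@' (a suffix match would be too loose)."""
    return email.lower().rsplit("@", 1)[-1] == domain


def external_users_report(files, domain=DOMAIN):
    """One row per external user, sorted by number of documents in common."""
    report = defaultdict(lambda: {c: set() for c in COLUMNS})
    for f in files:
        ours = is_local(f["owner"], domain)
        if not ours:
            report[f["owner"]]["owns_not_ours"].add(f["id"])
        for role, any_col, ours_col in (("editors", "can_edit_any", "can_edit_ours"),
                                        ("viewers", "can_view_any", "can_view_ours")):
            for user in f[role]:
                if is_local(user, domain):
                    continue
                report[user][any_col].add(f["id"])
                if ours:  # only files owned inside the domain count as "our docs"
                    report[user][ours_col].add(f["id"])
    rows = []
    for user, sets in report.items():
        row = {"user": user, "in_common": len(set().union(*sets.values()))}
        row.update({col: len(ids) for col, ids in sets.items()})
        rows.append(row)
    return sort_by(rows, "in_common")


def sort_by(rows, column):
    """Re-sort the report by any count column, largest first."""
    return sorted(rows, key=lambda r: (-r[column], r["user"]))


if __name__ == "__main__":
    for row in sort_by(external_users_report(FILES), "can_edit_ours"):
        print(row)
```
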


Remove External Users as Editors or Readers

In the External Users tab, the columns Can Edit (any doc) and Can view (any doc) can be used to quickly remove a particular external share. Click on the values; this will take you to those files.

Next to the email address of the external user will be a drop-down menu. Click on it, and select either remove the external user as an Editor or Reader.

  • Remove this permission: removes the external user from just that document.
  • Remove as Reader/Editor from files in the current filter: removes the external user from all files within the current filter.

Audit Google Team Drives Users and Activity with GAT+

Applying a search for Team Drive files


Use the exposure summary table in Drive Audit to quickly display all of the files within your Team Drive for all of your domain users.

In the above example, our domain has a total of 1778 Team Drive files. Once you click on the exposure summary table for Team Drive files, a filter will be automatically applied with the following search parameter selected.

Don’t hesitate to build on top of this filter search. Let’s search for Team Drive files which have been updated in the past few months and which are images and docs only. Follow the steps below to achieve the same search:

  1. Click on the ‘Add rule’ button.
  2. Select the Updated search parameter, then select ‘after or equal’ and enter the months of interest.
  3. Click on the ‘Add group’ button.
  4. Select the OR operator so the search parameters in this group will be OR’d together.
  5. Set the first search parameter to Type is equal to ‘Image’.
  6. Click on the ‘Add rule’ button to create the second search parameter.
  7. Set the second search parameter to Type is equal to ‘Doc’.
  8. Apply the filter.

To know the exact number of Team Drive files which have been updated in the past few months and are images or docs, click on the button ‘Show stats for the current filter’. This will run a search and calculate what file types are appearing for this current filter.

The ‘Stats for the current filter’ will take some time to generate the results.

View Events History for Team Drives


In the Files tab of Drive audit, apply a search filter for Team Drive files. Once the filter is applied, click on the Events tab. This will show you all of the events carried out on those files.

Third Party Apps – Audit Ban Allow

In GAT, under the ‘Alarms’ configuration, we have a default setting to warn Admins when new third party apps are installed.

These alarms can be sent to a list of Admins or security officers. Some of these apps request extraordinary levels of access and should be investigated. You can examine the Apps installed on your domain by selecting ‘Apps’ from the audit section of GAT.

When in the Apps audit you can filter by user, group or OU. You can also search by App name or URL. These apps can then be allowed or banned on an individual, group or OU basis. See how here. Banned apps will have the ban enforced automatically by GAT.

Sometimes you might prefer that users make their own informed decision about removing apps they have granted access to. The problem is that Google does not make it particularly easy for users to find this information. The following is a ‘tear away’ that you can cut and paste to send to your own end users if you are concerned about the apps they have installed over time. (This paper was inspired by an end user receiving an image as an email attachment; on clicking to open it, Google offered them a whole list of third-party apps that all required full drive access and no Admin approval process.)

End Users – Do you know what third parties can access your Google Drive?

If you installed third-party apps and forgot or were unable to remove them, then the following steps will show you how to review and remove these apps. By removing their access it just means they will have to request access again the next time you use them. In the meantime, if you revoke access, the apps will not have access to your data.

On the top right of your email page click on your image or avatar.

From the pop-up window select ‘Account’. When a new tab opens scroll down to ‘Account Tools’.

Look for and select the line ‘Google Dashboard’ (See image on next page).

Clicking on ‘View account data’ will cause a new tab to open and you may be requested to enter your password again.


Once the new tab opens, select the link to ‘Connected applications and sites’ (see below).

A list will appear of all the third-party apps and tools you have granted access rights to.

Some of these will be important and used every day.

Some will be tools you granted access to for a ‘one off’ task, like editing a photo, and are no longer required. Scroll down the list and, for those tools you are sure you no longer need, select the line they are listed on and then select ‘Revoke access’.

In general, all tools produced by Google are going to be just fine to leave installed, even if you don’t know for sure what they are doing.

Who is collaborating? G Suite connections and more…

GAT has been building sophisticated audits for the Google environment for some time. One feature we are particularly interested in is collaboration. We distinguish between connections and collaboration. If I share a document with 5 people, I’ve connected to 5 people, but if only 2 people read or edit that document, then only 3 people have been involved in the collaboration.

Likewise for email, if I email you and cc 10 others, I am not collaborating with 11 people. However, if 3 people respond to my email with suggestions of their own, then it is fair to say there are now 4 people involved in this collaborative event. Communication can be ‘one-way’ but Collaboration must be ‘bi-directional’.

We decided that a good way to understand collaboration domain wide would be to graph it and that is what we do in Collaboration Graphs in the Business Intelligence module.

In GAT select Business Intelligence, then Internal/External Collaboration. From here you can view the collaboration for everyone on your domain or you can select a group to focus on. By default, and if GAT has been running for at least that period, you can look at the last 6 weeks of collaboration, but you can shorten or extend this period (if you have the data). Once the graph is drawn you can change the view in many ways. How to do that is what we will cover in this post. We are going to look at the buttons on the top bar and show you what they can do.



When we first draw the graph, we lay the nodes down as we find them. This is fine if you have a small number of nodes, but if you have a large number the whole diagram can look very entangled. To sort out the ‘balls of twine’, we let you ‘cluster’ the nodes around their main connections. Do this until you see very strong clusters form, then select ‘Stop Layout’, select ‘Spread’ and wait until there is an even and reasonably stable spread of nodes. Select ‘Stop Layout’ again and you should see all the main groupings of collaboration sorted out.


Start/Stop Layout

This button controls whether the nodes are moving into new positions. 30 seconds sorts most things out, but only you can judge.



Sometimes you zoom in to see the detail and find it hard to get your bearings; rescale just brings you back to the starting point before zoom or pan.


Colour by Intensity/Colour by Filters

The Collaboration Graph measures the intensity of collaboration by size and colour. Users are represented by the nodes and their collaboration is represented by edges (lines between the users). Some nodes are bigger than others; this represents the volume of collaboration that this user participates in. The wider edges represent more collaboration between two specific users.

Colour is also used. Some people are poorly connected (poor at collaborating with many people – low degree) and are represented in blue. Others are well connected, collaborating with many people at once; we say these people have a high degree and they are represented by more red. This type of colouring is called ‘Colour by Intensity’. Look for large red or yellow/orange circles – these are the key collaborators in every way.

In many cases though, where we are looking at an individual or a group, we say we are ‘filtering’ that user or group into focus, so we then want to ‘Colour by Filters’ to make these nodes stand out and be easily spotted. The default ‘filter’ is internal vs. external, so when you turn on ‘Colour by Filters’ for the main domain, blue NOW represents the internal users and red NOW represents the external users. Picking a single user or group will highlight them in green.
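The connection versus collaboration distinction, and the degree and volume measures that drive node colour and size, can be computed from raw interaction records. This is an added example, not GAT's implementation: the record fields and sample data are constructed, and it assumes an edge is drawn only between the initiator and each recipient who responded.

```python
from collections import Counter, defaultdict

# Constructed interactions mirroring the two cases in the text.
# recipients: everyone the initiator shared with or mailed (connections).
# responders: who read/edited the document or replied (assumed field names).
INTERACTIONS = [
    {"kind": "doc", "initiator": "me@example.com",
     "recipients": [f"u{i}@example.com" for i in range(1, 6)],
     "responders": ["u1@example.com", "u2@example.com"]},
    {"kind": "email", "initiator": "me@example.com",
     "recipients": ["you@example.com"] + [f"cc{i}@partner.example" for i in range(1, 11)],
     "responders": ["you@example.com", "cc1@partner.example", "cc2@partner.example"]},
    {"kind": "email", "initiator": "u1@example.com",
     "recipients": ["me@example.com"], "responders": ["me@example.com"]},
]


def connections(item):
    """Everyone the initiator reached, whether or not they did anything."""
    return set(item["recipients"]) - {item["initiator"]}


def collaborators(item):
    """Initiator plus the recipients who responded; empty if it stayed one-way."""
    responded = connections(item) & set(item["responders"])
    return ({item["initiator"]} | responded) if responded else set()


def build_graph(items, kind=None):
    """Return (edges, nodes); kind narrows to 'email', 'doc' or 'calendar'."""
    edges = Counter()
    for item in items:
        if kind and item["kind"] != kind:
            continue
        for other in collaborators(item) - {item["initiator"]}:
            edges[frozenset((item["initiator"], other))] += 1
    neighbours, volume = defaultdict(set), Counter()
    for pair, weight in edges.items():
        a, b = tuple(pair)
        neighbours[a].add(b)
        neighbours[b].add(a)
        volume[a] += weight
        volume[b] += weight
    # degree: how many distinct people; volume: how much collaboration in total
    nodes = {n: {"degree": len(neighbours[n]), "volume": volume[n]} for n in neighbours}
    return edges, nodes


def pairs(edges):
    """Tabular view of the graph: (user, user, weight) rows, heaviest first."""
    rows = ((*sorted(pair), weight) for pair, weight in edges.items())
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    edges, nodes = build_graph(INTERACTIONS)
    for row in pairs(edges):
        print(row)
    print(nodes["me@example.com"])
```
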



This controls the names that ‘pop up’ when you point at a node. There are four values:

  • Pointer means just the name at the tip of the pointer appears.
  • Neighbours is the same as Pointer but it also shows the names of all the nodes connected to the one you are pointing at.
  • Domain puts labels on all the nodes in your domain that are in the present graph.
  • All shows all the labels for all nodes, useful if the graph is sparse.



We currently track collaboration across three areas, email, document sharing and calendar appointments. The default view for the graph is to show the combined collaboration from all three areas, however, the auditor can select to look at the collaboration in any one category by selecting the appropriate filter choice from this drop-down menu.


Print Graph

Does pretty much what it says. When you have a graph of interest we will turn it into a PDF for you to add to a report.

At the graph level, you have a choice of Graph or Pairs



The graph is made up of many different pairs and combinations of relationships, sometimes you just need to see that on a numerical table. Pairs gives you that view and lets you filter and save as a spreadsheet.


Collaboration Graphing has many more features, these are covered by other posts in this site.

Notifying Local Owners If Their Doc Was Matched in an Audit

In this Tech Tip, we have two examples of how to frame a search for an ongoing Audit or Policy.

In the first example, we look for all documents shared to or from Users in the ‘’ domain

We are going to run a daily scan to alert local owners that their documents may breach company policy by being shared to or from the domain.

In the Drive Audit, select ‘Users’, select from a date, pick today’s date for daily audits, pick a week back for weekly audits, etc.

Next, select ‘Documents Changed’ and then click ‘Search Documents’. This will build your search ‘chip’ and see if you have any documents that match the criteria for the time period chosen. Remember you may have no hits, but the search rule is still valid and will catch future hits.

Finally, schedule that chip to run every night (See the next page).

In the second example, we look for all documents shared outside the domain.

We are going to run a daily scan to alert local owners that their documents may breach company policy by being shared out of the domain.

In the date range pick today’s date for daily audits, pick a week back for weekly audits, etc.

Next, select ‘Documents Changed’ and then click ‘Search Documents’. This will build your initial search ‘chip’. You further refine your search by selecting documents shared ‘Out’. Remember you may have no hits, but the search rule is still valid and will catch future hits.

Finally, schedule the full chip to run every night.

When you click Schedule/Save you will be taken to the scheduler. Here you can select how you wish to see the report (as a CSV or a PDF), whether you want it to run as a policy or an audit, and the period over which it should run. As an audit, you get notified every time it runs, even if nothing is found; as a policy, you only get a message if a matching file is found. If you selected a week’s worth of data, run the report weekly; if it was a day’s worth, run the report daily.

Finally, you will see a checkbox, ‘Notify Local Users’, if you check this, local owners of the file will be warned that their files were found by the search, that they may be in breach of company policy and they will be given a list of the files.

Email Groups in GAT

A group in Google email can either be an address or a collection of people (all the members of 

This is an important distinction for auditing purposes. Sometimes you want to audit for the group address, sometimes you want to audit for the collection of people.

GAT email auditing now supports both views.

To audit for email sent specifically from the address ‘’ search for the address in the general search field

To audit for all the email sent by members of the group, use the Local User/Group search field

You can select the direction with the ‘Sent/Received’ filter.

It also works for Organization Units (and sub-OU’s if you include them in the tree).

An example use case might be to look at all emails ‘sent’ from ‘sales’ and create a second filter for emails ‘received’ by ‘support’, then go to the tab ‘Recent Filters’ and combine the two searches to see all the emails sent from members of sales to members of support.

While this feature is available in the Business Intelligence beta analyses, it is typical that large domains have too large data sets for local browsers to handle the BI processing. This filter set in the email auditing module allows the larger domains to get the spreadsheets they require for all group email activity.


How to Reduce Noise with Email Charts

This post shows you how to reduce unnecessary noise using email charts.

In the ‘Users’ audit area, select the ‘Emails’ tab. One of the useful features there is that you can chart the daily email loads, internal and external, for each user.

Sometimes a user sends or receives a lot of emails (log recipients for example), and you need to dampen this out to see the general trend for the other email parameters.

GAT now lets you selectively turn on or off each line on the graph by simply clicking on the index key for that metric. A simple change to help produce more meaningful charts.

v.2918 and up.

Detailed Login Auditing (Location, Time, Attempts)

From the GAT Audit home page, under our detailed ‘Users’ audit, GAT has been reporting detailed login information for each user under the ‘Security’ tab. We have now been able to greatly improve the accuracy of the last login time.

Clicking through on the last login time shows the full login history, with IP address and geo-location mapping if required.

Clicking through on the last negative event shows the history of failed and suspicious logins for that account, with IP address and maps. This column is sortable domain wide so you can quickly identify accounts under potential repeated attack.

We have now greatly expanded the reporting for this data.

Under ‘One Click Reports’, the fast access path to some important detailed reports, we have added ‘User Log-in Reports’ as a new option.

When you click on the link above you are taken to the ‘View by Events’ log-in report.

Once here, you can sort by User, Date and Time, IP address and Event (ok or negative).

At the top, there are also the ‘One Click’ summaries for different event types and a standard GAT format extensive search box.

A second report option ‘View by IP’ is also available. Click on this to see the history of events by IP address. This is very useful for attack analyses.

Each of the columns is sortable and each row has a click-through to the report for the detail behind the number.

Many domains have a series of address networks which they know are ‘OK’. These can all be searched for by abbreviated address format.

When found, the Admin can click on ‘Negate Filter’ to find all the logins not from these addresses. These would be ‘untrusted’ nets.

A nightly report of these untrusted network logins can then be scheduled, saving the data as a spreadsheet and reporting to the Admin.

In all report cases login addresses can be mapped with Google Maps.
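The same triage can be run over an exported login report. This is an added example, not GAT's code: the event tuples, trusted ranges and the threshold of three negative events are constructed assumptions. It negates a trusted-network filter, groups what remains by source IP, and ranks addresses with repeated negative events.

```python
import ipaddress
from collections import defaultdict

# Assumption: networks this domain knows are 'OK' (documentation ranges, constructed).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.64/26")]

# Constructed login events: (user, timestamp, source IP, event), event is "ok" or "negative".
EVENTS = [
    ("alice@example.com", "2024-05-01T08:02:11", "203.0.113.17",   "ok"),
    ("bob@example.com",   "2024-05-01T08:05:40", "203.0.113.40",   "negative"),
    ("dave@example.com",  "2024-05-01T09:10:03", "198.51.100.70",  "ok"),
    ("dave@example.com",  "2024-05-01T21:44:59", "198.51.100.200", "ok"),
    ("alice@example.com", "2024-05-02T02:13:07", "192.0.2.55",     "negative"),
    ("bob@example.com",   "2024-05-02T02:13:09", "192.0.2.55",     "negative"),
    ("carol@example.com", "2024-05-02T02:13:12", "192.0.2.55",     "negative"),
    ("carol@example.com", "2024-05-02T02:13:30", "192.0.2.55",     "ok"),
]


def is_trusted(ip, nets=TRUSTED_NETS):
    """True when the address falls inside any known-good network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def untrusted_logins(events, nets=TRUSTED_NETS):
    """Negated filter: keep only events whose source is outside every trusted net."""
    return [e for e in events if not is_trusted(e[2], nets)]


def view_by_ip(events):
    """Per source IP: ok and negative counts plus the accounts seen from it."""
    rows = defaultdict(lambda: {"ok": 0, "negative": 0, "users": set()})
    for user, _ts, ip, event in events:
        rows[ip][event] += 1
        rows[ip]["users"].add(user)
    return dict(rows)


def repeated_failures(events, nets=TRUSTED_NETS, min_negative=3):
    """Untrusted IPs with at least min_negative negative events, worst first.

    Each hit also lists accounts that logged in successfully from that IP,
    because those accounts deserve review first.
    """
    untrusted = untrusted_logins(events, nets)
    hits = []
    for ip, row in view_by_ip(untrusted).items():
        if row["negative"] >= min_negative:
            ok_users = sorted({u for u, _t, i, ev in untrusted if i == ip and ev == "ok"})
            hits.append({"ip": ip, "negative": row["negative"],
                         "users": sorted(row["users"]), "ok_users": ok_users})
    return sorted(hits, key=lambda h: (-h["negative"], h["ip"]))


if __name__ == "__main__":
    for hit in repeated_failures(EVENTS):
        print(hit)
```
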

Because security is so important to the Google community we are making all of the above free even after your GAT trial ends. So even if you are one of the few who does not want good auditing ;-), you can still enjoy the benefits of some GAT security after your domain’s general trial ends.


Auditing for all Org Units and Restricting access to GAT

Applications in sub OU’s only have authority for some audit features and only over the users in that sub-OU. This is impacting GAT’s ability to report domain wide. GAT is often placed in an OU to restrict which users can run GAT.

To solve this problem we recommend you set the following.

On the GAT homepage select ‘Configure GAT’


Then at the bottom of this configuration tick the box under ‘Restrict GAT users’ and ‘Save’.

GAT will now only be available to Super Admins and delegated auditors. If you had GAT in a sub-OU, then in Google Admin panel you should move GAT from the sub-OU (‘/auditors’ for example) to the root OU (i.e. ‘/’). See here for more details.

This will enable auditing of all users on the domain for details like Google+ usage, etc.

See here to learn about Delegated Audits to auditors who are not Admin staff.