GAT+ Gmail Audit Tables Explained

This post will explain the meaning of title headings and details within the tables in different areas of Email audit.

When you enter the Email auditing area of GAT+, you will notice a summary table at the top of the page on the Emails tab. The table summarises the total number of emails sent out of or into your domain, with or without files attached. Clicking on any one of these categories in the table will apply a filter focusing only on those emails.

The date range (Emails from) at the top of the table indicates the period under audit.

The Last Scan Date informs you when an email scan last ran to update the metadata you are viewing.

Some notable categories:

Emails sent in – Emails where the sender is an external user.

Emails sent out – Emails to external domains where the sender is from your own domain.

Emails sent internal – Emails sent only to users within your own domain. The email thread may include users who are external.

Bounced – When an email message cannot be delivered to an email address.

Files sent in – Emails sent into your domain from an external user which contained a file attachment.

Files sent out – Emails sent to external domains with a file attachment.

User Statistics Table

If you wish to get a better understanding of email activity for each user on your domain and the alias they may use, click on User Statistics.

Heading of the Table

Date From and Date To – These fields cover a date range. If you clicked on the Daily Statistics button, this will show you email data for each previous day. If you clicked on the Summary Statistics button, you can see several months back for each user.

User – The user who sent/received the email.

Email – This is the email address a user used to send or receive the emails. This is usually an alias or an account they’ve been delegated access to or their own email address. In the screenshot below in the green box, it shows that User:ferdows@generalaudittool.com sent/received emails from Email:ferdows@generalaudittool.com which is his own account.

Emails recv. (ext) – Emails received where the sender is an external email address.

Emails recv. (int) – Emails received where the sender is from your own domain.

Emails sent (ext) – Emails sent outside of your own domain to other domains.

Emails sent (int) – Emails sent internally to users on your own domain.

Files recv. (ext) – Emails received from external users which contained a file attachment.

Files recv. (int) – Emails received by internal users from your own domain which contained a file attachment.

Files sent (ext) – Emails sent outside of your own domain to other domains which contained a file attachment.

Files sent (int) – Emails sent internally to users on your own domain which contained a file attachment.

GAT Removes Your Pain Points

Google Drive

1) “What files on my google domain can everyone on the internet find or see?”

In the GAT+ Drive Audit, one click on the number ‘Open to full public’ shows you all the public files on your domain’s Google Drive. You can also see those that are available to anyone with the link under ‘Open to public with link’ (both reports are just a click away).

2) “We have files that are shared to lots of other domains, how can I see which ones?”

Within the Google Drive Audit and with the press of one button ‘Domain Connections’, we draw a map of your entire set of Drive shares into and out of your domain.

Select each ‘dot’ and it will lead you to those files; from there you can select the number of shared files and be directed to them.

3) “I need to see a list of all the external people that have explicit access to files on your Domain drive?”

In the Drive Audit, one press of the button ‘External Users’ will produce a table that you can sort by the desired column.

Gmail

4) Need to find and remove an email in a hurry? (even from hundreds of accounts!)

In the Email Audit using the ‘Domain Gmail Search’ you can do a live search of every folder in every account on your domain for an email containing text in any location (subject, body, attachment) or any other identifier and have a list of those emails found.

Once you find the emails you need (using Unlock) you can view, download or remove these emails in bulk for one or all accounts.

5) Need to see the top sender or receiver of emails?

Just a press of the ‘Sender/Receiver’ button will tabulate the top senders and receivers of email for your domain or for whatever search you used to narrow the data.

6) Need to delegate access to another user’s email account?

In the “User audit”, select the “Email info” button, select the account you want to add a delegated auditor to, and add them. After it is approved by the security officer, the user will have delegated access to that person’s email.

7) Need to get a daily/weekly/monthly report of emails per user, sent and received?

In the GAT+ Email audit, select “User Statistics”, which presents two options: “Daily Statistics” and “Summary Statistics”.

Once you select Daily Statistics, you can apply a filter and schedule daily reports for all emails coming into and going out of all your user accounts. You can also choose to cover a specific user, group or OU.

G Suite Users

8) Need to save on license costs? Then you need to know which accounts were not used in the last 6 months.

In GAT+, select ‘Users Audit’ and then ‘Last Login’; the results will be filtered based on last login.

You can apply a filter to search by ‘Last login’ or ‘Last negative login’, searching for users whose last login to your G Suite domain was 6 months ago.



9) Need to easily bulk add or remove users or simply add/remove/change them between groups and OUs?

In the new GAT+, select the Users report. Filter for the set of users you are interested in working with. Export that selection of users and change the spreadsheet as described here. You can add the users to one or more groups or change their group mix completely. When finished with the changes, just import the spreadsheet to perform all the changes at once.

10) Need to be warned when some critical event has happened on your domain?

Under the Configurations section in GAT+, select ‘Alarms’ and configure the alerts you need. Alarms can be configured and saved on a per-OU basis.

Find All Participants Who Communicated to an Email Address

Finding the top senders of email to a particular mail address you are auditing can be tricky when conducting an email audit.

One example might be to find all participants involved in sending or receiving emails coming from our support team so we will use support@generalaudittool.com as our focus.

We start by going to the email audit on GAT+.

We apply a custom filter and select the ‘To’ search parameter, enter the address we are interested in and hit ‘Apply’. This will return a list of all the emails sent to that address, internal and external, with and without attachments.

Once the results are displayed, we can see all emails sent to the support group.

From the Emails tab we will now click on the External From/To tab. The search criteria you have already applied will be carried over to the External From/To tab.

Note: Whenever you apply a custom filter within the Emails tab, you can carry over this filter criteria to the Sender/Receiver tab or the External From/To tab.

External From/To – will show the emails sent from external users to the support email.

Sender/Receiver – will show all emails divided by internal and external stats.

This simplifies the complex analysis of figuring out who is generating workload for your support team in this example.

In the Emails tab we could have refined the search to find emails sent to the support group in a given time frame with file attachments, and then clicked on the Sender/Receiver tab.

How to Find the Number of Emails Each User Sent and Received in a 24 Hour Period

Using the G Suite Admin Console or Google Vault it’s a difficult task for a super admin to find all of the emails sent or received by the entire organization or sub-group of users in a clear and readable way. That’s why the Email auditing in GAT+ is so important. For any filter you create, you can see who was involved with sending or receiving of those emails.

From the GAT+ side-menu go to the email audit section.

While in the first tab, click on the ‘Apply custom filters’ button.

Add the dates to capture the previous 24 hour period.

In the search definition area, the following search parameters were applied.

Sent date after or equal MM/DD/YYYY HH:MM

AND

Received date before or equal MM/DD/YYYY HH:MM

Once you have selected the look-back period, apply the filter. In the above example, we looked back one day; your custom look-back can cover whatever date range you need to audit.

Once the filter is applied, click on the ‘Sender/Receiver’ tab; the filter will be carried over to this area.

The first table will show you the number of emails sent from your domain’s users.

The second table shows the number of emails each local user received (including cc’s and bcc’s).

The third table shows you all of the external senders and the number of emails they sent in the last 24 hours.

The fourth and last table will show you the external receivers and how many emails they received in the last 24 hours.

You can export each table to see further details.
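
The same four-table breakdown can be reproduced over exported email metadata, which is handy for cross-checking a report or spotting an unexpected top external receiver. The Python below is an added example, not GAT+ code; the record layout, the `example.com` domain and the sample records are constructed, and it assumes one timestamp per email.

```python
from collections import Counter
from datetime import datetime, timedelta

LOCAL_DOMAIN = "example.com"             # assumption: stands in for your own domain
WINDOW_END = datetime(2019, 3, 6, 0, 0)  # constructed: end of the audited 24 hours

# Constructed sample metadata: (sent time, sender, every recipient incl. cc/bcc).
SAMPLE = [
    ("2019-03-05 08:15", "alice@example.com", ["bob@example.com", "carol@partner.test"]),
    ("2019-03-05 09:40", "carol@partner.test", ["alice@example.com"]),
    ("2019-03-05 10:00", "alice@example.com.lookalike.test", ["bob@example.com"]),
    ("2019-03-05 13:05", "Alice@Example.com", ["carol@partner.test", "dave@vendor.test"]),
    ("2019-03-05 17:30", "bob@example.com", ["alice@example.com"]),
    ("2019-03-03 11:00", "dave@vendor.test", ["bob@example.com"]),  # outside the window
]


def is_local(address, domain=LOCAL_DOMAIN):
    """Exact match on the domain part, so 'example.com.lookalike.test' stays external."""
    return address.lower().rsplit("@", 1)[-1] == domain.lower()


def sender_receiver_tables(records, window_end, hours=24, domain=LOCAL_DOMAIN):
    """Count emails per address in the look-back window, split into the four tables."""
    window_start = window_end - timedelta(hours=hours)
    tables = {name: Counter() for name in (
        "local_senders", "local_receivers", "external_senders", "external_receivers")}
    for sent, sender, recipients in records:
        sent_at = datetime.strptime(sent, "%Y-%m-%d %H:%M")
        # Both bounds inclusive, matching "after or equal" / "before or equal".
        if not window_start <= sent_at <= window_end:
            continue
        sender = sender.lower()
        side = "local" if is_local(sender, domain) else "external"
        tables[side + "_senders"][sender] += 1
        # De-duplicate so an address listed in both To and Cc counts once per email.
        for rcpt in sorted({r.lower() for r in recipients}):
            side = "local" if is_local(rcpt, domain) else "external"
            tables[side + "_receivers"][rcpt] += 1
    # Highest volume first, like a "top senders/receivers" listing.
    return {name: counts.most_common() for name, counts in tables.items()}


if __name__ == "__main__":
    for name, rows in sender_receiver_tables(SAMPLE, WINDOW_END).items():
        print(name, rows)
```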

How to Find All Emails for a Gmail User

When GAT+ is installed, our system begins to index all of the emails in every account covering a period of 28 days (4 weeks) prior to the install date. This helps us build up some statistics so you can view recent trends. We then index every email going forward indefinitely.

In cases where you need to search for emails older than 28 days from the date of GAT+ install you can use the real-time search called Gmail Search in GAT+.

Search the entirety of any user’s mailbox for any set of emails, from any time period, as long as the email is still there (not permanently deleted by the user).

You can exclude chats by using “in:anywhere -in:chats”. If you wish to narrow down the search to a specific period, use the search operators after:YYYY/MM/DD and/or before:YYYY/MM/DD. Alternatively, you can use older_than:5d or newer_than:30d.

So the full search term might look like this “in:anywhere -in:chats after:2019/03/01 before:2019/03/31 is:read”. View the full list of search operators available.


The search may take quite some time, especially if you’re dealing with thousands of emails.

When the Start Search button is pressed, this will redirect you to the Recent tab. In this tab, you will see the status of all your email searches.

After the search completes, you can select the green check mark and all emails for this user will be displayed.

Once the results are shown, you can add and build new filters on top of the current search to find specific emails or examine the totality of that user’s activity.

To add additional filters on top of this real-time search, click on the Apply custom filter button.

One example of using the Apply custom filters in Gmail Search is to narrow down the above search to find only emails with more than 2 email attachments.

You can always return to Gmail Searches you had previously done and remove them from the listing.

In conclusion, Gmail Search provides a powerful alternative to scan-based searches but may be slower, as the email metadata is not already indexed. If your email audit does not require up-to-the-minute information, I would recommend sticking with scan-based searches within the Emails tab.

Google Drive: Who Read What Document and When?

This question comes up from time to time and GAT makes it easy to find the detailed answer.

First, we find all the documents the person read (or ‘viewed’).

To achieve this, we navigate to GAT’s Google Drive audit, select the Event tab, and apply a custom filter.

For the search, we enter the email address of the person we’re interested in, then pick “View” as the event type (you can select different options such as download, upload, print, created).

You can select a date parameter to narrow down your search results (if you don’t enter a date, it will search on the user and event type and find every document ever read by that person).

The example in the screenshot below will display all ‘view’ events by the user in the past 29 days (since the start of the month).

However, we can refine our Google Drive searches even further…

Let’s exclude files where this user is also the owner of those files because we are only interested in files this user viewed which are not his own.

To do this, export the results. This will create a spreadsheet where we can edit the owner tab to exclude the person you are currently searching for.

The result you get is all the documents visited by the subject, excluding the files he owns.

A follow-on question from this is how do we create daily/weekly reporting for all or some documents in our domain?

We have a post about how to schedule daily/weekly reports on event activities on files; you can read more about that here:

How to Track Visitors and Editors

Out of Hours Email Activity Reporting

In France, the legal length of the working week is 35 hours in all types of companies with more than 50 employees. The working day may not exceed 10 hours. Furthermore, employees may not work for more than 4.5 hours without a break. The maximum working day may be extended to 12 hours under a collective agreement.

If you wish to enforce this policy throughout your organization you can utilize GAT Shield. Let’s presume you already know about Shield and utilize it within your organization.

You have the ability as a super admin to enforce the French working hours after getting proper approval from your management team.

Navigate to the Login Control section in the Configuration area of GAT Shield.

Now, I will create a time window. Outside of this window, users on my domain won’t be allowed to log into their G Suite account to check emails or other cloud services.

The below example covers 9AM to 7PM.

Login time window (from): 0 0 9 1/1 * ? *

Login time window (to): 0 0 19 1/1 * ? *

This means my employees can log in and do their work from 9AM to 7PM after which they will be blocked.
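
The two login-window values above have the shape of Quartz-style cron expressions (seconds, minutes, hours, day of month, month, day of week, year). The Python below is an added example, not part of GAT Shield, that reads such a pair and checks a timestamp against the window before a policy is rolled out; treating the start as inclusive and the end as exclusive, and comparing in the timestamp's own time zone, are assumptions.

```python
from datetime import datetime, time

# The two expressions from the example above (9AM to 7PM).
WINDOW_FROM = "0 0 9 1/1 * ? *"
WINDOW_TO = "0 0 19 1/1 * ? *"


def daily_fire_time(expr):
    """Return the time of day at which a once-a-day Quartz-style expression fires.

    Assumed field order: sec min hour day-of-month month day-of-week [year].
    """
    fields = expr.split()
    if len(fields) not in (6, 7):
        raise ValueError(f"expected 6 or 7 fields, got {len(fields)}: {expr!r}")
    sec, minute, hour, day_of_month, month, day_of_week = fields[:6]
    year = fields[6] if len(fields) == 7 else "*"
    # Accept only "every day" schedules; '1/1' means from day 1, every 1 day.
    every_day = (day_of_month in ("*", "1/1", "?") and month == "*"
                 and day_of_week in ("?", "*") and year == "*")
    if not every_day:
        raise ValueError(f"not a plain daily schedule: {expr!r}")
    if not all(f.isdigit() for f in (sec, minute, hour)):
        raise ValueError(f"sec/min/hour must be single numbers: {expr!r}")
    return time(int(hour), int(minute), int(sec))  # ValueError if out of range


def login_allowed(ts, window_from=WINDOW_FROM, window_to=WINDOW_TO):
    """True if ts falls inside the daily window (start inclusive, end exclusive)."""
    start, end = daily_fire_time(window_from), daily_fire_time(window_to)
    now = ts.time()
    if start <= end:
        return start <= now < end
    return now >= start or now < end  # window that wraps past midnight


if __name__ == "__main__":
    for stamp in ("08:59:59", "09:00:00", "18:59:59", "19:00:00"):
        ts = datetime.strptime("2019-03-05 " + stamp, "%Y-%m-%d %H:%M:%S")
        print(stamp, "allowed" if login_allowed(ts) else "blocked")
```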

If you don’t wish to block entry into the account when users are out of hours, you can report on your employees’ activities using the GAT Shield User Activity section. This will show you when a user was active and what sites they went to throughout a given day.

Less is More: Email Audit

How to see the tree from the woods.

Sometimes we can be overwhelmed with search results, and when we have a lot of information coming at us we want to turn down the noise a little.

In our domain, we get a lot of email from one particular source. We have a domain called go-oodles.com that we use to relay certain events. For example, we have a series of internal cameras at sensitive doors in the building. These record to a NAS system, but to be sure we also turn some of the images into email and email them to a Google account. These all come from the account camX@alerts.go-oodles.com. As you can imagine, this generates quite a bit of noise. When we’re auditing email we like to eliminate this noise.

First, we search for email from ‘alerts.go-oodles.com’

Then we hit ‘Negate Filter’ to remove these 15,000+ emails from the results.

This really starts to become useful when combined with another filter.

For example, if we want to see all the email with attachments, we ‘clear filter’, select the attachments box and hit ‘Search Emails’.

Unfortunately, this returns all emails with attachments, including the thousands of alerts from go-oodles.com.

What we can do is go to the ‘Recent Filters’ tab and combine searches: all email ‘With Attachments’ and all email ‘not from[alerts.go-oodles.com]’.

You can see we select the two filters we want, join them with ‘AND’ and hit ‘Show’.

This returns a much smaller subset of all emails with attachments, except those from ‘alerts’.

If we add dates to this search, we get an example like the one in line 1 (picture at top of page), which gets all the email we want from the 30th of Jan, 2013.

We can then schedule this for 5 past midnight on the 31st of Jan.

Assuming we are on the 30th of January, this will generate a report that runs every day, showing us all the email that came or went the day before with files attached, excluding all those thousands of emails from the alerting system.

How to Debug Email Routing Problems

GAT+ lets admins see the filters users have in place, which is useful for debugging email routing problems. In the Users audit, go to Emails and click on the filters count for the user of interest to see what the underlying filters are.

Understanding Group Activity email and file sharing

Some recent questions raise the interesting problem of how do we measure email activity at group level (and group activity in general).

Groups inside Google are phenomenally interesting and at GAT we spend quite a bit of time thinking about them. At a simple level, a group can act as an email alias for a function, ‘sales@generalaudittool.com’. A group can also form a platform for email collaboration, ‘new-ideas@generalaudittool.com’. It can also form the basis of a mini-community, ‘development@generalaudittool.com’, where the group name can be used as the basis for sharing documents, emails, access rights, etc.

In reality, any group once established, tends to function to varying degrees in all three roles inside the organization. In addition, you have the situation that members of one group are often members of other groups. Looking at the output of the members, you can never tell if the mail is group related.

However, with GAT+Email you can see some important details:

1) How busy, in general, members of that group have been.

Under the ‘Users’ audit, select the email tab, then search for the group you are interested in. Then, by clicking on ‘show graph’, you can see the detailed internal and external email loads for members of that group.

2) The amount of email sent specifically to any Group (where the group is viewed as a collection of members), which domain and which user it came from (internal or external).

Here we use GAT+Email and select the email audit. Once in the email audit, we search for the group we are interested in. This can be done in two ways. Firstly, we can just reference the Group, and this will return all emails in which members of the group were involved.

Or we can make the group address the subject of a specific search (the results show only the email sent specifically to the group address).

Here we can see in the table everyone inside and outside the organization involved in sending email to that group address and the volume of email involved. Domain or individual can be turned on or off to see the values for each category more clearly.

In addition, you can search for all the emails sent ‘from’ a particular group address and then using the ‘Recent Filters’ tab combine the two searches to produce a combined set of results. Again these can be examined in the Sender/Receiver table.

A really powerful exercise is to limit the searches to a date range, then look at the ‘Domain Connections’ table for the results. At the top of the table select ‘Show communication graph’.

See this post. The graph shows newest relationships on the right, oldest on the left. Domains sending to us are on the top, domains we send to are on the bottom. Those in between have emails in both directions, depending on the balance.

3) To what degree that group is directly involved in document sharing and collaboration

In this case, we go to the ‘Group’ audit on the homepage.

In this audit we can search for a group of interest, and from there we can see details like the overall percentage of docs created by members of this group, the percentage of documents shared in to its members and the percentage of docs shared out by its members.

In addition, you can see details like the number of group documents (those shared), the number shared explicitly to the group address and the numbers shared by members of the group to one another. This helps you understand if the Group is being used for Collaboration.