
GAT+ Gmail Audit Tables Explained

This post will explain the meaning of title headings and details within the tables in different areas of Email audit.

When you enter the Email auditing area of GAT+, on the Emails tab you will notice a summary table at the top of the page. The table summarises the total number of emails sent out of or into your domain, with or without files attached. Clicking on any one of these categories in the table will apply a filter focusing only on those emails.


The date range (Emails from) at the top of the table indicates the period under audit.

The Last Scan Date informs you when an email scan last ran to update the metadata you are viewing.

Some notable categories:

Emails sent in – Emails where the sender is an external user.

Emails sent out – Emails to external domains where the sender is from your own domain.

Emails sent internal – Emails sent only to users within your own domain. The email thread may include users who are external.

Bounced – When an email message cannot be delivered to an email address.

Files sent in – Emails sent into your domain from an external user which contained a file attachment.

Files sent out – Emails sent to external domains with a file attachment.

User Statistics Table

If you wish to get a better understanding of email activity for each user on your domain, and the aliases they may use, click on User Statistics.


Heading of the Table

Date From and Date To – These fields cover a date range. If you clicked on the Daily Statistics button, this will show you email data for each previous day. If you clicked on the Summary Statistics button, you can see several months back for each user.


User – The user who sent/received the email.

Email – This is the email address a user used to send or receive the emails. This is usually an alias or an account they’ve been delegated access to or their own email address. In the screenshot below in the green box, it shows that User:ferdows@generalaudittool.com sent/received emails from Email:ferdows@generalaudittool.com which is his own account.


Emails recv. (ext) – Emails received where the sender is an external email address.

Emails recv. (int) – Emails received where the sender is from your own domain.

Emails sent (ext) – Emails sent outside of your own domain to other domains.

Emails sent (int) – Emails sent internally to users on your own domain.

Files recv. (ext) – Emails received from external users which contained a file attachment.

Files recv. (int) – Emails received by internal users from your own domain which contained a file attachment.

Files sent (ext) – Emails sent outside of your own domain to other domains which contained a file attachment.

Files sent (int) – Emails sent internally to users on your own domain which contained a file attachment.

Email columns

GAT Removes Your Pain Points

Google Drive

1) “What files on my google domain can everyone on the internet find or see?”

In the GAT+ Drive Audit, one click on the number ‘Open to full public’ shows you all the public files on your domain’s Google Drive. You can also see those that are available to anyone with the link under ‘Open to public with link’ (both reports are just a click away).

2) “We have files that are shared to lots of other domains, how can I see which ones?”

Within the Google Drive Audit and with the press of one button ‘Domain Connections’, we draw a map of your entire set of Drive shares into and out of your domain.

Domain connection graph

Select each ‘dot’ and it will lead you to those files. From there you can select the number of shared files and be directed to them.


3) “I need to see a list of all the external people that have explicit access to files on your Domain drive?”

In the Drive Audit, one press of the button ‘External Users’ will produce a table that you can sort by the desired column.


Gmail

4) Need to find and remove an email in a hurry? (even from hundreds of accounts!)

In the Email Audit using the ‘Domain Gmail Search’ you can do a live search of every folder in every account on your domain for an email containing text in any location (subject, body, attachment) or any other identifier and have a list of those emails found.

Once you find the emails you need (using Unlock) you can view, download or remove these emails in bulk for one or all accounts.

5) Need to see the top sender or receiver of emails?

Just a press of the ‘Sender/Receiver’ button will tabulate the top senders and receivers of email for your domain or for whatever search you used to narrow the data.

6) Need to delegate access to another user’s email account?

In the “User audit”, select the “Email info” button, select the account you want to add a delegated auditor to, and add them. After it is approved by the security officer, the user will have delegated access to the person’s email.

7) Need to get a daily/weekly/monthly report of emails per user, sent and received?

In the GAT+ Email audit, select “User Statistics”, which presents two options: “Daily Statistics” and “Summary Statistics”.

Once you select Daily Statistics, you can apply a filter and schedule daily reports for all emails coming into and going out of all your user accounts. You can also choose to cover a specific user, group or OU.

G Suite Users

8) Need to save on license costs? Then you need to know which accounts were not used in the last 6 months.

In GAT+, select ‘Users Audit’ and then ‘Last Login’, and the results will be filtered based on last login.

You can apply a filter to search by ‘Last login’ or ‘Last negative login’, searching for users whose last login to your G Suite domain was 6 months ago.



9) Need to easily bulk add or remove users or simply add/remove/change them between groups and OUs?

In the new GAT+ select the Users report. Filter for the set of users you are interested in working with. Export that selection of users, change the spreadsheet as described here. You can add the users to one or more groups or change their group mix completely. When finished with the changes, just import the spreadsheet to perform all the changes at once.

10) Need to be warned when some critical event has happened on your domain?

Under the Configurations section in GAT+, select ‘Alarms’ and configure the alerts you need. Alarms can be configured and saved on a per-OU basis.

‘Role’ Reporting in the Users Audit

GAT+ has added ‘Role’ reporting to the Users Audit. This will be particularly helpful to Admins of large domains, who have many delegated admin users performing different roles.

How to Track Visitors and Editors

First, we have to find the file we would like to check the events for.

Finding the file can be as easy as opening the Drive Audit and then using the “Apply Custom Filter” search option, which allows us to search using various search parameters.

For our example case here:
We select simple filter and just search for the File ID equals to: 1gOUqfrOmAQxULze

(Read this post to learn how to extract “File ID”)

After we find the file, extracting the historical actions performed on the document is as simple as selecting the file and showing its events.

The result will display all events (view, edit and changed-visibility actions) that occurred on the file.

You can also generate a report to show new events associated with the file. It can be scheduled weekly, and managers can be notified via email notifications.

The screenshot below displays the view and edit events for a certain file; a report will be generated weekly based on the date parameter we set up.

In this example, a weekly report will be generated showing event types View and Edit for this particular file.

It will run every weekend, and the date will be changed automatically to show us only the new information.

Monitoring Cloud Login Behaviour

With all the publicity about breaches of servers containing Government Personnel data, it is a good time to consider how well you understand access to your Google cloud environment.

Servers on your LANs that have been breached, no matter what the path, will leave a packet trail that you can follow up to a suspicious device. There is no guarantee that that device is the end-point, but at least you have the start of the path that law enforcement can then follow.

In the Google cloud, how do you identify such suspicious activity? Google is getting better at identifying and alerting users to suspicious activity, but good hackers will be well aware of the alarms Google sets. So how do you, as an Admin, get the big picture and bring human intuition to bear on the collective pool of data?

One tool GAT provides is ‘User Logins’.

select 'user logins'

Clicking on this audit area lets you analyze the login behavior on your Google Domain by several metrics: source, volume, success, failures, etc.


The screenshot above is from the ‘Events’ tab and gives the big-picture view of worldwide accesses to your domain. Are there logins from unexpected locations?

Clicking on the map marker shows the Email address and all related information for this account, such as IP Address, City, Country, Event and Date.


User Logins can also be checked by clicking on the “Apply custom filter” button, where an admin can narrow down the search and extract more detailed information regarding an event.


For example, an Admin can search for all events with the status “Invalid Password”. This brings up all matching results, displays on the map where they actually happened, and lets you generate a report.
It shows Login Event Locations and Login IP Locations.

What else should you look for? Search by ‘OK’ logins and look for the ratio of different users to successful logins. If you see something like 10 logins from a single IP address and 5 different users, then that is either a new office you opened yesterday or very strange behavior. If it is not a new office, then check out that address and those accounts in more detail.

The second way GAT attempts to watch your back is via the Alarms section (select ‘Alarms’ on the home page).

select 'alarms'

While these are no substitute for the human intelligence an Admin brings to bear by knowing their own data, they can help watch your back in some areas. To configure an alarm click on the plus icon/button.

 

See alarm details
change alarm settings as needed

Based on our experience the alarm ‘Alert on new IP addresses with negative logins’ is the most useful because it flags someone taking a ‘potshot’ at one of your domain accounts. We only alarm you if we have never seen a successful login from that address before – this eliminates a lot of false positives.
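The two checks described above (several users logging in successfully from one IP, and failed logins from an IP with no prior successful login) can also be run over an exported login report. This is an added example, not GAT's own code: the CSV column names, the sample rows and the rule that any event other than ‘OK’ counts as a negative login are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; column names and all values are assumptions.
SAMPLE_CSV = """\
email,ip,event,date
alice@example.com,198.51.100.7,OK,2024-03-01T08:00:00
bob@example.com,198.51.100.7,OK,2024-03-01T08:05:00
carol@example.com,198.51.100.7,OK,2024-03-01T08:09:00
alice@example.com,198.51.100.7,OK,2024-03-01T13:00:00
alice@example.com,203.0.113.9,OK,2024-03-02T07:30:00
alice@example.com,203.0.113.9,Invalid Password,2024-03-02T19:00:00
dave@example.com,192.0.2.44,Invalid Password,2024-03-03T02:14:00
alice@example.com,192.0.2.44,Invalid Password,2024-03-03T02:15:00
bob@example.com,198.51.100.7,Invalid Password,2024-03-03T09:00:00
"""

def load_events(text):
    """Parse the export and return the rows in time order (ISO dates sort as text)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    return sorted(rows, key=lambda r: r["date"])

def shared_ip_logins(events, min_users=3):
    """Map ip -> (successful logins, distinct users) where distinct users >= min_users."""
    users, count = defaultdict(set), defaultdict(int)
    for e in events:
        if e["event"] == "OK":
            users[e["ip"]].add(e["email"])
            count[e["ip"]] += 1
    return {ip: (count[ip], len(u)) for ip, u in users.items() if len(u) >= min_users}

def new_ip_negative_logins(events):
    """Failed logins from IPs that had no successful login earlier in the data."""
    known_good, alerts = set(), []
    for e in events:
        if e["event"] == "OK":
            known_good.add(e["ip"])
        elif e["ip"] not in known_good:  # assumption: anything but OK is negative
            alerts.append((e["date"], e["ip"], e["email"]))
    return alerts

if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    print(shared_ip_logins(events))
    print(new_ip_negative_logins(events))
```

The `min_users` threshold needs tuning per domain: offices, VPN egress points and NAT gateways legitimately carry many users behind one address, so known addresses should be excluded before review.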

How to Find the Space Used on Google Drive

In this post, you will learn how to find used space on your Google Drive.

Using GAT, enter the User Audit, then select “Quota” from the top bar.

Select 'Users'

It will display Quota available for all the users in your domain


It shows all the users and their Google account usage.

  • Quota available for individual users
  • Quota used out of the availability
  • Quota used for Drive only
  • Quota used for Gmail only
  • Quota used for Photos only

Remember you can use “Apply custom filter” to narrow the search down to find individual users, groups, organizational units and so on. Reports can also be generated based on the usage by individual users/groups.

Ways for GAT to Search for Two or More Users at Once

Examples of the different types of searches GAT can perform. Learn to get more out of GAT.

The Regular Expression Method

Select 'users'

select filter

 

Using Drive method

Click on 'drive'

Select filter

Note in this last example, you are searching for the more generic match of all docs in the accounts of the ‘Users’ in the group rather than the docs owned by ‘Owners’ (this wider search includes public documents which the ‘Users’ in the group may have viewed).

Find Inactive Accounts with GAT

To find inactive accounts with GAT, follow these steps:

In the GAT+, go to the ‘Users’ Audit and then select the ‘Basic’ tab.

Our first task is to find users who have not logged in during the past few weeks.

To do this we need to click on the ‘Apply custom filter’ button. When the menu appears, select the search parameter ‘Last login’ before or equal mm/dd/yyyy. In my example, I looked back for 2 months.

We can then export this list of accounts to a Google Sheet or download it as a CSV file.

If you want to suspend or remove these users in bulk, you can use the Import/Export feature in GAT+.

Measuring user engagement over the last 90 days

We can measure user engagement over the last 90 days (by counting Google Docs created in that time frame).

 

In Drive audit, click on the ‘Apply custom filter’ button.

apply the custom filter

In the Drive Files filters popup, click on ‘Add group’ and, in this group, select the following search parameters.

  • Type equal Document
  • Type equal Word

Note: This group is OR’d.

Outside of the group add an additional rule.

  • Created After or equal dd/mm/yyyy (look back 3 months)

Filters for Drive files

And then apply the filter.

 

When the results appear in the Drive result table, click on the ‘Export data’ button and select ‘Export to Google Sheet’.

A message will appear when the export is ready.

Data exported to your google drive

The spreadsheet will contain a lot more columns of data.

Google Drive Use Productivity Measured

select users

In the new Drive UI, under Users audit, we have added a tab called Drive Productivity.
Once it is selected, it shows the Drive Productivity for each individual user in the domain.
It shows all files owned by the user, and the number of Public, Public with a link, Shared out, Internal, Private, G Suite docs, spreadsheets and presentations created/updated last week.
All this information is available just by selecting the Drive Productivity tab.
The user can apply different filters at the top to gather different information, and even schedule a report on the activities of the users for a certain period of time.
For example, you can schedule a report for all users who created more than 100 G Suite docs and generate it every weekend.

Users Drive Filters

The general purpose of scheduling reports is to show user engagement with the overall Google Drive environment.