Google Workspace Overview

Welcome to our introductory series of posts designed to help you better understand user audit records from all kinds of SaaS systems. One of the major drivers behind what we’re building here at Turngate is the need to quickly gain clarity and understanding from a complex and interconnected pile of audit records. We’ve been digging through documentation, wiring up APIs, creating test data, and generally trying to get smarter on what all these logs mean and what’s useful to you. We’re taking that knowledge and codifying into our Turngate app with the goal of rapidly getting answers to questions about what’s happening in your enterprise - in this case, through a Google Workspace overview.

That said, we’ve been operators and system owners before. And we know that you don’t always have access to the tool you want to do your job. So, on the chance that you aren’t a Turngate customer (yet!), we’re launching our log overview blog series with the goal of making that part of your job easier. For every audit source we support, we’re going to provide you with some pointers and insight into how to access and gain understanding from the logs. Regardless if you’re a customer or not, we know you’re likely trying to solve a tactical problem right now and are trying to get the answer to “What the hell do all these logs mean?” Well, we’re here to help.

Introduction

Google Workspace. Is there anything it can’t do? It does mail, calendar, file-sharing, video conferencing, serves as an IdP, and integrates with a variety of third-party apps (probably slices, dices, and chops, too). For many organizations it’s the focal point of an employee’s experience. But with great power comes great complexity; Google Workspace is a fantastically complicated ecosystem that allows users (and attackers) to do more than you can imagine. 

Understanding what’s going on in your Google Workspace environment can be difficult. The good news: Google creates audit records that capture nearly every administrative and user activity on the platform. The bad news: Google’s documentation around these audit records can be confusing to access and understand.

As part of our work of providing clarity and understanding into Google Workspace audit records, Turngate staff has learned a ton about how the logging works and what to be on the lookout for. This article captures some of the high-level issues with Google Workspace audit logs as well as including the logs we look for when we’re doing investigations. If you’re interested in learning more about Turngate’s Google Workspace offering, contact us. If you just want to learn more about audit records through this Google Workspace overview, well then, read on.

Getting Access

There are two ways to access audit records for Google Workspace: via API, and via the Audit and Investigation web interface. API access is great if you want to pull all the logs into something like an ELK stack to do your own analysis and reporting of the audit data. That said, as with any API-based analysis, if this is new territory for you, there can be a steep learning curve to even get the data into a useful place, let alone get the answers you want from it. To simplify searching through audit logs, Google has an Audit and Investigation interface that directly searches the data in their infrastructure.

For those with more advanced Google Workspace licenses such as Enterprise Plus, Google also has an advanced Security Investigation tool. It’s a lightweight tool to manage investigative workflows and can provide useful insight (if you have access to it).

Accessing Logs via API

User and administrator audit records are accessed via the Google Workspace Reports API.  The Reports API is a RESTful interface that allows you to access all activity and usage data from Google and pull it into your own infrastructure. It’s part of the broader Admin SDK API, so obviously you’ll need to be an administrator to set up API access.

Accessing records of what your users are doing within Google Workspace is one of numerous highly sensitive activities an administrator can do. If you haven’t already, consider buying hardware tokens and requiring them for administrators in Google Workspace. There are several good options for hardware tokens but at Turngate we prefer Yubikey. YMMV of course, but honestly any hardware token is a HUGE step forward from using a software time-based one time password (TOTP) application. 

Accessing the Audit and Investigation Interface

In your Admin Console, navigate to Reporting -> Audit and Investigation and you’ll see the universe of audit records that you can search against. The search interface contains all the usual boolean operators and allows for some filtering to make logs easier to dig through.

The Audit and Investigation interface splits audit records into sections based on the type of activity; for instance, there are separate sections for Google Meet, Google Drive, LDAP events, SAML events, and hosts of others. This is great if you know exactly what you’re looking for because Google allows you to drill quickly into each service and search for the data you want. The challenge becomes if you’re not sure what you’re looking for or you’re trying to cross-correlate events between services. Be prepared to have lots of open tabs.

Understanding the Log Structure

From a raw formatting perspective, the Google Workspace logs are relatively easy to understand. Logs accessed via the API are supplied via JSON and are documented on Google’s website. If you haven’t worked with JSON data before, don’t fear. JSON is designed to be easy to parse programmatically, and Python makes it particularly straightforward (see this JSON in Python tutorial if you’re looking for a place to get started). 

If you’d rather use the Google Admin interface to access the logs, that’s cool too. In the Audit and Investigation section of the Reporting interface you can dig into the logs by service. The interface is tabular and you can generate reports in CSV to easily slice and dice the results. Some folks prefer Excel for working with CSVs, but honestly it’s incredible the work you can do with grep, cut, awk, and other Unix command line utilities. We’ll tackle that in a future blog post.

Be forewarned that different services log different attributes of access. So don’t expect the types of log data from Google Meet to be the same at Google Drive, for example. The vast majority of log entries will have a datestamp, an actor (ie: the account that did the action), and the IP address of the actor. Beyond that the attributes are highly contextual. The best way to understand what’s in each log entry is to dig into each application and familiarize yourself with the audit data.

Audit Entries of Interest

Obviously, when working a security investigation, the specifics of what you’re looking for vary based on the situation. However, there are some general events that we key into for basic understanding of what’s happening in Google Workspace and how an account is behaving. If you’re digging through on  your own, here are some important audit entries to look for:

‍

These are just a few examples of the hundreds of log types that Google Workspace creates. One of the great features of Google Workspace is also one of the largest concerns; Google logging is prolific and organized by application. In order to find what you want, first you need to know what you’re looking for, then you must figure out where to find it. Some logs are intuitive, others are not. It’s best to practice before you need to perform a real investigation.

Conversely, if you want someone to help you understand these logs quickly, you can check out our Turngate product. We can expedite analyzing Google Workspace logs by reducing investigations that often take hours into something that takes just a few minutes. We’ve got a Starter version that’s free to use and lets you get up and running with just a few clicks.

Google Workspace Administrator activity is generally speaking in caps:

DELEGATED_ADMIN
DOMAIN_SETTINGS
DOC_SETTINGS
SECURITY_SETTINGS
SITES_SETTINGS
APPLICATION_SETTINGS
USER_SETTINGS

This is an easy (but not foolproof) way to show that an administrator has made a configuration change. In a small set of cases Google Workspace regular activity is also in caps because a specific product team decides their product should also have all caps logs, for example:

data_studio.EDIT
jamboard.SCREENSAVER_TIMEOUT_CHANGE

Just like all squares are rectangles but not all rectangles are squares, all admin activities are all caps, but not all non-admin activities are lowercase.

PI and Confidential Information Considerations

Unsurprisingly, there is a lot of sensitive information in Google Workspace logs. All activity of all enterprise users is captured somewhere in the logs. Plus, many of these logs contain metadata beyond just account and IP information. Google Drive audit records will contain filenames and who specifically has been granted access to those files. While Jim in Accounting having access to “Untitled.txt” does leak much information, the entire executive team creating and actively editing “Employees to cut in upcoming RIF.doc” sure does have meaning. 

Google audit records are only available to those with administrative access to Google Workspace. However, if you export logs, be sure to properly secure them. Be aware that all logs will contain personal information and some will contain highly confidential information that needs to be protected according to your corporate security policies. Now is a good time to mention again that all administrative accounts should be protected with strong second-factor authentication like hardware token.

Parting Thoughts

Google has created a comprehensive audit log of user activity in Google Workspace, but honestly, its thorough approach can be a bit overwhelming and clunky to interact with while still finding the data you want (which is why we wrote this Google Workspace overview). However, we’d much rather have an overwhelming amount of data to shift through than no data at all. In general, Google makes it possible to answer the foundational questions of “Who had access to what, when, and what did they do with it?” 

They just don’t make it easy to find that answer. If you want easy, sign up today for information about our upcoming launch.