Introduction #
With all the publicity about breaches of servers containing Government Personnel data, it is a good time to consider how well you understand access to your Google cloud environment.
Servers on your LANs that have been breached, no matter what the path, will leave a packet trace that you can follow up to a suspicious device.
There is no guarantee that that device is the end-point, but at least you have the start of the path that law enforcement can then follow. In the Google cloud, how do you identify such suspicious activity?
Google is getting better at identifying and alerting users to suspicious activity, but good hackers will be well aware of the alarms Google set, so how do you as an Admin get the big picture and bring human intuition to bear on the collective pool of data? One tool GAT provides is ‘User Logins’.
Events Generated by Google Workspace Users #
Clicking on this audit area lets you analyze the login behavior on your Google Domain by several metrics, source, volume, success, failures, etc.
The screenshot above is from ‘Events tab’ and will give the big-picture view of worldwide accesses to your domain.
Are there logins from unexpected locations?
Clicking on the map marker shows the Email address, and all related information to this account such as IP Address, City, Country, Event and Date.
Users Logins can also be checked by clicking on the “Apply custom filter” button.
Where an admin can narrow down the search and extract more detailed information regarding an event.
For example, an Admin can search for all events with status “Login failure” this will fetch all the metadata results and it will displayed them on the map where these events actually occurred and also generate table for this.
Login IP Analysis #
In this tab, you can analysis unique Login IP and their corresponding locations. Each location may have a number of users connected.
Correcting Location of an IP address #
If you wish to correct of a given IP to make it more accurate. Use this Post to learn how. User Logins IP/Location Correction