IBM QRadar


QRadar's integration with Google G Suite Activity

By Sophia Sampath posted Mon December 16, 2019 09:16 AM


IBM QRadar’s integration with Google G Suite Activity Reports and visibility of threat coverage across the MITRE ATT&CK framework

QRadar can now monitor audit activity events of the following types generated within your Google G Suite platform: Login, User Account, Google Drive, and Admin.

Overview


This integration gives an analyst insight into use cases such as the following:

  • Account disabled because Google has detected suspicious activity indicating it might have been compromised
  • User's information downloaded as CSV
  • User had admin privileges revoked
  • Actor has changed account recovery secret question/answer
  • Actor changed user's sharing permissions
  • Actor moved an item from source folder to destination folder
  • User has been suspended

Getting started


To get started, you can download the Google G Suite DSM and Protocol from IBM Fix Central. I’m using the QRadar Log Source Management app to configure and test my Google G Suite log source, and the testing feature for this log source is extremely useful as it runs through a handful of test cases to ensure that your connection settings to the Google G Suite platform are valid. In my scenario below, I had an invalid User Account in my configuration.


I went into my Google G Suite account to verify my User Account information and I was able to rectify my credentials, ran the test again in QRadar, and I can see that I can now collect Login, Admin, Google Drive and User Account events!



Another handy feature in the Log Source Management app is that you can select your Google G Suite log source and it takes you to a pre-filtered query in the Log Activity window showing the events associated with that log source.



Now that we’ve confirmed that we’re getting events, what next?

In my scenario, I’ve leveraged the QRadar Use Case Manager to manage and tune any threat detection use cases that are in my environment.

I’ve selected the default template for ‘Log Source types per rule’ as I want to understand why/how the rule is related to my Google G Suite log source.

Note: A rule in this case is considered related to log source types if it directly references the log source type or if it references a log source, QID, or event category that maps to the log source type.



I can clearly see the rules that are associated with my Google G Suite log source, such as Multiple Login Failures to the Same Destination, Chained Exploit Followed by Suspicious Events, Multiple Login Failures from the Same Source, and more.



I can further investigate the rule Multiple Login Failures to the Same Destination to visually understand my ability to detect threats based on MITRE ATT&CK tactics and techniques.
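As an added illustration (not code from this post or from IBM), here is a small Python model of two of the detections discussed above: a "Multiple Login Failures from the Same Source" style rule applied to G Suite Login audit events, and the single-event use cases from the list earlier in the post, such as an account disabled for suspected compromise. The records are constructed in the shape of the Admin SDK Reports API activity resource; the event names, threshold and window are assumptions, not values taken from the post.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in the shape of Admin SDK Reports API
# "admin#reports#activity" items (id.time, id.applicationName, actor.email,
# ipAddress, events[].name). Event names are assumed from the Login audit
# schema; they are not taken from the post.
def _act(ts, email, ip, name):
    return {"id": {"time": ts, "applicationName": "login"},
            "actor": {"email": email}, "ipAddress": ip,
            "events": [{"type": "login", "name": name}]}

SAMPLE_ACTIVITIES = [
    _act("2019-12-16T09:00:00.000Z", "alice@example.com", "198.51.100.7", "login_failure"),
    _act("2019-12-16T09:01:00.000Z", "alice@example.com", "198.51.100.7", "login_failure"),
    _act("2019-12-16T09:03:00.000Z", "carol@example.com", "203.0.113.5", "login_failure"),
    _act("2019-12-16T09:02:00.000Z", "alice@example.com", "198.51.100.7", "login_failure"),
    _act("2019-12-16T09:05:00.000Z", "bob@example.com", "198.51.100.9", "account_disabled_hijacked"),
    _act("2019-12-16T09:15:00.000Z", "carol@example.com", "203.0.113.5", "login_failure"),
]

FAILURE_THRESHOLD = 3          # assumed: failures from one source IP ...
WINDOW = timedelta(minutes=5)  # ... inside this sliding window
# Single events from the post's use-case list that warrant an alert on their own
HIGH_SEVERITY = {"account_disabled_hijacked": "account disabled: possible compromise",
                 "suspicious_login": "suspicious login"}

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")

def detect(activities):
    """Return alerts in time order: ('multiple_login_failures_same_source', ip, count)
    or ('high_severity', label, actor email)."""
    alerts, fired = [], set()
    failures = defaultdict(deque)  # source IP -> failure timestamps within WINDOW
    for act in sorted(activities, key=lambda a: a["id"]["time"]):
        t, ip = parse_time(act["id"]["time"]), act.get("ipAddress", "unknown")
        for ev in act["events"]:
            name = ev["name"]
            if name in HIGH_SEVERITY:
                alerts.append(("high_severity", HIGH_SEVERITY[name], act["actor"]["email"]))
            elif name == "login_failure":
                q = failures[ip]
                q.append(t)
                while t - q[0] > WINDOW:  # drop failures older than the window
                    q.popleft()
                if len(q) >= FAILURE_THRESHOLD and ip not in fired:
                    fired.add(ip)         # alert once per source IP
                    alerts.append(("multiple_login_failures_same_source", ip, len(q)))
    return alerts
```

Records are sorted by timestamp before evaluation, so the out-of-order entry for carol is handled correctly and her two failures, twelve minutes apart, never meet the threshold.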




To conclude, you can monitor Google G Suite Audit Activity events (Login, Admin, Google Drive, User Accounts) in QRadar today, for visibility into how your account’s users edit and view Google Drive documents, their login and logout activity, and more! For enhanced content, you can further investigate the rules using the QRadar Use Case Manager to help ensure that QRadar is optimally configured to accurately detect threats throughout the attack chain.
