Google Drive access alert

Hi, I am trying to create an alert in InsightIDR for Google Drive access from any web browser.
So if anyone accesses Google Drive from any browser, I need to get the alert in IDR.

How can I configure this?

My best guess is that the first requirement would be to have the Google apps event source configured and then go through the logs from the Google Apps event source. It’s been a while since I’ve seen those logs but there should be a field in the logs that mention the application in question being accessed. It’s very possible that you would need to check the box to say “send unparsed logs” to get those logs into IDR.

Typically that event source only pulls in the forensically valuable logs like the ingress authentications and the like, so I’m not entirely sure what the log would look like coming from Google for “opening Google Drive”.

I would guess you need an event source from a browser control source like Netskope or Websense to monitor for access to Google Drive. We currently block at that level for the vast majority of our users, apart from a very select few who require it for their job function, using Netskope, which works pretty well for us.

Hi John,

Really appreciate your feedback and efforts to help me.
So I have only three browsers installed on my endpoint - Chrome, Firefox & Edge - and I need to get the alerts whenever any logged-in user is accessing Google Drive from the endpoints or Windows laptops.

Have you checked the DNS logs by chance to see the google drive endpoint URL or something?

Hi John,

No, I haven't checked the DNS log and will try to look into it.
Is it possible to get an alert for accessing any URL like drive.google.com in the IDR?

Hi John,
I have checked the DNS log and found the data for users and assets which accessed drive.google.com.
Is there a way to configure an investigation or alert for this DNS log?

Thanks again

Yes, you can create custom alerts on any event source available. It starts by writing the query to match the criteria that you’re looking for from the event sources in question. Then you would create a pattern detection alert and set the priority, threshold, and alerting frequency of the alert.
https://docs.rapid7.com/insightidr/create-and-manage-custom-alerts/
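The three steps in the answer above (write a query that matches the DNS records, apply a threshold, and set an alerting frequency so the same user does not re-alert every few seconds) are normally done in the InsightIDR custom alert UI. The following Python script is an added example, not code from this thread or from Rapid7, that reproduces the same logic offline over a handful of constructed JSON DNS log lines, so you can sanity-check the match rule before building the real alert. The field names (`timestamp`, `asset`, `user`, `query`, `source_address`) and the log layout are assumptions and are not InsightIDR's actual schema; check them against an unparsed DNS log from your own event source.

```python
import json
from datetime import datetime, timedelta

# Constructed sample DNS log lines (not real InsightIDR output). Field names are
# assumptions; substitute the ones your DNS event source actually emits.
SAMPLE_DNS_LOGS = [
    '{"timestamp": "2024-03-01T09:00:00Z", "source_address": "10.0.0.5", "asset": "LAPTOP-01", "user": "alice", "query": "drive.google.com", "query_type": "A"}',
    '{"timestamp": "2024-03-01T09:00:02Z", "source_address": "10.0.0.5", "asset": "LAPTOP-01", "user": "alice", "query": "docs.google.com", "query_type": "A"}',
    '{"timestamp": "2024-03-01T09:05:00Z", "source_address": "10.0.0.5", "asset": "LAPTOP-01", "user": "alice", "query": "drive.google.com.", "query_type": "AAAA"}',
    '{"timestamp": "2024-03-01T09:30:00Z", "source_address": "10.0.0.7", "asset": "LAPTOP-02", "user": "bob", "query": "www.example.com", "query_type": "A"}',
    '{"timestamp": "2024-03-01T10:15:00Z", "source_address": "10.0.0.7", "asset": "LAPTOP-02", "user": "bob", "query": "DRIVE.GOOGLE.COM", "query_type": "A"}',
    '{"timestamp": "2024-03-01T11:00:00Z", "source_address": "10.0.0.5", "asset": "LAPTOP-01", "user": "alice", "query": "drive.google.com", "query_type": "A"}',
    'this line is not JSON and should be skipped, not crash the detection',
    '{"timestamp": "2024-03-01T11:00:05Z", "source_address": "10.0.0.9", "asset": "LAPTOP-03", "user": "carol", "query": "notdrive.google.com", "query_type": "A"}',
]

# Step 1 of the answer: the "query" part of the alert. Listed as exact domains
# so that a plain substring match does not also fire on look-alike names.
WATCHED_DOMAINS = ("drive.google.com",)


def parse_line(line):
    """Parse one JSON log line; return None for malformed or incomplete records."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or "query" not in rec or "timestamp" not in rec:
        return None
    rec["timestamp"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def matches_watched_domain(name):
    """True if the queried name is a watched domain or a subdomain of one.

    Normalises case and the trailing dot that DNS records often carry, and
    requires a label boundary so "notdrive.google.com" does not match.
    """
    q = name.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in WATCHED_DOMAINS)


def evaluate_alerts(lines, threshold=1, suppress_minutes=60):
    """Mimic a pattern-detection alert over a batch of log lines.

    threshold        - step 2: number of matching queries per (user, asset)
                       needed before one alert is raised
    suppress_minutes - step 3: alerting frequency; after an alert, further
                       matches for the same (user, asset) are ignored for
                       this long so a single session does not flood the queue
    Returns a list of alert dicts in time order.
    """
    records = [r for r in (parse_line(l) for l in lines) if r]
    records.sort(key=lambda r: r["timestamp"])
    counts, last_alert, alerts = {}, {}, []
    for rec in records:
        if not matches_watched_domain(rec["query"]):
            continue
        key = (rec.get("user", "unknown"),
               rec.get("asset", rec.get("source_address", "unknown")))
        ts = rec["timestamp"]
        last = last_alert.get(key)
        if last is not None and ts - last < timedelta(minutes=suppress_minutes):
            continue  # inside the suppression window: do not re-alert
        counts[key] = counts.get(key, 0) + 1
        if counts[key] >= threshold:
            alerts.append({"user": key[0], "asset": key[1],
                           "query": rec["query"], "time": ts.isoformat()})
            last_alert[key] = ts
            counts[key] = 0
    return alerts


if __name__ == "__main__":
    for a in evaluate_alerts(SAMPLE_DNS_LOGS):
        print(f"ALERT {a['time']} user={a['user']} asset={a['asset']} query={a['query']}")
```

With the defaults (threshold 1, 60-minute suppression) the sample yields three alerts: alice at 09:00, bob at 10:15, and alice again at 11:00 once her first alert has aged out of the window; her 09:05 lookup is swallowed by the suppression, and carol's `notdrive.google.com` never matches. Raising the threshold to 2 collapses that to a single alert for alice. The same tuning knobs are what the custom-alert page linked above exposes, and the label-boundary check in `matches_watched_domain` is the part worth carrying over into the real query.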