Auditing GSuite Login Activity

Often, during incident response activities, the responder is overwhelmed with data. Tools that automate the analysis and enrichment of that data are crucial.

This is the concept behind many SIEM tools, as well as Cortex, the analyzer engine of TheHive, one of my favorite incident response collaboration tools.

While Google makes many relevant reports available to admins of GSuite domains, the reports are certainly lacking from a DFIR perspective. That is what prompted me to begin working on a GSuite DFIR Response tool that would utilize the GSuite Admin SDK API for retrieving and enriching GSuite log data during a compromise assessment, incident response or just a routine security audit.

During a recent engagement, I realized the need to automate analysis of GSuite account login activity. So, out of recent necessity, I started this larger project by writing one of the many planned tools the suite will include. This tool enhances the Login Activity reports made available by the GSuite Admin console by adding geographic data.

Not only can we plot login activity on an interactive global map, but each plot carries metadata indicating the activity type. For activities that should draw attention, circles are slightly larger, more opaque and use bold colors like red or orange. More common activities are smaller and a less alarming blue. This behavior is easily customized by editing the following dictionary in the script. Each level is matched by substring against the event description, so the first level whose trigger keyword appears wins:

    levels = {
        'warning': {                      # failed logins: largest, fully opaque, red
            'color': "Red",
            'opacity': 1,
            'size': 8,
            'triggers': ["failed"]        # keywords that assign this level
        },
        'caution': {                      # login challenges (2SV prompts etc.)
            'color': "Orange",
            'opacity': 0.8,
            'size': 7,
            'triggers': ["challenge"]
        },
        'common': {                       # routine sessions: smallest, most transparent
            'color': "Blue",
            'opacity': 0.6,
            'size': 6,
            'triggers': ["logged in", "logged out"]
        },
    }

Here's what it looks like on the map...

And with hover tooltips

For my recent use case, the most important observable had little to do with color coding... Simply seeing all of the plots and identifying the outliers was tremendously helpful.

This tool helped identify activity relevant to the incident response effort by immediately showing geographic login activity that was not normal for this domain.

Which of these logins is very much not like the others?

Unless you have employees in Nigeria, Israel or India, you probably should not see an employee account authenticating from these countries many times over the course of a few months.

Here is a fun interactive map using fake data. If it doesn't load, try refreshing the page. That file is hosted by Github, don't blame me ¯\_(ツ)_/¯

Do you know where your users' logins are coming from?

Simply export the CSV version of the Login Audit Report, install a few prerequisites, run the script, and next thing you know you're looking at an interactive map of your domain's login activity.
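The two pieces of the workflow described above, the keyword-to-level classification from the `levels` dictionary and the "which login is not like the others" country check, as an added example that is not the script from the post or the GitHub project. It assumes a handful of CSV column names (`Date`, `Event Description`, `User`, `IP Address`), which are a guess at the shape of the Login Audit export rather than its exact header, and it substitutes a small inline IP-to-country table (`GEO`, hypothetical) for the GeoIP lookup the real tool performs, so it runs offline. The sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample in the rough shape of a GSuite Login Audit CSV export.
# The column names are an assumption for this example, not the real header.
SAMPLE_CSV = """Date,Event Description,User,IP Address
2018-01-03T09:12:00Z,alice@example.com logged in,alice@example.com,198.51.100.10
2018-01-03T17:30:00Z,alice@example.com logged out,alice@example.com,198.51.100.10
2018-01-04T02:41:00Z,alice@example.com failed login,alice@example.com,203.0.113.7
2018-01-04T02:43:00Z,Login challenge for alice@example.com,alice@example.com,203.0.113.7
2018-01-04T02:45:00Z,alice@example.com logged in,alice@example.com,203.0.113.7
2018-01-05T08:05:00Z,bob@example.com logged in,bob@example.com,198.51.100.22
"""

# Hypothetical IP -> ISO country table standing in for a GeoIP database lookup.
GEO = {
    "198.51.100.10": "US",
    "198.51.100.22": "US",
    "203.0.113.7": "NG",
}

# Same shape as the post's dictionary; order matters because the first match wins.
levels = {
    'warning': {'color': "Red", 'opacity': 1, 'size': 8, 'triggers': ["failed"]},
    'caution': {'color': "Orange", 'opacity': 0.8, 'size': 7, 'triggers': ["challenge"]},
    'common': {'color': "Blue", 'opacity': 0.6, 'size': 6, 'triggers': ["logged in", "logged out"]},
}
UNKNOWN_STYLE = {'color': "Gray", 'opacity': 0.5, 'size': 5}


def classify(description):
    """Return the first level whose trigger keyword appears in the event text (case-insensitive)."""
    text = description.lower()
    for name, cfg in levels.items():
        if any(trigger in text for trigger in cfg['triggers']):
            return name
    return 'unknown'


def enrich(csv_text, geo=GEO):
    """Parse the export and attach a country plus the marker style for each event."""
    markers = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        level = classify(row['Event Description'])
        style = levels.get(level, UNKNOWN_STYLE)
        markers.append({
            'date': row['Date'],
            'user': row['User'],
            'ip': row['IP Address'],
            'country': geo.get(row['IP Address'], 'unknown'),
            'level': level,
            'color': style['color'],
            'opacity': style['opacity'],
            'size': style['size'],
        })
    return markers


def outlier_countries(markers, expected):
    """Countries seen in the log that are outside the set where the domain has employees, with counts."""
    counts = Counter(m['country'] for m in markers)
    return {country: n for country, n in counts.items() if country not in expected}


if __name__ == "__main__":
    events = enrich(SAMPLE_CSV)
    for e in events:
        print(f"{e['date']} {e['user']:<20} {e['country']:<8} {e['level']:<8} ({e['color']})")
    print("outliers:", outlier_countries(events, expected={"US"}))
```

Feeding the marker list to whatever mapping library you prefer is then a matter of mapping `country` (or a real latitude/longitude from the GeoIP lookup) to a point and `color`, `opacity` and `size` to the circle style; the outlier dictionary is the textual equivalent of scanning the map for the dots that do not belong.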

Check it out on Github.

Eric Capuano

Eric Capuano is an Information Security professional serving state and federal government as well as SMBs, start-ups and non-profits. Also, a member of the Packet Hacking Village team at DEFCON.