Govern, Audit and Control G Suite with Microsoft! (Google Apps + Cloud App Security)

Does your organization use G Suite or Google Apps? Do you have these requirements?

  • Audit activity occurring in G Suite (user logons/logoffs, settings changed, files modified, etc.)?
  • Audit file activity (what files are being accessed, from where, how they are being accessed, etc.)?
  • Govern how G Suite is accessed (only from a managed device? only from a managed network? no downloads to a non-managed computer?)?
  • Scan files in G Suite for sensitive data?
  • And more!

In this blog we will explore how Microsoft Cloud App Security (CAS), part of Microsoft 365, can help you meet these requirements. For more information on connecting G Suite to CAS see this article. Let’s get started!

Note: Neither Microsoft, Matt Soseman nor this blog assumes any responsibility or offers any warranty as a result of following the instructions in this blog. This requires enabling and modifying APIs. Use at your own risk.

Configure G Suite within Microsoft Cloud App Security:

From within Cloud App Security, click Investigate then select Connected Apps:

Click the + sign and select G Suite:


Type in a name and click Connect G Suite:


We need to pull the appropriate details from G Suite. Open a new browser instance and navigate to your G Suite admin portal using your admin credentials:

Once signed in, navigate to https://cloud.google.com/console/project and click Create Project:


Give the project a name and click Create Project:


Click Google Cloud Platform then click Go To APIs Overview:


Click API Library and enable the following APIs:

Back on the APIs and Services screen, click Credentials, then click the OAuth Consent Screen. In Application Name type Microsoft Cloud App Security and click Save:


Back on the Credentials tab click Create Credentials and select Service Account Key:


Configure the Service Account Key and click Create. Copy the secret to a scratchpad area. Download the certificate.


Back on the Credentials screen click Manage Service Accounts:


Edit the Service Account:


Check the box next to Enable G Suite Domain Wide Delegation and click Save:


In the search box at the top type Google Drive API and press Enter:


Click on Drive UI Integration, and configure using the following parameters (you can get the icons from here) and click Save Changes when finished:



In the search box type G Suite Marketplace SDK and press Enter:


On the Configuration tab, copy the Project Number to a scratch pad area:


Upload the same icons you used previously, and configure the following URLs:


Configure the following URL scopes:

  • https://www.googleapis.com/auth/admin.reports.audit.readonly
  • https://www.googleapis.com/auth/admin.reports.usage.readonly
  • https://www.googleapis.com/auth/drive
  • https://www.googleapis.com/auth/drive.appdata
  • https://www.googleapis.com/auth/drive.apps.readonly
  • https://www.googleapis.com/auth/drive.file
  • https://www.googleapis.com/auth/drive.metadata.readonly
  • https://www.googleapis.com/auth/drive.readonly
  • https://www.googleapis.com/auth/drive.scripts
  • https://www.googleapis.com/auth/admin.directory.user.readonly
  • https://www.googleapis.com/auth/admin.directory.user.security
  • https://www.googleapis.com/auth/admin.directory.user.alias
  • https://www.googleapis.com/auth/admin.directory.orgunit
  • https://www.googleapis.com/auth/admin.directory.notifications
  • https://www.googleapis.com/auth/admin.directory.group.member
  • https://www.googleapis.com/auth/admin.directory.group
  • https://www.googleapis.com/auth/admin.directory.device.mobile.action
  • https://www.googleapis.com/auth/admin.directory.device.mobile
  • https://www.googleapis.com/auth/admin.directory.user


Under Visibility select My Domain and click Save Changes:


Browse back to

Microsoft Teams: Audit Log of Activity

Introduction: The purpose of this blog post is to describe how to use the audit log in Office 365 to understand what changes occurred in Microsoft Teams, when and by whom. For example, the date and time when a team was deleted and who deleted it. This can be extremely powerful evidence when conducting investigations.

What is the audit log? The audit log is a reporting tool that allows you to view both user and IT admin activity in Office 365. For example, when a user’s password was changed and by which IT admin, or when a user accessed their mailbox and the activity they performed while connected. This log is a unified log: all activities are recorded in a centralized location, allowing you to search them through a single console. The following services can be searched for user and administrator activity:

  • SharePoint
  • OneDrive
  • Exchange
  • Azure Active Directory
  • Sway
  • Microsoft Teams
  • Power BI
  • Yammer
  • Dynamics 365
  • File activities
  • Page activities
  • Folder activities
  • Sharing and access request activities
  • Synchronization activities
  • Site administration
  • Role administration activities
  • eDiscovery

How long is data stored? Activity in the audit log is stored for 90 days.

How do I access the audit log? The audit log is accessible in the Office 365 Admin Portal: browse to the Security & Compliance Admin Center -> Search & investigation -> Audit log search. It can also be accessed via the Office 365 Management API, and via PowerShell using Search-UnifiedAuditLog; see this article for more information.

How do I enable the audit log? By default, the audit log is disabled in your Office 365 tenant. In order for the activity to be recorded and searchable, the log needs to be enabled. Note that the audit log can be connected to a SIEM (Security Information and Event Management system) via the Office 365 Management API; see this article for more information. To enable the audit log in your tenant, in the Office 365 Admin Portal browse to the Security & Compliance Admin Center -> Search & investigation -> Audit log search. Click Start recording user and admin activities, then click Turn On:

In addition, the audit log can be turned on using PowerShell:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

What activity in Microsoft Teams is recorded? The following user and admin activity in Microsoft Teams is recorded to the Office 365 audit log:

  • Created team
  • Deleted team
  • Added channel
  • Deleted channel
  • Changed organization setting
  • Changed team setting
  • Changed channel setting
  • Changed setting (legacy)
  • User signed in to Teams
  • Added bot to team
  • Removed bot from team
  • Added Tab
  • Removed tab
  • Added connector
  • Removed Connector

How long does it take for activity to be written to the audit log? After the activity has been performed in the tenant (e.g. deleting a team), it can take up to 24 hours for that activity to be written to the audit log.

How do I search the audit log? You can search the audit log by specifying start/end dates/times, specific user accounts, or specific files, folders or sites.

What does the Microsoft Teams activity look like in the audit log? Below are screenshots of how Microsoft Teams activities appear in the audit log.

Filtering on Microsoft Teams:


Activity in the search results:


Details of a specific activity, in this example deleting a team:


Clicking on the hyperlink of the user’s email address, then clicking the Recent Activity tab, allows me to see all recorded activity by that user in Microsoft Teams:

Can I be alerted on specific activity?

In addition, I can create an alert for when specific activity occurs. In the search console click New Alert Policy. I will then title the alert “Microsoft Teams deleted team activity”, with a custom alert type, and filter on just the Deleted team activity. I will then ask it to send alerts to my global administrator and click Save when finished.
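As an added example (not from the original post), the following PowerShell performs the same search from the command line instead of the portal: it checks that ingestion is enabled, pulls the Teams "Deleted team" records for a date range with Search-UnifiedAuditLog, and expands the AuditData JSON so the result shows who deleted which team and when. It assumes an existing Exchange Online PowerShell session with audit log read permission; the operation name TeamDeleted and the TeamName field are assumed from the Teams audit record schema and should be verified in your tenant.

```powershell
# Added example, not from the original post. Assumes Connect-ExchangeOnline has
# already been run and the account holds a role that can read the audit log.

# Confirm unified audit log ingestion is on; the post enables it with
# Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is disabled; Teams activity is not being recorded."
}

# Search window: last 30 days (retention is 90 days). Remember that a new
# activity can take up to 24 hours to appear in the log.
$start = (Get-Date).AddDays(-30)
$end   = Get-Date

# RecordType MicrosoftTeams restricts results to Teams activity. The operation
# name TeamDeleted is assumed to map to the portal's "Deleted team" activity.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType MicrosoftTeams -Operations TeamDeleted -ResultSize 5000

# AuditData is a JSON string; expand it into the fields an investigator needs.
$deletions = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $r.CreationDate
        Who       = $r.UserIds
        Operation = $d.Operation
        TeamName  = $d.TeamName   # assumed field name in Teams audit records
    }
}

# Show the timeline and keep a CSV copy as an investigation record.
$deletions | Sort-Object When | Format-Table -AutoSize
$deletions | Export-Csv -Path .\teams-deletions.csv -NoTypeInformation
```

Add -UserIds to the Search-UnifiedAuditLog call to narrow the search to one account, which mirrors the Recent Activity view described above.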

Conclusion: Activity that a user and administrator performs in Microsoft Teams gets written to a centralized log enabling IT to search the log to provide evidence during either an investigation, routine audits or to be alerted when changes happen within the environment. If you have feedback, input or comments please let me know below. Enjoy!