SANS Cheatsheet Google-Workspace

Uploaded by

allensc

Google Workspace Artifact Reference Guide

This reference guide provides a list of log events that are worth reviewing
when investigating Google Workspace incidents. The availability of some
events may be limited based on your subscription edition.

Admin Log Events

• Admin privileges grant
• 2-step verification
• User creation
• Data export initiated
• Change recovery email
• Delegated admin privileges grant
• Add privilege
• Assign role
• Add application to allowlist
• All third-party API access unblocked
• Enable non-admin user password recovery

Chat Log Events

• Attachment downloaded
• Attachment uploaded
• Direct message started
• Invite accept
• Room member added

Takeout Log Events

• User completed a takeout
• User downloaded a takeout
• User initiated a takeout
• User scheduled takeout(s)

Gmail Log Events

• Attachment download
• Attachment link click
• Link click
• Open
• Send
• Autoforward
• Late spam classification
• User spam classification

User Accounts Log Events

Sign-in Activity

• Failed login
• Leaked password
• Login challenge
• Login verification
• Logout
• Sensitive action allowed
• Successful login
• Suspicious login
• Suspicious login (less secure app)
• Suspicious programmatic login
• User signed out due to suspicious session cookie

Settings Changes

• Out of domain email forwarding enabled
• 2-step verification disable
• 2-step verification enroll
• Account password change
• Account recovery email change
• Account recovery phone change

User suspended

• User suspended (spam through relay)
• User suspended (spam)
• User suspended (suspicious activity)

Drive Log Events

• Download
• Edit
• Delete
• Trash
• Script trigger created
• Owner changed
• Owner changed from parent folder
• Change document visibility
• Shared drive settings change
• User sharing permissions change
• Change access scope
• Change ACL editors
• Change document visibility
• Change shared drive membership
• Change user access from parent folder

OAuth Log Events

• API call
• Request
• Grant
• Revoke
• Deny
