Data Source: G Suite Gmail

Description

Data source object for G Suite Gmail

Details

Property Value
Source http:gsuite
Sourcetype gsuite:gmail:bigquery

Supported Apps

Event Fields

Fields
- _time
- action_type
- attachment{}.file_extension_type
- attachment{}.malware_family
- attachment{}.sha256
- connection_info.authenticated_domain{}.name
- connection_info.authenticated_domain{}.type
- connection_info.client_host_zone
- connection_info.client_ip
- connection_info.dkim_pass
- connection_info.dmarc_pass
- connection_info.dmarc_published_domain
- connection_info.ip_geo_city
- connection_info.ip_geo_country
- connection_info.is_internal
- connection_info.is_intra_domain
- connection_info.smtp_in_connect_ip
- connection_info.smtp_out_connect_ip
- connection_info.smtp_out_remote_host
- connection_info.smtp_reply_code
- connection_info.smtp_response_reason
- connection_info.smtp_tls_cipher
- connection_info.smtp_tls_state
- connection_info.smtp_tls_version
- connection_info.smtp_user_agent_ip
- connection_info.spf_pass
- connection_info.tls_required_but_unavailable
- description
- destination{}.address
- destination{}.rcpt_response
- destination{}.selector
- destination{}.service
- destination{}.smime_decryption_success
- destination{}.smime_extraction_success
- destination{}.smime_parsing_success
- destination{}.smime_signature_verification_success
- eventtype
- flattened_destinations
- flattened_triggered_rule_info
- host
- index
- is_policy_check_for_sender
- is_spam
- linecount
- message_set{}.type
- num_message_attachments
- payload_size
- punct
- rfc2822_message_id
- smime_content_type
- smime_encrypt_message
- smime_extraction_success
- smime_packaging_success
- smime_sign_message
- smtp_relay_error
- source
- source.address
- source.from_header_address
- source.from_header_displayname
- source.selector
- source.service
- sourcetype
- spam_info
- splunk_server
- structured_policy_log_info
- subject
- tag
- tag::eventtype
- timestamp
- upload_error_category
  

Example Log (synthetic sample: the addresses, message ID and attachment hash are placeholders; note that some connection_info IP fields carry the string "null" rather than a JSON null, so searches that test for a missing value should account for both forms)

1{"action_type": 10, "rfc2822_message_id": "<CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC@mail.gmail.com>", "subject": "New Order DHL0000001 - Dummy email for Detection Development", "payload_size": 6733, "source": {"address": "john@external_test_email.com", "service": "gmail-for-work", "selector": "policy", "from_header_address": "john@external_test_email.com", "from_header_displayname": "john smith"}, "destination": [{"address": "peter@internal_test_email.com", "service": "smtp-outbound", "selector": "gmail-for-work", "smime_signature_verification_success": null, "smime_decryption_success": null, "smime_parsing_success": null, "smime_extraction_success": null, "rcpt_response": null}], "flattened_destinations": "smtp-outbound:gmail-for-work:peter@internal_test_email.com", "description": "", "connection_info": {"client_ip": "null", "smtp_in_connect_ip": null, "smtp_out_connect_ip": "null", "failed_smtp_out_connect_ip": [], "smtp_tls_state": 1, "smtp_reply_code": 250, "tls_required_but_unavailable": false, "smtp_out_remote_host": "internal_test_app.com", "smtp_user_agent_ip": "null", "is_intra_domain": false, "dmarc_pass": null, "dmarc_published_domain": null, "client_host_zone": null, "smtp_response_reason": null, "ip_geo_city": null, "ip_geo_country": null, "authenticated_domain": [{"name": "internal_test_email.com", "type": 2}, {"name": "internal_test_email.com", "type": 6}, {"name": "internal_test_email.com", "type": 1}], "is_internal": false, "dkim_pass": true, "spf_pass": true, "smtp_tls_version": "TLSv9.9", "smtp_tls_cipher": "TLS_AES"}, "is_spam": null, "is_policy_check_for_sender": false, "num_message_attachments": 1, "message_set": [{"type": 57}, {"type": 9}, {"type": 22}, {"type": 15}, {"type": 48}, {"type": 27}, {"type": 10}, {"type": 50}, {"type": 51}, {"type": 46}, {"type": 61}, {"type": 44}], "smtp_relay_error": null, "upload_error_category": null, "structured_policy_log_info": null, "triggered_rule_info": [], "flattened_triggered_rule_info": 
null, "smime_sign_message": null, "smime_encrypt_message": null, "smime_packaging_success": null, "smime_extraction_success": null, "smime_content_type": null, "link_domain": [], "attachment": [{"sha256": "1111111111111111111111111111111111111111111111111111111111111111", "file_extension_type": "zip", "malware_family": null}], "spam_info": null, "timestamp": 1629378633.802384}
