Data Source: G Suite Gmail

Description

Logs Gmail activities in G Suite, including email sending, receiving, and access details, as well as potential security-related events.

Details

| Property | Value |
|---|---|
| Source | http:gsuite |
| Sourcetype | gsuite:gmail:bigquery |
| Name | Technique | Type |
|---|---|---|
| GSuite Email Suspicious Attachment | Spearphishing Attachment | Anomaly |
| Gsuite Email Suspicious Subject With Attachment | Spearphishing Attachment | Anomaly |
| Gsuite Email With Known Abuse Web Service Link | Spearphishing Attachment | Anomaly |
| Gsuite Outbound Email With Attachment To External Domain | Exfiltration Over Unencrypted Non-C2 Protocol | Hunting |

Supported Apps

Event Fields

Fields

- _time
- action_type
- attachment{}.file_extension_type
- attachment{}.malware_family
- attachment{}.sha256
- connection_info.authenticated_domain{}.name
- connection_info.authenticated_domain{}.type
- connection_info.client_host_zone
- connection_info.client_ip
- connection_info.dkim_pass
- connection_info.dmarc_pass
- connection_info.dmarc_published_domain
- connection_info.ip_geo_city
- connection_info.ip_geo_country
- connection_info.is_internal
- connection_info.is_intra_domain
- connection_info.smtp_in_connect_ip
- connection_info.smtp_out_connect_ip
- connection_info.smtp_out_remote_host
- connection_info.smtp_reply_code
- connection_info.smtp_response_reason
- connection_info.smtp_tls_cipher
- connection_info.smtp_tls_state
- connection_info.smtp_tls_version
- connection_info.smtp_user_agent_ip
- connection_info.spf_pass
- connection_info.tls_required_but_unavailable
- description
- destination{}.address
- destination{}.rcpt_response
- destination{}.selector
- destination{}.service
- destination{}.smime_decryption_success
- destination{}.smime_extraction_success
- destination{}.smime_parsing_success
- destination{}.smime_signature_verification_success
- eventtype
- flattened_destinations
- flattened_triggered_rule_info
- host
- index
- is_policy_check_for_sender
- is_spam
- linecount
- message_set{}.type
- num_message_attachments
- payload_size
- punct
- rfc2822_message_id
- smime_content_type
- smime_encrypt_message
- smime_extraction_success
- smime_packaging_success
- smime_sign_message
- smtp_relay_error
- source
- source.address
- source.from_header_address
- source.from_header_displayname
- source.selector
- source.service
- sourcetype
- spam_info
- splunk_server
- structured_policy_log_info
- subject
- tag
- tag::eventtype
- timestamp
- upload_error_category

Example Log

The record below is a synthetic sample (test domains, a subject marked "Dummy email for Detection Development", an all-ones SHA-256 and a placeholder TLS version), so none of its values should be treated as indicators. Note that some address fields carry the literal string "null" (client_ip, smtp_out_connect_ip, smtp_user_agent_ip) while others use JSON null, so searches that test these fields for absence need to handle both forms.

{"action_type": 10, "rfc2822_message_id": "<CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC@mail.gmail.com>", "subject": "New Order DHL0000001 - Dummy email for Detection Development", "payload_size": 6733, "source": {"address": "john@external_test_email.com", "service": "gmail-for-work", "selector": "policy", "from_header_address": "john@external_test_email.com", "from_header_displayname": "john smith"}, "destination": [{"address": "peter@internal_test_email.com", "service": "smtp-outbound", "selector": "gmail-for-work", "smime_signature_verification_success": null, "smime_decryption_success": null, "smime_parsing_success": null, "smime_extraction_success": null, "rcpt_response": null}], "flattened_destinations": "smtp-outbound:gmail-for-work:peter@internal_test_email.com", "description": "", "connection_info": {"client_ip": "null", "smtp_in_connect_ip": null, "smtp_out_connect_ip": "null", "failed_smtp_out_connect_ip": [], "smtp_tls_state": 1, "smtp_reply_code": 250, "tls_required_but_unavailable": false, "smtp_out_remote_host": "internal_test_app.com", "smtp_user_agent_ip": "null", "is_intra_domain": false, "dmarc_pass": null, "dmarc_published_domain": null, "client_host_zone": null, "smtp_response_reason": null, "ip_geo_city": null, "ip_geo_country": null, "authenticated_domain": [{"name": "internal_test_email.com", "type": 2}, {"name": "internal_test_email.com", "type": 6}, {"name": "internal_test_email.com", "type": 1}], "is_internal": false, "dkim_pass": true, "spf_pass": true, "smtp_tls_version": "TLSv9.9", "smtp_tls_cipher": "TLS_AES"}, "is_spam": null, "is_policy_check_for_sender": false, "num_message_attachments": 1, "message_set": [{"type": 57}, {"type": 9}, {"type": 22}, {"type": 15}, {"type": 48}, {"type": 27}, {"type": 10}, {"type": 50}, {"type": 51}, {"type": 46}, {"type": 61}, {"type": 44}], "smtp_relay_error": null, "upload_error_category": null, "structured_policy_log_info": null, "triggered_rule_info": [], "flattened_triggered_rule_info": null, "smime_sign_message": null, "smime_encrypt_message": null, "smime_packaging_success": null, "smime_extraction_success": null, "smime_content_type": null, "link_domain": [], "attachment": [{"sha256": "1111111111111111111111111111111111111111111111111111111111111111", "file_extension_type": "zip", "malware_family": null}], "spam_info": null, "timestamp": 1629378633.802384}

Source: GitHub | Version: 2