Data Source: G Suite Gmail

Logs Gmail activity in G Suite, including message sending, receiving and access details, as well as potential security-related events (for example, the SPF/DKIM/DMARC results, TLS state and attachment hashes that appear in the fields below).

Property Value
Source http:gsuite
Sourcetype gsuite:gmail:bigquery
Fields

_time
action_type
attachment{}.file_extension_type
attachment{}.malware_family
attachment{}.sha256
connection_info.authenticated_domain{}.name
connection_info.authenticated_domain{}.type
connection_info.client_host_zone
connection_info.client_ip
connection_info.dkim_pass
connection_info.dmarc_pass
connection_info.dmarc_published_domain
connection_info.ip_geo_city
connection_info.ip_geo_country
connection_info.is_internal
connection_info.is_intra_domain
connection_info.smtp_in_connect_ip
connection_info.smtp_out_connect_ip
connection_info.smtp_out_remote_host
connection_info.smtp_reply_code
connection_info.smtp_response_reason
connection_info.smtp_tls_cipher
connection_info.smtp_tls_state
connection_info.smtp_tls_version
connection_info.smtp_user_agent_ip
connection_info.spf_pass
connection_info.tls_required_but_unavailable
description
destination{}.address
destination{}.rcpt_response
destination{}.selector
destination{}.service
destination{}.smime_decryption_success
destination{}.smime_extraction_success
destination{}.smime_parsing_success
destination{}.smime_signature_verification_success
eventtype
flattened_destinations
flattened_triggered_rule_info
host
index
is_policy_check_for_sender
is_spam
linecount
message_set{}.type
num_message_attachments
payload_size
punct
rfc2822_message_id
smime_content_type
smime_encrypt_message
smime_extraction_success
smime_packaging_success
smime_sign_message
smtp_relay_error
source
source.address
source.from_header_address
source.from_header_displayname
source.selector
source.service
sourcetype
spam_info
splunk_server
structured_policy_log_info
subject
tag
tag::eventtype
timestamp
upload_error_category
...
not set
1{"action_type": 10, "rfc2822_message_id": "<CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC@mail.gmail.com>", "subject": "New Order DHL0000001 - Dummy email for Detection Development", "payload_size": 6733, "source": {"address": "john@external_test_email.com", "service": "gmail-for-work", "selector": "policy", "from_header_address": "john@external_test_email.com", "from_header_displayname": "john smith"}, "destination": [{"address": "peter@internal_test_email.com", "service": "smtp-outbound", "selector": "gmail-for-work", "smime_signature_verification_success": null, "smime_decryption_success": null, "smime_parsing_success": null, "smime_extraction_success": null, "rcpt_response": null}], "flattened_destinations": "smtp-outbound:gmail-for-work:peter@internal_test_email.com", "description": "", "connection_info": {"client_ip": "null", "smtp_in_connect_ip": null, "smtp_out_connect_ip": "null", "failed_smtp_out_connect_ip": [], "smtp_tls_state": 1, "smtp_reply_code": 250, "tls_required_but_unavailable": false, "smtp_out_remote_host": "internal_test_app.com", "smtp_user_agent_ip": "null", "is_intra_domain": false, "dmarc_pass": null, "dmarc_published_domain": null, "client_host_zone": null, "smtp_response_reason": null, "ip_geo_city": null, "ip_geo_country": null, "authenticated_domain": [{"name": "internal_test_email.com", "type": 2}, {"name": "internal_test_email.com", "type": 6}, {"name": "internal_test_email.com", "type": 1}], "is_internal": false, "dkim_pass": true, "spf_pass": true, "smtp_tls_version": "TLSv9.9", "smtp_tls_cipher": "TLS_AES"}, "is_spam": null, "is_policy_check_for_sender": false, "num_message_attachments": 1, "message_set": [{"type": 57}, {"type": 9}, {"type": 22}, {"type": 15}, {"type": 48}, {"type": 27}, {"type": 10}, {"type": 50}, {"type": 51}, {"type": 46}, {"type": 61}, {"type": 44}], "smtp_relay_error": null, "upload_error_category": null, "structured_policy_log_info": null, "triggered_rule_info": [], "flattened_triggered_rule_info": 
null, "smime_sign_message": null, "smime_encrypt_message": null, "smime_packaging_success": null, "smime_extraction_success": null, "smime_content_type": null, "link_domain": [], "attachment": [{"sha256": "1111111111111111111111111111111111111111111111111111111111111111", "file_extension_type": "zip", "malware_family": null}], "spam_info": null, "timestamp": 1629378633.802384}

Source: GitHub | Version: 2