Workspace_Activity Download: Who done it?

I'm looking at events in Chronicle with

metadata.log_type = "WORKSPACE_ACTIVITY"
metadata.product_name = "drive"
metadata.product_event_type = "download"

But I'm not seeing any field that would indicate who downloaded the files or from where. I'm wondering if I'm not understanding something in the log events correctly, or if there is somewhere else I should be looking to correlate downloaded files with who downloaded them and from where.

Any pointers would be much appreciated.

ACCEPTED SOLUTION

In the raw log from Workspace, the actor.email is the person who downloaded the file. This actually gets translated to 2 places in the UDM - principal.user.email_addresses and security_result.about.email.

In the raw log from Workspace, the ipAddress field has the IP that downloaded the file. This is translated in the UDM to principal.ip, and then subsequently enriched in other principal.ip_geo_artifact fields.

Not all Workspace Drive activity "download" events will contain an ipAddress or actor.email. Files that are shared publicly can be anonymously downloaded, in which case you will not get either field in the raw log from Workspace. For files that are shared with other Google users outside of your Workspace domain, you may see the actor.email in the raw log from Workspace (if the Drive file is shared directly with that Google user and not just "anyone with the link"). For Drive download events by users outside of your Workspace domain (like @gmail.com), you will not get the ipAddress field.

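As an added illustration (not part of the original thread or of Chronicle itself), the following Python applies the UDM mapping from the answer to a few constructed UDM-shaped download events and classifies each one as internal, external or anonymous depending on which fields are present. The sample events and WORKSPACE_DOMAIN are assumptions; the field paths follow the answer above.

```python
"""Applies the UDM field mapping described above to constructed Drive download events."""
WORKSPACE_DOMAIN = "example.com"  # assumed tenant domain, used to split internal vs external
def meta(event_type):  # metadata block shared by the constructed sample events
    return {"log_type": "WORKSPACE_ACTIVITY", "product_name": "drive", "product_event_type": event_type}

# Constructed UDM-shaped events (not real Chronicle data); paths follow the answer.
SAMPLE_EVENTS = [
    # Internal user: actor.email and ipAddress both present, IP geo-enriched.
    {"metadata": meta("download"),
     "principal": {"user": {"email_addresses": ["alice@example.com"]},
                   "ip": ["203.0.113.10"],
                   "ip_geo_artifact": [{"location": {"country_or_region": "US"}}]},
     "security_result": [{"about": {"email": "alice@example.com"}}]},
    # External Google account: actor.email present, no ipAddress in the raw log.
    {"metadata": meta("download"),
     "principal": {"user": {"email_addresses": ["bob@gmail.com"]}},
     "security_result": [{"about": {"email": "bob@gmail.com"}}]},
    # Anonymous download of an "anyone with the link" file: neither field.
    {"metadata": meta("download"), "principal": {}},
    # Not a download; the filter must drop it.
    {"metadata": meta("view"),
     "principal": {"user": {"email_addresses": ["alice@example.com"]}}},
]

def is_drive_download(event):
    """The same three conditions as the UDM search in the question."""
    m = event.get("metadata", {})
    return (m.get("log_type") == "WORKSPACE_ACTIVITY"
            and m.get("product_name") == "drive"
            and m.get("product_event_type") == "download")

def describe(event):
    """Who/where for one download, tolerating the fields the answer says may be absent."""
    p = event.get("principal", {})
    emails = p.get("user", {}).get("email_addresses", [])
    actor = emails[0] if emails else None
    ips = p.get("ip", [])
    geo = p.get("ip_geo_artifact", [])
    country = geo[0].get("location", {}).get("country_or_region") if geo else None
    if actor is None:
        category = "anonymous"  # public-link download: no actor.email, no ipAddress
    elif actor.lower().endswith("@" + WORKSPACE_DOMAIN):
        category = "internal"
    else:
        category = "external"   # Google user outside the domain: no ipAddress either
    return {"actor": actor, "ip": ips[0] if ips else None, "country": country, "category": category}

def triage(events):
    return [describe(e) for e in events if is_drive_download(e)]
```

Running triage(SAMPLE_EVENTS) yields three records; the anonymous and external ones carry no IP, which is exactly the gap the answer warns about when you try to answer "who and from where" for public or cross-domain shares.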
