data_sources/g_suite_gmail.yml

name: G Suite Gmail
id: 706c3978-41de-406b-b6e0-75bd01e12a5d
version: 2
date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs Gmail activities in G Suite, including email sending, receiving,
  and access details, as well as potential security-related events.
mitre_components:
- Application Log Content
- User Account Metadata
- Email Metadata
- Cloud Service Metadata
source: http:gsuite
sourcetype: gsuite:gmail:bigquery
supported_TA:
  - name: Splunk Add-on for Google Workspace
    url: https://splunkbase.splunk.com/app/5556
    version: 3.0.3
fields:
  - _time
  - action_type
  - attachment{}.file_extension_type
  - attachment{}.malware_family
  - attachment{}.sha256
  - connection_info.authenticated_domain{}.name
  - connection_info.authenticated_domain{}.type
  - connection_info.client_host_zone
  - connection_info.client_ip
  - connection_info.dkim_pass
  - connection_info.dmarc_pass
  - connection_info.dmarc_published_domain
  - connection_info.ip_geo_city
  - connection_info.ip_geo_country
  - connection_info.is_internal
  - connection_info.is_intra_domain
  - connection_info.smtp_in_connect_ip
  - connection_info.smtp_out_connect_ip
  - connection_info.smtp_out_remote_host
  - connection_info.smtp_reply_code
  - connection_info.smtp_response_reason
  - connection_info.smtp_tls_cipher
  - connection_info.smtp_tls_state
  - connection_info.smtp_tls_version
  - connection_info.smtp_user_agent_ip
  - connection_info.spf_pass
  - connection_info.tls_required_but_unavailable
  - description
  - destination{}.address
  - destination{}.rcpt_response
  - destination{}.selector
  - destination{}.service
  - destination{}.smime_decryption_success
  - destination{}.smime_extraction_success
  - destination{}.smime_parsing_success
  - destination{}.smime_signature_verification_success
  - eventtype
  - flattened_destinations
  - flattened_triggered_rule_info
  - host
  - index
  - is_policy_check_for_sender
  - is_spam
  - linecount
  - message_set{}.type
  - num_message_attachments
  - payload_size
  - punct
  - rfc2822_message_id
  - smime_content_type
  - smime_encrypt_message
  - smime_extraction_success
  - smime_packaging_success
  - smime_sign_message
  - smtp_relay_error
  - source
  - source.address
  - source.from_header_address
  - source.from_header_displayname
  - source.selector
  - source.service
  - sourcetype
  - spam_info
  - splunk_server
  - structured_policy_log_info
  - subject
  - tag
  - tag::eventtype
  - timestamp
  - upload_error_category
example_log:
  '{"action_type": 10, "rfc2822_message_id": "<CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC@mail.gmail.com>",
  "subject": "New Order DHL0000001 - Dummy email for Detection Development", "payload_size":
  6733, "source": {"address": "john@external_test_email.com", "service": "gmail-for-work",
  "selector": "policy", "from_header_address": "john@external_test_email.com", "from_header_displayname":
  "john smith"}, "destination": [{"address": "peter@internal_test_email.com", "service":
  "smtp-outbound", "selector": "gmail-for-work", "smime_signature_verification_success":
  null, "smime_decryption_success": null, "smime_parsing_success": null, "smime_extraction_success":
  null, "rcpt_response": null}], "flattened_destinations": "smtp-outbound:gmail-for-work:peter@internal_test_email.com",
  "description": "", "connection_info": {"client_ip": "null", "smtp_in_connect_ip":
  null, "smtp_out_connect_ip": "null", "failed_smtp_out_connect_ip": [], "smtp_tls_state":
  1, "smtp_reply_code": 250, "tls_required_but_unavailable": false, "smtp_out_remote_host":
  "internal_test_app.com", "smtp_user_agent_ip": "null", "is_intra_domain": false,
  "dmarc_pass": null, "dmarc_published_domain": null, "client_host_zone": null, "smtp_response_reason":
  null, "ip_geo_city": null, "ip_geo_country": null, "authenticated_domain": [{"name":
  "internal_test_email.com", "type": 2}, {"name": "internal_test_email.com", "type":
  6}, {"name": "internal_test_email.com", "type": 1}], "is_internal": false, "dkim_pass":
  true, "spf_pass": true, "smtp_tls_version": "TLSv9.9", "smtp_tls_cipher": "TLS_AES"},
  "is_spam": null, "is_policy_check_for_sender": false, "num_message_attachments":
  1, "message_set": [{"type": 57}, {"type": 9}, {"type": 22}, {"type": 15}, {"type":
  48}, {"type": 27}, {"type": 10}, {"type": 50}, {"type": 51}, {"type": 46}, {"type":
  61}, {"type": 44}], "smtp_relay_error": null, "upload_error_category": null, "structured_policy_log_info":
  null, "triggered_rule_info": [], "flattened_triggered_rule_info": null, "smime_sign_message":
  null, "smime_encrypt_message": null, "smime_packaging_success": null, "smime_extraction_success":
  null, "smime_content_type": null, "link_domain": [], "attachment": [{"sha256": "1111111111111111111111111111111111111111111111111111111111111111",
  "file_extension_type": "zip", "malware_family": null}], "spam_info": null, "timestamp":
  1629378633.802384}'