
Drivewatch

Thinkst Applied Research

Overview

Drivewatch allows you to monitor your company's Google Drive for suspicious activity. It makes use of the Google Reports API: https://developers.google.com/admin-sdk/reports/v1/get-start/getting-started.

Installation

The tool is supported on Python 2.7. Install the dependencies using:

pip install -r REQUIREMENTS.txt

For instructions on installing python and pip see "The Hitchhiker's Guide to Python" Installation Guides.

Note: This has currently only been tested on MacOS and Linux systems. There may be some small hiccups on Windows boxes.

Required Steps

In order to use Drivewatch you will need a few things, including an account with Administrator privileges for the G Suite domain and a project in the Google Cloud console.

Follow these steps to get the Google side of things set up:

A new project will need to be created at https://console.cloud.google.com and the relevant APIs enabled. In this case the enabled applications are the "Admin SDK" and the "Apps Activity API".

Once the project has been created a new OAuth 2.0 Client ID will need to be created. This may be done under the Credentials tab of the newly created project. Keep the Client ID handy. Note: You'll also want to download the client_secret.json file here and make sure it's called "client_secret.json". You can replace the "client_secret.json" in the Drivewatch folder with this.

Now log into the admin homepage (Google Admin - Google Accounts), navigate to Security Settings and then head to Advanced. Under Advanced you will see an Authentication section; click Manage API client access. This will bring up a new page, and this is where the OAuth Client ID comes in handy. Create a new access rule using the Client ID in the Client Name field and the following for the Scopes field: https://www.googleapis.com/auth/admin.reports.audit.readonly. This gives the OAuth client access to the Reports API.

All that's needed now is to run the tool and log in via OAuth. Note: Make sure you are logged into the Admin account in your browser, as this is required for the OAuth step to work correctly.

Alert Types

Document Tokens: A specific document is monitored for activity. If the document is viewed, for example, an alert is generated.

User Tokens: A particular user is watched to monitor any activity that takes place in his/her drive. Note: User tokens will not be triggered by the tokened user themselves.

Threshold: Passive monitoring. Applies to all users in the organization. If a user views more than 30 unique documents within 24 hours, an alert is fired.

Baseline: Passive monitoring. Applies to all users in the organization. When the tool is first launched the history of each user (activity up to 180 days old) is parsed to build a baseline for each user. This is used to determine the average daily activity for each user. If a user goes above 120% of their average daily drive activity, an alert is fired. This baseline is updated every 24 hours.
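As an added example (not Drivewatch's own code), the two passive rules above implemented over Drive audit items in the shape the Reports API returns them (id.time, actor.email, events[].parameters[]); the averaging method (events in the period divided by its number of days) and the skipping of users without a baseline are assumptions, and the sample items are constructed:

```python
# Added example (not Drivewatch's code): Threshold and Baseline rules over Reports-API-shaped items.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

THRESHOLD_DOCS = 30      # Threshold: more than 30 unique docs viewed in 24 hours
BASELINE_FACTOR = 1.2    # Baseline: more than 120% of the user's daily average
WINDOW = timedelta(hours=24)

def doc_ids(item):  # doc_id parameters of every "view" event in one audit item
    return {p["value"] for ev in item["events"] if ev["name"] == "view"
            for p in ev.get("parameters", []) if p["name"] == "doc_id"}

def threshold_alerts(items):
    """Users who viewed more than THRESHOLD_DOCS unique docs in any 24h window."""
    per_user = defaultdict(list)
    for it in items:
        when = datetime.strptime(it["id"]["time"], "%Y-%m-%dT%H:%M:%S.%fZ")
        per_user[it["actor"]["email"]].append((when, doc_ids(it)))
    alerts = set()
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(evs):  # slide a 24h window from each event
            seen = set()
            for when, docs in evs[i:]:
                if when - start > WINDOW:
                    break
                seen |= docs
            if len(seen) > THRESHOLD_DOCS:
                alerts.add(user)
                break
    return alerts

def daily_average(history, days=180):
    """Per-user daily average: events in the baseline period / days in it (assumption)."""
    totals = Counter(it["actor"]["email"] for it in history)
    return {user: n / float(days) for user, n in totals.items()}

def baseline_alerts(baseline, todays_items):
    """Users above 120% of their baseline; users without a baseline are skipped (assumption)."""
    today = Counter(it["actor"]["email"] for it in todays_items)
    return {u for u, n in today.items()
            if u in baseline and n > BASELINE_FACTOR * baseline[u]}

def make_item(user, ts, doc):  # constructed audit item in Reports API shape (not real data)
    return {"id": {"time": ts}, "actor": {"email": user}, "events": [
        {"name": "view", "parameters": [{"name": "doc_id", "value": doc}]}]}

# Constructed sample: alice views 31 distinct docs within half an hour, bob views one.
SAMPLE = [make_item("alice@example.com", "2017-03-01T09:%02d:00.000Z" % i, "doc-%d" % i)
          for i in range(31)] + [make_item("bob@example.com", "2017-03-01T09:00:00.000Z", "doc-0")]
```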

Syslog Integration

Syslog is enabled by default. The messages are sent with the "drivewatch" program name at log level CRITICAL. These are logged to the local machine; remote logging will need to be configured in the syslog daemon's config.

Configuration

Configuring the tool is done via the file "config.json". Document tokens and User tokens can be specified here. Logging can also be enabled but is not recommended as it logs all Drive activity. Look at the "cfgs" directory for examples.

Running the tool

Now for the fun part! To run the tool simply run:

python driveWatch.py

If this is your first time running the tool you will be directed to a new tab on your web browser with steps to complete OAuth authentication. This will only need to be done once.

Now just sit back and relax while the alerts come through!

Discussion and Support

Please file bugs and feature requests as issues on GitHub after first searching to ensure a similar issue was not already filed. If such an issue already exists please give it a thumbs up reaction. Comments to issues containing additional information are certainly welcome.

License

The Drivewatch tool source (v1.0.0+) is provided under the Revised BSD License.

Copyright (c) 2017, Thinkst Applied Research
