All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Google Apps for Splunk: How to track google file ownership changes?

summitsplunk
Communicator
‎06-11-2019 06:09 PM

My current search looks like this:

index=smt_gsuite sourcetype=gapps:report:drive "events{}.name"=change_user_access | stats count by actor.email,events{}.parameters{}.owner,events{}.parameters{}.target_user

This query seems to show me the person who initiated the access change, the owner of the file and the user who now has access to the file.

What I cant seem to figure out how to do is specifically write a search that shows "ownership changes" to files not just access changes.

Has anyone used the gsuite for splunk app and been able to write a search that shows ownership changes?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...