All Apps and Add-ons

Google Apps for Splunk: How to track google file ownership changes?


My current search looks like this:

index=smt_gsuite sourcetype=gapps:report:drive "events{}.name"=change_user_access | stats count by,events{}.parameters{}.owner,events{}.parameters{}.target_user

This query seems to show me the person who initiated the access change, the owner of the file and the user who now has access to the file.

What I cant seem to figure out how to do is specifically write a search that shows "ownership changes" to files not just access changes.

Has anyone used the gsuite for splunk app and been able to write a search that shows ownership changes?

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!