Binalyze Knowledge Base
Tornado Collectors

Microsoft Office 365 (O365)

Mail Data

  • Mail Collection: Collects users' emails, including sent, received, and stored messages, to analyze communication patterns and user preferences.

Entra Data

  • Entra Sign-In Logs: Detailed logs of user sign-in activities, including timestamps, IP addresses, device information, and authentication status, for monitoring and analyzing access behavior.

  • Entra Audit Logs: Records of administrative actions and configuration changes within the Microsoft Entra environment, providing insights into system modifications and security settings.


Google Workspace (GWS)

Mail Data

  • Mail Collection: This feature collects users' emails, including sent, received, and stored messages, to analyze communication patterns and preferences.

  • Email History Information (the 'Gmail History' data type): Records of changes to a mailbox (messages added, deleted, or relabelled) since a given History ID, rather than a full copy of the mailbox; see Gmail History Collection below.

  • Label Usage Information: Tracks how users organize their emails using labels.

  • Email Settings Information: Captures email account settings, including signatures, filters, and auto-responders.

Gmail History Collection in Tornado

When you select 'Gmail History' as the data type for a collection in Tornado, you must enter a History ID. A History ID is Gmail's per-mailbox change marker; it tells the collection where in the mailbox's change history to start.

What Are History IDs?

  • History IDs are the cursor of the Gmail API's change-tracking system (users.history.list). Each mailbox has a History ID that increases over time (the values are not contiguous), and every message addition, deletion, or label change is recorded as a history record with its own ID.

  • Given a starting History ID, the collection fetches only the changes recorded after that point (messages added, messages deleted, labels added or removed) instead of the whole mailbox.

What If I Don’t Know the History ID?

  • Without a valid History ID, Tornado cannot proceed with a Gmail History collection: the Gmail API requires a starting History ID (startHistoryId) to determine where to begin returning changes.

  • Most users will not know their mailbox's History ID offhand; it is only exposed through the Gmail API and through previous collections.

How to Find a History ID:

  • From Previous Collections: Tornado records the last History ID reached by each completed Gmail collection. You can find it in the case details or logs and use it as the starting point of the next incremental collection.

  • Using the Gmail API: users.getProfile returns the mailbox's current History ID in its historyId field, and users.history.list (which itself needs a startHistoryId) returns the mailbox's current historyId alongside the changes. Gmail keeps history records only for a limited time (typically at least a week); if the starting History ID is older than the retained window, the API answers HTTP 404 and a full, non-incremental collection is required.

Best Practices:

  • For an initial collection, or when you do not need incremental updates, select another Gmail data type such as 'Mail Data', which does not require a History ID.

  • After each Gmail collection, note the History ID it ended at. Starting the next collection from that value returns only the changes made since, and avoids re-collecting the whole mailbox.
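The incremental collection that a History ID drives, as an added Python example (it is not Tornado's code and makes no network calls). The request and response shapes follow the public Gmail API (users.getProfile, users.history.list, users.messages.list); the client interface, the HistoryTooOld exception and the FakeGmailClient with its constructed history pages are assumptions made for this illustration. It walks users.history.list from a starting History ID, records the mailbox's current historyId for the next run, and falls back to a full messages.list baseline when no History ID is given or the supplied one is older than Gmail's retention window (the HTTP 404 case).

```python
"""Incremental Gmail collection driven by History IDs.

Added illustration; not Tornado's code, no network access. Request and
response shapes follow the public Gmail API. The client interface,
HistoryTooOld and FakeGmailClient (constructed data) are assumptions.
"""
from dataclasses import dataclass, field


class HistoryTooOld(Exception):
    """Gmail no longer has records for startHistoryId (HTTP 404 in the real API)."""


@dataclass
class CollectionResult:
    mode: str                                   # "incremental" or "full"
    added: set = field(default_factory=set)     # message IDs to fetch
    deleted: set = field(default_factory=set)   # message IDs gone from the mailbox
    relabelled: set = field(default_factory=set)
    next_history_id: str = ""                   # store this for the next run


def collect_incremental(client, user_id, start_history_id):
    """Walk users.history.list pages from start_history_id to the present."""
    result = CollectionResult(mode="incremental")
    page_token = None
    while True:
        page = client.history_list(user_id, start_history_id, page_token)
        for record in page.get("history", []):
            for item in record.get("messagesAdded", []):
                result.added.add(item["message"]["id"])
            for item in record.get("messagesDeleted", []):
                result.deleted.add(item["message"]["id"])
            for item in record.get("labelsAdded", []) + record.get("labelsRemoved", []):
                result.relabelled.add(item["message"]["id"])
        result.next_history_id = page["historyId"]   # mailbox's current History ID
        page_token = page.get("nextPageToken")
        if not page_token:
            break
    # Added and then deleted inside the window: messages.get would 404, so skip it.
    result.added -= result.deleted
    return result


def collect_full(client, user_id):
    """Baseline: list every message. Take the History ID before listing, so
    changes made during the listing are replayed by the next incremental run."""
    start = client.get_profile(user_id)["historyId"]
    result = CollectionResult(mode="full", next_history_id=start)
    page_token = None
    while True:
        page = client.messages_list(user_id, page_token)
        result.added.update(m["id"] for m in page.get("messages", []))
        page_token = page.get("nextPageToken")
        if not page_token:
            break
    return result


def collect(client, user_id, start_history_id=None):
    """No History ID -> full collection; expired History ID -> fall back to full."""
    if start_history_id is None:
        return collect_full(client, user_id)
    try:
        return collect_incremental(client, user_id, start_history_id)
    except HistoryTooOld:
        return collect_full(client, user_id)


class FakeGmailClient:
    """Test double with constructed data (assumption). A real adapter would wrap
    service.users().history().list(...).execute() and map HTTP 404 to HistoryTooOld."""
    OLDEST_RETAINED = 1000   # records older than this have expired
    CURRENT = "1200"
    PAGES = {
        None: {"historyId": CURRENT, "nextPageToken": "p2", "history": [
            {"id": "1010", "messagesAdded": [{"message": {"id": "m1", "threadId": "t1", "labelIds": ["INBOX"]}}]},
            {"id": "1020", "labelsAdded": [{"message": {"id": "m0", "threadId": "t0"}, "labelIds": ["STARRED"]}]},
        ]},
        "p2": {"historyId": CURRENT, "history": [
            {"id": "1100", "messagesAdded": [{"message": {"id": "m2", "threadId": "t2", "labelIds": ["INBOX"]}}]},
            {"id": "1150", "messagesDeleted": [{"message": {"id": "m2", "threadId": "t2"}}]},
        ]},
    }
    MESSAGES = [{"id": "m0", "threadId": "t0"}, {"id": "m1", "threadId": "t1"}]

    def get_profile(self, user_id):
        return {"emailAddress": user_id, "messagesTotal": 2, "historyId": self.CURRENT}

    def history_list(self, user_id, start_history_id, page_token=None):
        if int(start_history_id) < self.OLDEST_RETAINED:
            raise HistoryTooOld(start_history_id)
        return self.PAGES[page_token]

    def messages_list(self, user_id, page_token=None):
        return {"messages": list(self.MESSAGES), "resultSizeEstimate": 2}
```

Calling collect(FakeGmailClient(), "alice@example.com", "1000") returns the message IDs added (m1), deleted (m2) and relabelled (m0) since History ID 1000, with next_history_id "1200" to store for the next incremental collection; passing "900", which is older than the fake retention window, falls back to a full baseline, as does omitting the History ID altogether. In a real adapter built on google-api-python-client, the expired-ID case surfaces as an HttpError whose resp.status is 404.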

Drive Activities

  • Drive Usage Activities: This feature tracks activities on Google Drive, such as file sharing, editing, and viewing history.

Reports Data

  • Access Transparency Reports: Logs of actions taken on your organization's data by Google personnel, as recorded by Access Transparency.

  • Admin Activity Reports: Records of admin actions and activities.

  • Calendar Usage Reports: Provides data on Google Calendar usage and event details.

  • Chat Messaging Data: Collects user messages and interactions in Google Chat.

  • Browser Usage Reports: Tracks activity and usage data from the Chrome browser.

  • Context-Aware Access Reports: Reports on conditional access settings, such as device or location-based access.

  • Data Studio Reports: Visualizations and insights created using Google Data Studio.

  • Drive Storage Reports: General reports on storage usage and file-sharing activities in Google Drive.

  • Google Cloud Platform Usage Reports: Logs of usage and activity on Google Cloud Platform (GCP).

  • Google+ Usage History: Historical data for the discontinued Google+ service.

  • Group Usage Information: Data on usage and interactions in Google Groups.

  • Enterprise Group Usage Reports: Advanced insights into enterprise-level group usage.

  • Jamboard Activity Information: Tracks activities related to Jamboard devices and software.

  • Keep Notes Information: Collects notes and lists stored in Google Keep.

  • User Login Reports: Logs of user account login and logout activities, including failed and suspicious sign-ins.

  • Google Meet Meeting Reports: Participation and usage details for Google Meet meetings.

  • Mobile Usage Reports: Usage data for Google Workspace applications on mobile devices.

  • Policy and Rules Reports: Tracks policies and rules applied in Google Workspace.

  • SAML Authentication Reports: Logs of successful and failed SAML-based sign-ins.

  • Token Usage Reports: Records of OAuth token authorizations and revocations for third-party applications.

  • User Account Reports: General reports on user accounts.

  • Archive and Data Retention Reports: Insights into Google Vault usage for archiving and data retention.

Admin Data

  • Chrome OS Device Information: Management data for Chrome OS devices.

  • Mobile Device Management Information: Tracks data from mobile device management (MDM) systems.

  • Role Definition Information: Details roles and permissions within Google Workspace.

  • Role Assignment Information: Tracks roles and responsibilities assigned to users.

  • User Information: Provides detailed information about user accounts and profiles.

  • Domain Management Information: Logs of domains defined under Google Workspace.


Last updated 4 months ago