# Tornado Collectors

### **Microsoft Office 365 (O365)**

#### **Mail Data**

* **Mail Collection**: Collects users' emails, including sent, received, and stored messages, to analyze communication patterns and user preferences.

#### **Entra Data**

* **Entra Sign-In Logs**: Detailed logs of user sign-in activities, including timestamps, IP addresses, device information, and authentication status, for monitoring and analyzing access behavior.
* **Entra Audit Logs**: Records of administrative actions and configuration changes within the Microsoft Entra environment, providing insights into system modifications and security settings.

***

### **Google Workspace (GWS)**

#### **Mail Data**

* **Mail Collection**: Collects users' emails, including sent, received, and stored messages, to analyze communication patterns and preferences.
* **Email History Information**: Provides detailed records of sent and received emails.
* **Label Usage Information**: Tracks how users organize their emails using labels.
* **Email Settings Information**: Captures email account settings, including signatures, filters, and auto-responders.

{% hint style="warning" %}
**Gmail History Collection in Tornado**

When selecting **'Gmail History'** as the data type for a collection in Tornado, you’ll be required to enter **History IDs**. These are unique markers provided by Gmail that indicate the starting point for collecting changes in a mailbox.

**What Are History IDs?**

* History IDs are part of Gmail’s change tracking system, used to fetch updates like email additions, deletions, or modifications.
* They specify the point in the mailbox history from which the collection will start.

**What If I Don’t Know the History ID?**

* If you’re unsure of the History ID, Tornado won’t be able to proceed with the Gmail History collection. This is because Gmail requires a valid History ID to determine where to start collecting data.
* For most users, History IDs are not something you’ll commonly know or have readily available.

**How to Find a History ID:**

* **From Previous Collections**: Tornado logs the last History ID from completed Gmail collections. You can find this in the case details or logs.
* **Using the Gmail API**: Advanced users can query the Gmail API (e.g., `users.history.list`) to fetch the latest History ID.

**Best Practices:**

* For initial collections or if you don’t need incremental updates, consider selecting other Gmail data types, such as **'Mail Data'**, which does not require a History ID.
  {% endhint %}
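
The sketch below is an added example, not Tornado's own code: it shows how an incremental collection driven by a History ID can fold `users.history.list` response pages into a change log and the checkpoint ID for the next run. The sample pages are constructed, and `summarise_history` and `deleted_message_ids` are hypothetical helper names.

```python
# Constructed sample: two pages shaped like Gmail users.history.list responses.
SAMPLE_PAGES = [
    {
        "history": [
            {"id": "1001", "messagesAdded": [{"message": {"id": "m1"}}]},
            {"id": "1002", "labelsAdded": [
                {"message": {"id": "m1"}, "labelIds": ["TRASH"]}]},
        ],
        "nextPageToken": "constructed-token",
        "historyId": "1005",
    },
    {
        "history": [
            {"id": "1004", "messagesDeleted": [{"message": {"id": "m1"}}]},
            {"id": "1005", "messagesAdded": [{"message": {"id": "m2"}}]},
        ],
        "historyId": "1005",
    },
]

CHANGE_KEYS = ("messagesAdded", "messagesDeleted", "labelsAdded", "labelsRemoved")


def summarise_history(pages, start_history_id):
    """Flatten history pages into events; return (events, checkpoint)."""
    events = []
    checkpoint = str(start_history_id)  # unchanged if nothing happened
    for page in pages:
        # A page with no changes carries only "historyId", no "history" key.
        for record in page.get("history", []):
            for key in CHANGE_KEYS:
                for change in record.get(key, []):
                    events.append({
                        "history_id": record["id"],
                        "change": key,
                        "message_id": change["message"]["id"],
                        "labels": change.get("labelIds", []),
                    })
        checkpoint = page.get("historyId", checkpoint)
    return events, checkpoint


def deleted_message_ids(events):
    """Message IDs permanently deleted inside the collected window."""
    return sorted({e["message_id"] for e in events
                   if e["change"] == "messagesDeleted"})


if __name__ == "__main__":
    events, checkpoint = summarise_history(SAMPLE_PAGES, "1000")
    print(len(events), "events; next start History ID:", checkpoint)
    print("deleted in window:", deleted_message_ids(events))
```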

#### **Drive Activities**

* **Drive Usage Activities**: Tracks activities on Google Drive, such as file sharing, editing, and viewing history.

#### **Reports Data**

* **Access Transparency Reports**: Logs of access actions performed through Google's systems for transparency.
* **Admin Activity Reports**: Records of admin actions and activities.
* **Calendar Usage Reports**: Provides data on Google Calendar usage and event details.
* **Chat Messaging Data**: Analyzes user interactions and messaging habits in Google Chat.
* **Browser Usage Reports**: Tracks activity and usage data from the Chrome browser.
* **Context-Aware Access Reports**: Reports on conditional access settings, such as device or location-based access.
* **Data Studio Reports**: Visualizations and insights created using Google Data Studio.
* **Drive Storage Reports**: General reports on storage usage and file-sharing activities in Google Drive.
* **Google Cloud Platform Usage Reports**: Logs of usage and activity on Google Cloud Platform (GCP).
* **Google+ Usage History**: Historical data for the discontinued Google+ service.
* **Group Usage Information**: Data on usage and interactions in Google Groups.
* **Enterprise Group Usage Reports**: Advanced insights into enterprise-level group usage.
* **Jamboard Activity Information**: Tracks activities related to Jamboard devices and software.
* **Keep Notes Information**: Analyzes note-taking and list management habits in Google Keep.
* **User Login Reports**: Logs of user account login and logout activities.
* **Google Meet Meeting Reports**: Participation and usage details for Google Meet meetings.
* **Mobile Usage Reports**: Usage data for Google Workspace applications on mobile devices.
* **Policy and Rules Reports**: Tracks policies and rules applied in Google Workspace.
* **SAML Authentication Reports**: Logs of SAML-based authentication processes.
* **Token Usage Reports**: Insights into OAuth tokens and their activities.
* **User Account Reports**: General reports on user accounts.
* **Archive and Data Retention Reports**: Insights into Google Vault usage for archiving and data retention.

#### **Admin Data**

* **Chrome OS Device Information**: Management data for Chrome OS devices.
* **Mobile Device Management Information**: Tracks data from mobile device management (MDM) systems.
* **Role Definition Information**: Details roles and permissions within Google Workspace.
* **Role Assignment Information**: Tracks roles and responsibilities assigned to users.
* **User Information**: Provides detailed information about user accounts and profiles.
* **Domain Management Information**: Logs of domains defined under Google Workspace.

***
