# Google Workspace Activity

### Step 1: Create a New Source

In the Scanner UI, go to the Collect tab.

* From the Overview page, click the '+' icon in the upper right corner.
* Select create new **Collect Rule**.
* Choose **Google Workspace**.
* Choose the specific **Activity** log type (the instructions below apply to all log types).

Click Continue.

### Step 2: Configure the Source

Set a Display Name, such as `my-google-workspace-activity-logs`.

Click Next.

### Step 3: Authenticate with Google Workspace

* If you’ve previously created a Google Workspace connection, select it from the list.
* Otherwise, select **New Google Workspace Connection** and fill in the required fields:
  * Connection Name: Give the connection a recognizable name.
  * Service Account Subject Email: e.g. `johndoe@yourcompany.com`
  * Service Account Key JSON

To create the service account and the service account key JSON:

* [Follow these instructions](https://developers.google.com/workspace/guides/create-credentials#service-account)
* **Domain-wide delegation** must be enabled for the service account
* The [Admin SDK API](https://developers.google.com/workspace/guides/enable-apis#admin-sdk-api) must be enabled on the Google Cloud project
* The service account subject email is the email of **the user who created the service account**. It is NOT the service account email ending in `@my-project.iam.gserviceaccount.com`. The service account impersonates this user when polling from the API.
* The service account must have the following [authorization scopes](https://developers.google.com/workspace/guides/configure-oauth-consent):\
  `https://www.googleapis.com/auth/admin.reports.audit.readonly`\
  `https://www.googleapis.com/auth/admin.reports.usage.readonly`
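Before pasting the values into the connection form, you can sanity-check them offline. The following is an added example, not Scanner's own code: `preflight`, `KEY_FIELDS` and the `delegated_scopes` argument (the scopes you entered when setting up domain-wide delegation) are hypothetical names, and the sample key is constructed with placeholder values.

```python
import json

# Scopes this page requires for the service account.
REQUIRED_SCOPES = {
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/admin.reports.usage.readonly",
}
# Fields a Google service account key file carries that a client needs to sign in.
KEY_FIELDS = ("private_key", "client_email", "client_id", "token_uri")


def preflight(key_json, subject_email, delegated_scopes):
    """Return a list of problems; an empty list means the inputs are consistent."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"key is not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["key JSON must be an object"]
    problems = []
    if key.get("type") != "service_account":
        problems.append("key 'type' is not 'service_account'")
    problems += [f"key is missing '{f}'" for f in KEY_FIELDS if not key.get(f)]
    pem = str(key.get("private_key") or "")
    if pem and not pem.startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM-encoded key")
    subject = subject_email.strip().lower()
    if subject.count("@") != 1:
        problems.append("subject is not an email address")
    elif subject.endswith(".gserviceaccount.com"):
        problems.append("subject is a service account address, not a Workspace user")
    missing = REQUIRED_SCOPES - set(delegated_scopes)
    problems += [f"scope not delegated: {s}" for s in sorted(missing)]
    return problems


# Constructed sample key: placeholder values only, not a usable credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "scanner@my-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    for line in preflight(SAMPLE_KEY, "johndoe@yourcompany.com", REQUIRED_SCOPES) or ["ok"]:
        print(line)
```

The check is purely local: it does not contact Google, so it cannot confirm that delegation is actually enabled or that the Admin SDK API is turned on for the project.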

Click Next.

### Step 4: Configure the Destination

* Choose the S3 Bucket where the raw Google Workspace logs should be stored.
* (Optional) Enter a Key Prefix to organize the data path in your bucket.
* Choose the Scanner Index where logs will be made searchable.
* Leave the Source Label as `google_workspace:activities:<activity_type>`.

Click Next.

### Step 5: Transform and Enrich

* Keep the default `Unroll Array` and `Normalize to ECS` transformation steps.
* (Optional) Add additional transformation or enrichment steps if needed.

Click Next.

### Step 6: Timestamp Extraction

Leave the default setting: Extract timestamp from field `id.time`.

This field is included in every Google Workspace activity log and reflects when the event occurred.

Click Next.

### Step 7: Review and Create

* Review all configuration settings.
* Click **Create Source**.

### What Happens Next

Once created:

* Scanner will poll the Google Workspace Admin SDK API every **5 minutes**.
* New events will be written to your S3 bucket, under the specified key prefix.
* Logs will then be indexed for search and detections using your selected Scanner index.
