Google Workspace Activity

In the Scanner UI, go to the Collect tab.

Click Create New Source.
Click Select a Source Type.
Choose Google Workspace.
Choose the specific Activity log type (the instructions below apply to all log types).

You’ll be prompted to choose an Ingest Method:

Click Next.

Set a Display Name, such as my-google-workspace-activity-logs.

Click Next.

If you’ve previously created an Google Workspace connection, select it from the list.
Otherwise, select New Google Workspace Connection and fill in the required fields:
- Connection Name: Give the connection a recognizable name.
- Service Account Subject Email: e.g. [email protected]
- Service Account Key JSON

To create the service account and the service account key JSON:

Follow these instructions
Domain-wide delegation must be enabled for the service account
The Admin SDK API must be enabled on the Google Cloud project
The service account subject email is the email of the user who created the service account. It is NOT the service account email ending in @my-project.iam.gserviceaccount.com. The service account impersonates this user when polling from the API.
The service account must have the following authorization scopes: https://www.googleapis.com/auth/admin.reports.audit.readonly https://www.googleapis.com/auth/admin.reports.usage.readonly

Click Next.

Click Next.

Click Next.

Leave the default setting: Extract timestamp from field id.time.

This field is included in every Google Workspace activity log and reflects when the event occurred.

Click Next.

Once created:

Scanner will poll the Google Workspace Admin SDK API every 5 minutes.
New events will be written to your S3 bucket, under the specified key prefix.
Logs will then be indexed for search and detections using your selected Scanner index.

Last updated 1 day ago

Was this helpful?