Send Google Workspace data to Chronicle

You can use Chronicle to detect insider risks in Google Workspace by configuring your Google Workspace account to forward data to a Chronicle instance.

Only Google Workspace Activities (WORKSPACE_ACTIVITY) logs can be ingested into your Chronicle instance through this integration. Chronicle does allow ingestion of other kinds of Google Workspace data (such as WORKSPACE_USERS and WORKSPACE_GROUPS) using other ingestion methods (for example, Feed Management). For more information, see Configure a feed in Chronicle to ingest Google Workspace logs.

You must have Google Workspace Enterprise Standard or Enterprise Plus edition to access this integration. If you don't, you can use the feed ingestion method to ingest Google Workspace Activity logs.

Chronicle ingests Google Workspace logs from the following Google applications:

  • Access Transparency
  • Accounts
  • Google Admin console
  • Google Calendar
  • Google Chat
  • Google Chrome
  • Classroom
  • Google Cloud
  • Access Context Manager
  • Looker Studio
  • Device
  • Google Drive
  • Gmail
  • Google Groups
  • Jamboard management
  • LDAP
  • Login
  • Google Meet
  • OAuth
  • Password Vault
  • Firewall Rules Logging
  • SAML
  • User accounts
  • Voice

Before you begin

Complete the following steps before you begin:

  1. If you don't have a Chronicle instance, create a new one. For more information, see Onboarding and migrating a Chronicle instance.

  2. Copy your Google Workspace Customer ID from the Google Workspace Admin console.

Obtain your Chronicle instance ID and token

To obtain your Chronicle instance ID and token, complete the following steps from your Chronicle account:

  1. Open your Chronicle instance.
  2. From the navigation bar, select Settings.
  3. Click Google Workspace.
  4. Enter your Google Workspace Customer ID.
  5. Click Generate Token.
  6. Copy the token and your Chronicle instance ID (located on the same page).

To send your Google Workspace data to your Chronicle instance, complete the following steps from the Google Workspace Admin console:

  1. Open the Google Workspace Admin console.
  2. Click Reporting.
  3. Click Data Integrations.
  4. Select Chronicle export, and then click Connect to Chronicle. This opens the Connect to Chronicle page.
  5. Paste the token copied from your Chronicle account into the indicated field. Click Connect. Export audit data to Chronicle should now display On. Your Google Workspace account is now linked to your Chronicle instance and will begin sending your Google Workspace data.
  6. Click Go to Chronicle to open your Chronicle instance and begin to monitor your Google Workspace data from Chronicle. For more information, see the Data Ingestion and Health dashboard.

Disconnect Google Workspace from Chronicle

To disconnect your Google Workspace account from your Chronicle instance, complete the following steps:

  1. Open the Google Workspace Admin console.
  2. Click Data Integrations.
  3. In the Chronicle export panel, click Disconnect from Chronicle. Export audit data to Chronicle should now display Off.

What's next

The next step is to enable the Cloud Threats category rule sets, which are designed to help identify threats using Google Workspace data.