Send Google Workspace data to Google Security Operations

You can use Google Security Operations to detect insider risks in Google Workspace by configuring your Google Workspace account to forward data to a Google Security Operations instance.

With this integration, only Google Workspace Activities (WORKSPACE_ACTIVITY) logs can be ingested into your Google Security Operations instance. Other kinds of Google Workspace data (such as WORKSPACE_USERS and WORKSPACE_GROUPS) can be ingested using other ingestion methods (for example, Feed Management). For more information, see Configure a feed in Google Security Operations to ingest Google Workspace logs.

You must have Google Workspace Enterprise Standard or Enterprise Plus edition to access this integration. If you don't, you can use the feed ingestion method to ingest Google Workspace Activity logs.

Google Security Operations ingests Google Workspace logs from the following Google applications:

  • Access Transparency
  • Accounts
  • Google Admin console
  • Google Calendar
  • Google Chat
  • Google Chrome
  • Classroom
  • Google Cloud
  • Access Context Manager
  • Looker Studio
  • Device
  • Google Drive
  • Gmail
  • Google Groups
  • Jamboard management
  • LDAP
  • Login
  • Google Meet
  • OAuth
  • Password Vault
  • Firewall Rules Logging
  • SAML
  • User accounts
  • Voice

Before you begin

Complete the following steps before you begin:

  1. If you don't have a Google Security Operations instance, create a new one. For more information, see Onboarding and migrating a Google Security Operations instance.

  2. Copy your Google Workspace Customer ID from the Google Workspace Admin console.

Obtain your Google Security Operations instance ID and token

To obtain your Google Security Operations instance ID and token, complete the following steps from your Google Security Operations account:

  1. Open your Google Security Operations instance.
  2. From the navigation bar, select Settings.
  3. Click Google Workspace.
  4. Enter your Google Workspace Customer ID.
  5. Click Generate Token.
  6. Copy the token and your Google Security Operations instance ID (located on the same page).

To send your Google Workspace data to your Google Security Operations instance, complete the following steps from the Google Workspace Admin console:

  1. Open the Google Workspace Admin console.
  2. Click Reporting.
  3. Click Data Integrations.
  4. Select Chronicle export, and then click Connect to Chronicle. This opens the Connect to Chronicle page.
  5. Paste the token copied from your Google Security Operations account into the indicated field. Click Connect. The "Export audit data to Google Security Operations" setting should now display On. Your Google Workspace account is now linked to your Google Security Operations instance and will begin sending your Google Workspace data.
  6. Click Go to Chronicle to open your Google Security Operations instance and begin to monitor your Google Workspace data from Google Security Operations. For more information, see the Data Ingestion and Health dashboard.

Disconnect Google Workspace from Google Security Operations

To disconnect your Google Workspace account from your Google Security Operations instance, complete the following steps:

  1. Open the Google Workspace Admin console.
  2. Click Data Integrations.
  3. In the Chronicle export panel, click Disconnect from Chronicle. The "Export audit data to Chronicle" setting should now display Off.

What's next

The next step is to enable the Cloud Threats category rule sets, which are designed to help identify threats using Google Workspace data.