Send Google Workspace data to Google SecOps

You can use Google Security Operations to detect insider risks in your Google Workspace by configuring your Google Workspace account to forward data to your Google SecOps instance.

This document describes how to use direct ingestion to ingest Google Workspace Activity logs (WORKSPACE_ACTIVITY) into your Google SecOps instance from the following supported Google application types:

  • Access Transparency
  • Accounts
  • Google Admin console
  • Google Calendar
  • Google Chat
  • Google Chrome
  • Classroom
  • Google Cloud
  • Access Context Manager
  • Looker Studio
  • Device
  • Google Drive
  • Gmail
  • Google Groups
  • Jamboard management
  • LDAP
  • Login
  • Google Meet
  • OAuth
  • Password Vault
  • Firewall Rules Logging
  • SAML
  • User accounts
  • Voice

You must have Google Workspace Enterprise Standard or Enterprise Plus edition to access this integration. If you don't, you can use the feed ingestion method to ingest Google Workspace Activity logs.

Before you begin

Complete the following steps before you begin:

  1. If you don't have a Google SecOps instance, create a new one. For more information, see Onboarding and migrating a Google SecOps instance.

  2. Copy your Google Workspace Customer ID from the Google Workspace Admin console.

Obtain your Google SecOps instance ID and token

To obtain your Google SecOps instance ID and token, complete the following steps from your Google SecOps account:

  1. Open your Google SecOps instance.
  2. From the navigation bar, select Settings.
  3. Click Google Workspace.
  4. Enter your Google Workspace Customer ID.
  5. Click Generate Token.
  6. Copy the token and your Google SecOps instance ID (located on the same page).

To send your Google Workspace data to your Google SecOps instance, complete the following steps from the Google Workspace Admin console:

  1. Open the Google Workspace Admin console.
  2. Click Reporting.
  3. Click Data Integrations.
  4. Select Google SecOps export, and then click Connect to Google SecOps. This opens the Connect to Google SecOps page.
  5. Paste the token copied from your Google SecOps account into the indicated field. Click Connect. Export audit data to Google SecOps should now display On. Your Google Workspace account is now linked to your Google SecOps instance and will begin sending your Google Workspace data.
  6. Click Go to Google SecOps to open your Google SecOps instance and begin to monitor your Google Workspace data from Google SecOps. For more information, see the Data Ingestion and Health dashboard.

Disconnect Google Workspace from Google SecOps

To disconnect your Google Workspace account from your Google SecOps instance, complete the following steps:

  1. Open the Google Workspace Admin console.
  2. Click Data Integrations.
  3. In the Google SecOps export panel, click Disconnect from Google SecOps. Export audit data to Google SecOps should now display Off.

What's next

The next step is to enable the Cloud Threats category rule sets, which are designed to help identify threats using Google Workspace data.
