Send Google Workspace data to Google Security Operations

You can use Google Security Operations to detect insider risks in your Google Workspace by configuring your Google Workspace account to forward data to your Google Security Operations instance.

This document describes how to use direct ingestion to ingest Google Workspace Activity logs (WORKSPACE_ACTIVITIES) into your Google Security Operations instance from the following supported Google application types:

  • Access Transparency
  • Accounts
  • Google Admin console
  • Google Calendar
  • Google Chat
  • Google Chrome
  • Classroom
  • Google Cloud
  • Access Context Manager
  • Looker Studio
  • Device
  • Google Drive
  • Gmail
  • Google Groups
  • Jamboard management
  • LDAP
  • Login
  • Google Meet
  • OAuth
  • Password Vault
  • Firewall Rules Logging
  • SAML
  • User accounts
  • Voice

You must have Google Workspace Enterprise Standard or Enterprise Plus edition to access this integration. If you don't, you can use the feed ingestion method to ingest Google Workspace Activity logs.

Before you begin

Complete the following steps before you begin:

  1. If you don't have a Google Security Operations instance, create a new one. For more information, see Onboarding and migrating a Google Security Operations instance.

  2. Copy your Google Workspace Customer ID from the Google Workspace Admin console.

Obtain your Google Security Operations instance ID and token

To obtain your Google Security Operations instance ID and token, complete the following steps from your Google Security Operations account:

  1. Open your Google Security Operations instance.
  2. From the navigation bar, select Settings.
  3. Click Google Workspace.
  4. Enter your Google Workspace Customer ID.
  5. Click Generate Token.
  6. Copy the token and your Google Security Operations instance ID (located on the same page).

To send your Google Workspace data to your Google Security Operations instance, complete the following steps from the Google Workspace Admin console:

  1. Open the Google Workspace Admin console.
  2. Click Reporting.
  3. Click Data Integrations.
  4. Select Google Security Operations export, and then click Connect to Google Security Operations. This opens the Connect to Google Security Operations page.
  5. Paste the token copied from your Google Security Operations account into the indicated field. Click Connect. Export audit data to Google Security Operations should now display On. Your Google Workspace account is now linked to your Google Security Operations instance and will begin sending your Google Workspace data.
  6. Click Go to Google Security Operations to open your Google Security Operations instance and begin to monitor your Google Workspace data from Google Security Operations. For more information, see the Data Ingestion and Health dashboard.

Disconnect Google Workspace from Google Security Operations

To disconnect your Google Workspace account from your Google Security Operations instance, complete the following steps:

  1. Open the Google Workspace Admin console.
  2. Click Data Integrations.
  3. In the Google Security Operations export panel, click Disconnect from Google Security Operations. Export audit data to Google Security Operations should now display Off.

What's next

The next step is to enable the Cloud Threats category rule sets designed to help identify threats using Google Workspace data.