You can use Google Security Operations to detect insider
risks in your Google Workspace by configuring your Google Workspace account
to forward data to your Google SecOps instance.
This document describes how to use direct ingestion to ingest Google Workspace Activity
logs (WORKSPACE_ACTIVITY) into your Google SecOps instance
from the following supported Google application types:
Copy your Google Workspace Customer ID from the Google Workspace Admin
console.
Obtain your Google SecOps instance ID and token
To obtain your Google SecOps instance ID and token, complete the following
steps from your Google SecOps account:
Open your Google SecOps instance.
From the navigation bar, select Settings.
Click Google Workspace.
Enter your Google Workspace Customer ID.
Click Generate Token.
Copy the token and your Google SecOps instance ID (located on the same
page).
Link Google Workspace to your Google SecOps instance
To send your Google Workspace data to your Google SecOps instance,
complete the following steps from the Google Workspace Admin console:
Open the Google Workspace Admin console.
Click Reporting.
Click Data Integrations.
Select Google SecOps export, and then click Connect to
Google SecOps. This opens the Connect to Google SecOps page.
Paste the token copied from your Google SecOps account into the
indicated field. Click Connect. Export audit data to Google SecOps
should now display On. Your Google Workspace account is now linked to
your Google SecOps instance and will begin sending your
Google Workspace data.
Click Go to Google SecOps to open your Google SecOps instance
and begin to monitor your Google Workspace data from Google SecOps. For more
information, see the Data Ingestion and Health dashboard.
Disconnect Google Workspace from Google SecOps
To disconnect your Google Workspace account from your Google SecOps
instance, complete the following steps:
Open the Google Workspace Admin console.
Click Data Integrations.
In the Google SecOps export panel, click Disconnect from Google SecOps.
Export audit data to Google SecOps should now display Off.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["Send Google Workspace data to Google SecOps \nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n\nYou can use Google Security Operations to detect insider\nrisks in your Google Workspace by configuring your Google Workspace account\nto forward data to your Google SecOps instance.\n\nThis document describes how to use *direct ingestion* to ingest Google Workspace Activity\nlogs (`WORKSPACE_ACTIVITY`) into your Google SecOps instance\nfrom the following supported Google application types:\n\n- Access Transparency\n- Accounts\n- Google Admin console\n- Google Calendar\n- Google Chat\n- Google Chrome\n- Classroom\n- Google Cloud\n- Access Context Manager\n- Looker Studio\n- Device\n- Google Drive\n- Gmail\n- Google Groups\n- Jamboard management\n- LDAP\n- Login\n- Google Meet\n- OAuth\n- Password Vault\n- Firewall Rules Logging\n- SAML\n- User accounts\n- Voice\n\n| **Note:** *Direct ingestion* collects a wider range of workspace data compared to [*other feed methods*](/chronicle/docs/administration/feed-management). For example, other feed methods cannot ingest `gmail` application logs. \n| However, you can still use these *other feed methods* to ingest subsets of Google Workspace data, for example, to ingest `WORKSPACE_USERS` and `WORKSPACE_GROUPS` into your Google SecOps instance. For more information, see [Configure a feed in Google SecOps to ingest\n| Google Workspace logs](/chronicle/docs/ingestion/default-parsers/collect-workspace-logs#configure_a_feed_in_to_ingest_logs).\n\nBefore you begin\n\nComplete the following steps before you begin:\n\n1. If you don't have a Google SecOps instance, create a new one. For more\n information, see [Onboarding and migrating a Google SecOps\n instance](/chronicle/docs/onboard).\n\n2. Copy your Google Workspace Customer ID from the Google Workspace Admin\n console.\n\nObtain your Google SecOps instance ID and token\n\nTo obtain your Google SecOps instance ID and token, complete the following\nsteps from your Google SecOps account:\n\n1. Open your Google SecOps instance.\n2. From the navigation bar, select **Settings**.\n3. Click **Google Workspace**.\n4. Enter your Google Workspace Customer ID.\n5. Click **Generate Token**.\n6. Copy the token and your Google SecOps instance ID (located on the same page).\n\nLink Google Workspace to your Google SecOps instance\n\nTo send your Google Workspace data to your Google SecOps instance,\ncomplete the following steps from the Google Workspace Admin console:\n\n1. Open the Google Workspace Admin console.\n2. Click **Reporting**.\n3. Click **Data Integrations**.\n4. Select **Google SecOps export** , and then click **Connect to\n Google SecOps** . This opens the **Connect to Google SecOps** page.\n5. Paste the token copied from your Google SecOps account into the indicated field. Click **Connect** . Export audit data to Google SecOps should now display *On*. Your Google Workspace account is now linked to your Google SecOps instance and will begin sending your Google Workspace data.\n6. Click **Go to Google SecOps** to open your Google SecOps instance and begin to monitor your Google Workspace data from Google SecOps. For more information, see the [Data Ingestion and Health dashboard](/chronicle/docs/investigation/dashboards-user-guide#data_ingestion_and_health).\n\nDisconnect Google Workspace from Google SecOps\n\nTo disconnect your Google Workspace account from your Google SecOps\ninstance, complete the following steps:\n\n1. Open the Google Workspace Admin console.\n2. Click **Data Integrations**.\n3. In the **Google SecOps export** panel, click **Disconnect from Google SecOps** . **Export audit data to Google SecOps** should now display *Off*.\n\nWhat's next\n\nThe next step is to enable the [Cloud Threats category rules\nsets](/chronicle/docs/detection/cloud-threats-category)\ndesigned to help identify threats using Google Workspace data.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
