
Release history for the Splunk Add-on for Google Workspace

The latest version of the Splunk Add-on for Google Workspace is version 2.7.0. See Release notes for the Splunk Add-on for Google Workspace for release notes of this latest version.

Version 2.6.3

Version 2.6.3 of the Splunk Add-on for Google Workspace was released on February 7, 2024.

About this release

Version 2.6.3 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 8.2.x and 9.0.x
CIM: 4.20, 5.0
Platforms: Platform independent
Vendor products: Google Workspace Enterprise Plus

New features

Version 2.6.3 of the Splunk Add-on for Google Workspace has the following new features.

  • Fixed the BigQuery query used by the Gmail Logs input, which caused excessive data scanning.

Fixed issues

Version 2.6.3 of the Splunk Add-on for Google Workspace fixes the following issues. If no issues appear below, no issues have yet been fixed.

| Date resolved | Issue number | Description |
|---|---|---|
| 2024-02-05 | ADDON-64975 | Gmail Logs Input - Inefficient Big Query used that results to excessive data scanning |

Known issues

Version 2.6.3 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.


Third-party software attributions

Version 2.6.3 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

Third-party software attributions for the Splunk Add-on for Google Workspace


Version 2.6.2

Version 2.6.2 of the Splunk Add-on for Google Workspace was released on January 22, 2024.

About this release

Version 2.6.2 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 8.2.x and 9.0.x
CIM: 4.20, 5.0
Platforms: Platform independent
Vendor products: Google Workspace Enterprise Plus

New features

Version 2.6.2 of the Splunk Add-on for Google Workspace has the following new features.

  • Fixed a security vulnerability in urllib3 by upgrading it from version 1.26.14 to 1.26.18.

Fixed issues

Version 2.6.2 of the Splunk Add-on for Google Workspace fixes the following issues. If no issues appear below, no issues have yet been fixed.


Known issues

Version 2.6.2 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.

| Date filed | Issue number | Description |
|---|---|---|
| 2023-09-12 | ADDON-64975 | Gmail Logs Input - Inefficient Big Query used that results to excessive data scanning |

Third-party software attributions

Version 2.6.2 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

Third-party software attributions for the Splunk Add-on for Google Workspace

Version 2.6.0

Version 2.6.0 of the Splunk Add-on for Google Workspace was released on TBD.

About this release

Version 2.6.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 8.2.x and 9.0.x
CIM: 4.20, 5.0
Platforms: Platform independent
Vendor products: Google Workspace Enterprise Plus

New features

Version 2.6.0 of the Splunk Add-on for Google Workspace has the following new features.

  • Checkpoints for "Activity report" modular inputs are migrated to the KVStore. The migration runs automatically during the first modular input run after you update to version 2.6.0 of the add-on. If you were experiencing issues with the "Activity report" modular input in Splunk Cloud, remove all your inputs, update the add-on, and recreate the inputs.
  • The "Activity report" modular input was redesigned to support higher data ingestion volumes.
  • A new "Advanced Settings" configuration tab provides control over the speed of data collection. Currently it exposes one parameter, "Activity report interval size". By default, the add-on creates 5 threads to collect the data. This is sufficient for most use cases, as one configured modular input can bring in around 120,000 events per minute.

Do not configure more than one modular input with the same "Application Name" and the same "Service Account to use", as this results in duplicated data.

  • To see how many events (per 20 seconds) a particular modular input is bringing in, run this search:

```
index=_internal source=*<modular-input-name>* "Total split events ingested"
```

  • To see the average number of events (per 20 seconds) a particular modular input is bringing in, run this search:

```
index=_internal source=*<modular-input-name>* "Total split events ingested" | rex field=_raw "Total split events ingested: (?<n_events>.*)$" | stats avg(n_events)
```

  • If the number is less than 40000, you can use the default advanced configuration.
  • If you notice a delay in your data collection, change "Activity report interval size" to 2 and save the changes. On the next run of the modular input there will be 10 threads collecting data, increasing collection speed further. Note: a smaller interval size requires more resources.
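As an added example (not part of the add-on or of this page), the following Python script applies the same "Total split events ingested" extraction offline to a few constructed `_internal` log lines and reports whether the average per 20-second window sits below the 40000 figure quoted above. The log line layout, the sample counts, and the use of 40000 as a decision threshold are this example's assumptions.

```python
import re
import statistics

# Same message text the searches above key on; the number after the colon is the
# count of events the input ingested for one 20-second window.
INGESTED_RE = re.compile(r"Total split events ingested: (?P<n_events>\d+)")

# Figure quoted on this page: below 40000 events per window the default
# advanced configuration (interval size 1, 5 threads) is sufficient.
DEFAULT_THRESHOLD = 40000

# Constructed sample lines: timestamps, pid and message prefix are made up and
# only mimic the shape of a modular input's log in _internal.
SAMPLE_LINES = [
    "02-07-2024 10:00:20.001 +0000 INFO pid=4242 Total split events ingested: 38000",
    "02-07-2024 10:00:40.002 +0000 INFO pid=4242 Total split events ingested: 41000",
    "02-07-2024 10:00:41.000 +0000 INFO pid=4242 Checkpoint saved",  # unrelated line
    "02-07-2024 10:01:00.003 +0000 INFO pid=4242 Total split events ingested: 44000",
]

LOW_SAMPLE_LINES = [
    "02-07-2024 11:00:20.001 +0000 INFO pid=4243 Total split events ingested: 12000",
    "02-07-2024 11:00:40.002 +0000 INFO pid=4243 Total split events ingested: 9000",
]


def events_per_window(lines):
    """Extract the per-window counts; lines without the message are ignored."""
    counts = []
    for line in lines:
        match = INGESTED_RE.search(line)
        if match:
            counts.append(int(match.group("n_events")))
    return counts


def average_events(lines):
    """Mirror of `stats avg(n_events)`; 0.0 when no matching line was seen."""
    counts = events_per_window(lines)
    if not counts:
        return 0.0
    return statistics.fmean(counts)


def exceeds_default_capacity(lines, threshold=DEFAULT_THRESHOLD):
    """True when the input averages at or above the threshold per window, i.e.
    the point at which the page no longer recommends the default configuration."""
    return average_events(lines) >= threshold


if __name__ == "__main__":
    for label, lines in (("busy input", SAMPLE_LINES), ("quiet input", LOW_SAMPLE_LINES)):
        print(f"{label}: avg {average_events(lines):.0f} events per window, "
              f"above default capacity: {exceeds_default_capacity(lines)}")
```

Run the script against lines copied out of a search result, or feed it a file; only the regular expression couples it to the add-on's message text.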

Fixed issues

Version 2.6.0 of the Splunk Add-on for Google Workspace fixes the following issues. If no issues appear below, no issues have yet been fixed.

| Date resolved | Issue number | Description |
|---|---|---|
| 2023-07-31 | ADDON-61198 | GWS Activity report: not currently supporting clustering environment |

Known issues

Version 2.6.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.

| Date filed | Issue number | Description |
|---|---|---|
| 2023-09-12 | ADDON-64975 | Gmail Logs Input - Inefficient Big Query used that results to excessive data scanning |

Third-party software attributions

Version 2.6.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

Third-party software attributions for the Splunk Add-on for Google Workspace


Version 2.5.1

Version 2.5.1 of the Splunk Add-on for Google Workspace was released on April 28, 2023.

About this release

Version 2.5.1 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 8.1.x, 8.2.x, and 9.0.x
CIM: 4.20, 5.0
Platforms: Platform independent
Vendor products: Google Workspace Enterprise Plus

New features

Version 2.5.1 of the Splunk Add-on for Google Workspace has the following new features.

  • Introduces support for the application name "rules" in the "Activity report" modular input.
  • Fixes issues found in the "Alert Center" modular input.
  • Optimizes parts of the data collection for the "Activity report" modular input.

Fixed issues

Version 2.5.1 of the Splunk Add-on for Google Workspace fixes the following issues. If no issues appear below, no issues have yet been fixed.

| Date resolved | Issue number | Description |
|---|---|---|
| 2023-05-04 | ADDON-61892 | GWS Alert Center: 'Gmail Phishing' source inputs not working as expected |

Known issues

Version 2.5.1 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.

| Date filed | Issue number | Description |
|---|---|---|
| 2023-03-06 | ADDON-61198 | GWS Activity report: not currently supporting clustering environment |

Third-party software attributions

Version 2.5.1 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

Third-party software attributions for the Splunk Add-on for Google Workspace


Version 2.5.0

Version 2.5.0 of the Splunk Add-on for Google Workspace was released on April 3, 2023.

About this release

Version 2.5.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 8.1.x, 8.2.x, and 9.0.x
CIM: 4.20, 5.0
Platforms: Platform independent
Vendor products: Google Workspace Enterprise Plus

New features

Version 2.5.0 of the Splunk Add-on for Google Workspace has the following new features.

  • Introduced Alert Center, a modular input for collecting data from Google Workspace. Use a separate service account for this modular input, because it requires a different API scope.
  • Both the Gmail Logs and Gmail Logs Migrated inputs received an updated checkpointing strategy, which fixes an issue where data ingestion was delayed by overly frequent checkpoint saving.

Fixed issues

Version 2.5.0 of the Splunk Add-on for Google Workspace fixes the following issues. If no issues appear below, no issues have yet been fixed.


Known issues

Version 2.5.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.

| Date filed | Issue number | Description |
|---|---|---|
| 2023-04-19 | ADDON-61892 | GWS Alert Center: 'Gmail Phishing' source inputs not working as expected |
| 2023-03-06 | ADDON-61198 | GWS Activity report: not currently supporting clustering environment |

Third-party software attributions

Version 2.5.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

Third-party software attributions for the Splunk Add-on for Google Workspace

Version 2.4.1

Version 2.4.1 of the Splunk Add-on for Google Workspace was released on December 9, 2022.

About this release

Version 2.4.1 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 8.1.x, 8.2.x, and 9.0.x
CIM: 4.20, 5.0
Platforms: Platform independent
Vendor products: Google Workspace Enterprise Plus

New features

Version 2.4.1 of the Splunk Add-on for Google Workspace includes a new modular input option for customers who migrated from Gmail logs in BigQuery to Google Workspace logs and reports in BigQuery. This modular input is called Gmail Logs Migrated and has all of the same parameters as the Gmail Logs modular input. The format of the log has not changed after the migration, and there are no changes needed with regards to Common Information Model (CIM) field mappings for the migrated data. For more information, see the Gmail logs in BigQuery topic in the Google Workspace Admin Help portal, and the Google Workspace logs and reports in BigQuery topic in the Google Workspace Admin Help portal.

  • Added multiple domain support for Google Workspace data ingestion.
  • Added support for the Asset and Identity framework in Splunk Enterprise Security.
  • Implemented gzip compression for the Activity report modular input. Gzip compression should improve the network latency for requests, but will increase the CPU consumption for your input.
  • UI label and help text feature enhancements.
  • The checkpoint (file-based for Activity report or KVStore-based for Gmail Logs) will be deleted if a corresponding input is deleted.
  • Custom dataset location for Gmail Logs input is supported (US or EU options are available). If you update from the previous version of the add-on, the US location will be used as the default setting (this setting can be changed in the input).
  • The query for Gmail Logs input was improved to reduce the cost for running each query.

Fixed issues

Version 2.4.1 of the Splunk Add-on for Google Workspace fixes the following issues:


Known issues

Version 2.4.1 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:

| Date filed | Issue number | Description |
|---|---|---|
| 2023-03-06 | ADDON-61198 | GWS Activity report: not currently supporting clustering environment |

Third-party software attributions

Version 2.4.1 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

Third-party software attributions for the Splunk Add-on for Google Workspace

Version 2.4.0

Version 2.4.0 of the Splunk Add-on for Google Workspace was released on October 27, 2022.

About this release

Version 2.4.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 8.1.x, 8.2.x, and 9.0.x
CIM: 4.20, 5.0
Platforms: Platform independent
Vendor products: Google Workspace Enterprise Plus

New features

  • Added multiple domain support for Google Workspace data ingestion.
  • Added support for the Asset and Identity framework in Splunk Enterprise Security.
  • Implemented gzip compression for the Activity report modular input. Gzip compression should improve the network latency for requests, but will increase the CPU consumption for your input.
  • UI label and help text feature enhancements.
  • The checkpoint (file-based for Activity report or KVStore-based for Gmail Logs) will be deleted if a corresponding input is deleted.
  • Custom dataset location for Gmail Logs input is supported (US or EU options are available). If you update from the previous version of the add-on, the US location will be used as the default setting (this setting can be changed in the input).
  • The query for Gmail Logs input was improved to reduce the cost for running each query.

Fixed issues

Version 2.4.0 of the Splunk Add-on for Google Workspace fixes the following issues:


Known issues

Version 2.4.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:


Third-party software attributions

Version 2.4.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

Third-party software attributions for the Splunk Add-on for Google Workspace

Version 2.3.0

Version 2.3.0 of the Splunk Add-on for Google Workspace was released on August 23, 2022.

About this release

Version 2.3.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 8.1.x, 8.2.x, and 9.0.x
CIM: 4.20
Platforms: Platform independent
Vendor products: Google Workspace Enterprise Plus

New features

"Activity" input changes

  • Improved the way non-ASCII characters are ingested into Splunk. Before this update, if your event contained a non-ASCII string (for example "こんにちは世界", which is "Hello World" in Japanese), it appeared in the raw event as an escaped Unicode sequence ("\u3053\u3093\u306b\u3061\u306f\u4e16\u754c"). This made it difficult to search for the exact word with an SPL search. With version 2.3.0, the raw event contains the string "こんにちは世界" itself, so SPL searches for it now work.
  • The interval for the "Activity" input now has low and high boundaries of 20 seconds and 3600 seconds respectively. This limit applies only to new inputs. Inputs created before version 2.3.0 continue to work as before.
  • The "Activity report" input is enhanced to improve its reliability, especially for large environments. This release completely redesigns how the data is gathered, including better error handling and ingestion, and resolves past issues that occurred in larger environments.
  • The add-on now collects data in 20-second chunks, ingests that data into Splunk, and only then moves the checkpoint. This makes collection more resilient to network issues that occur mid-run, because an unacknowledged chunk is fetched again rather than skipped.
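The difference between the escaped and the literal form of a non-ASCII value, as an added example that is not the add-on's code: Python's `json.dumps` escapes non-ASCII characters by default, which is exactly the `\u3053...` form described above, and `ensure_ascii=False` keeps the characters so a literal search term matches. The activity record below is constructed for the example.

```python
import json

# Constructed activity fragment carrying a Japanese document title (not real output).
SAMPLE_EVENT = {
    "kind": "admin#reports#activity",
    "etag": "etag-constructed",
    "events": [{
        "type": "access",
        "name": "edit",
        "parameters": [{"name": "doc_title", "value": "こんにちは世界"}],
    }],
}

HELLO_WORLD = "こんにちは世界"


def serialize_escaped(event):
    """Pre-2.3.0 behaviour: json.dumps escapes every non-ASCII code point to \\uXXXX."""
    return json.dumps(event)


def serialize_raw(event):
    """2.3.0 behaviour: emit the characters themselves so the raw event is searchable."""
    return json.dumps(event, ensure_ascii=False)


def search_term_for(word, escaped):
    """The literal a search would have to contain to hit `word` in each raw-event form."""
    if not escaped:
        return word
    return json.dumps(word)[1:-1]  # drop the surrounding quotes, keep the \uXXXX escapes


def matches_literal(raw_event, term):
    """Stand-in for an SPL keyword search over _raw: plain substring match."""
    return term in raw_event


def round_trips(raw_event):
    """Both forms decode to the same object; only the on-disk text differs."""
    return json.loads(raw_event) == SAMPLE_EVENT


if __name__ == "__main__":
    for label, text in (("escaped", serialize_escaped(SAMPLE_EVENT)),
                        ("raw", serialize_raw(SAMPLE_EVENT))):
        print(f"{label}: contains literal {HELLO_WORLD!r}: {matches_literal(text, HELLO_WORLD)}")
```

The `search_term_for` helper shows the practical cost of the old form: to find the word in an escaped event you must type the seven `\uXXXX` sequences rather than the word, and any saved search or correlation rule written that way breaks once the input starts emitting the literal characters.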

"Gmail Logs" input changes

  • Proxy handling for "Gmail Logs" input is improved and additional environment variables are set before making requests to Google BigQuery API (HTTP_PROXY, https_proxy and http_proxy).
  • A "Dataset name" option was added to the "Gmail Logs" input. It lets you specify a custom BigQuery dataset name when you export Gmail logs to BigQuery. The default value is gmail_logs_dataset. All "Gmail Logs" inputs created in previous releases still work, but you should set the input's "dataset_name" field to the default value ("gmail_logs_dataset").

General changes

Proxy handling for both the "Activity" and "Gmail Logs" inputs was changed. Previously, when you enabled and configured a proxy in the "Configuration" tab, the Python code for the modular inputs made HTTPS requests through https://<your-configured-proxy> (specified as username:password@ip:port). With version 2.3.0, both HTTP and HTTPS requests go through http://<your-configured-proxy>. This brings the proxy configuration in line with other Splunk-supported add-ons.

Fixed issues

Version 2.3.0 of the Splunk Add-on for Google Workspace fixes the following issues:


| Date resolved | Issue number | Description |
|---|---|---|
| 2023-03-21 | ADDON-50955 | Splunk Add-on for Google Workspace - 401 Client error |

Known issues

Version 2.3.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:


Third-party software attributions

Version 2.3.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

Third-party software attributions for the Splunk Add-on for Google Workspace

Version 2.2.0

Version 2.2.0 of the Splunk Add-on for Google Workspace was released on June 1, 2022.

About this release

Version 2.2.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 8.1.x, 8.2.x, and 9.0.x
CIM: 4.20
Platforms: Platform independent
Vendor products: Google Workspace Enterprise Plus

New features

Version 2.2.0 of the Splunk Add-on for Google Workspace contains the following new features.

  • Added the following new sourcetypes and CIM mapping support for their event names:
    • gws:reports:calendar, event names:
      • change_calendar_acls
      • create_calendar
      • delete_calendar
      • create_event
      • delete_event
      • add_event_guest
      • change_event
      • restore_event
    • gws:reports:context_aware_access, event names:
      • ACCESS_DENY_EVENT
  • Updated existing sourcetypes and added CIM mapping support for the following event names:
    • gws:reports:groups_enterprise, event names:
      • invite_member
    • gws:reports:admin, event names:
      • CREATE_CALENDAR_RESOURCE
      • UPDATE_CALENDAR_RESOURCE
      • CHANGE_FIRST_NAME
      • CHANGE_LAST_NAME
      • CHANGE_USER_LOCATION
      • RESET_SIGNIN_COOKIES
      • DELETE_GMAIL_SETTING
      • DELETE_ROLE
      • REMOVE_PRIVILEGE
      • RENAME_ROLE
      • UNASSIGN_ROLE
      • DISALLOW_SERVICE_FOR_OAUTH2_ACCESS
      • ORG_LICENSE_REVOKE
      • USER_LICENSE_ASSIGNMENT

Token expiration fix
When an activity report run lasted longer than 1 hour, the add-on received a 401 status code on its next request to the Google Workspace API. One scenario that can lead to this is an input that was enabled, stopped for a while, and then re-enabled: the activity report input then gathers all the data for the gap (from when the input stopped until it was re-enabled), and the amount of data to pull was too large to collect within the 1-hour API token expiration time.
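The chunked, checkpoint-after-ingest collection described for version 2.3.0 above and the token-expiry failure described here, combined in one added example that is not the add-on's code. A simulated Reports API and a simulated token issuer (both constructed, with a fake clock) stand in for Google; the collector advances its checkpoint only after a window has been handed to the sink, retries a window that hit a network error, and re-issues the token before it expires so that a long backlog no longer ends in a 401. The one-hour lifetime is from this page; the 60-second refresh margin, the 30-second cost per request and the retry limit are this example's assumptions.

```python
from dataclasses import dataclass

WINDOW_SECONDS = 20      # chunk size described for version 2.3.0
TOKEN_LIFETIME = 3600    # API token expiry (one hour) described on this page
REFRESH_MARGIN = 60      # assumption: re-issue the token when less than this remains


class TokenExpired(Exception):
    """Stands in for the HTTP 401 the add-on saw once a run outlived its token."""


class NetworkError(Exception):
    """Stands in for a transient failure while fetching one window."""


@dataclass
class FakeClock:
    now: int = 0


@dataclass
class FakeAuth:
    """Constructed token issuer: a token is represented by its issue time."""
    clock: FakeClock

    def issue(self):
        return self.clock.now

    def remaining(self, token):
        return TOKEN_LIFETIME - (self.clock.now - token)


@dataclass
class FakeReportsApi:
    """Constructed API: each call takes `seconds_per_call` of clock time and
    returns one event per second of the requested window."""
    clock: FakeClock
    auth: FakeAuth
    seconds_per_call: int = 30
    fail_on_call: int = 0    # call number that raises NetworkError once (0 = never)
    calls: int = 0

    def list_activities(self, token, start, end):
        self.calls += 1
        if self.auth.remaining(token) <= 0:
            raise TokenExpired("401 Client Error: Unauthorized")
        if self.calls == self.fail_on_call:
            raise NetworkError("connection reset")
        self.clock.now += self.seconds_per_call
        return [{"time": t, "etag": f"etag-{t}"} for t in range(start, end)]


def collect(api, auth, checkpoint, until, sink, refresh=True, max_retries=3):
    """Pull [checkpoint, until) in WINDOW_SECONDS chunks. The checkpoint moves only
    after a chunk is in the sink, so a failed chunk is re-fetched, never skipped."""
    token = auth.issue()
    while checkpoint < until:
        end = min(checkpoint + WINDOW_SECONDS, until)
        if refresh and auth.remaining(token) < REFRESH_MARGIN:
            token = auth.issue()     # proactive refresh: the fix for the 401 after 1 hour
        for _attempt in range(max_retries):
            try:
                events = api.list_activities(token, checkpoint, end)
                break
            except NetworkError:
                continue             # same window, checkpoint untouched
        else:
            raise RuntimeError(f"window {checkpoint}-{end} failed {max_retries} times")
        sink.extend(events)
        checkpoint = end             # advance only after successful hand-off
    return checkpoint


def run_backlog(backlog_seconds, refresh, fail_on_call=0):
    """Collect a backlog of `backlog_seconds` from a fresh simulated environment."""
    clock = FakeClock()
    auth = FakeAuth(clock)
    api = FakeReportsApi(clock, auth, fail_on_call=fail_on_call)
    sink = []
    checkpoint = collect(api, auth, 0, backlog_seconds, sink, refresh=refresh)
    return checkpoint, sink


if __name__ == "__main__":
    checkpoint, sink = run_backlog(3 * 3600, refresh=True, fail_on_call=3)
    print(f"checkpoint={checkpoint}, events={len(sink)}")
```

With `refresh=False` the three-hour backlog reproduces the failure mode: 540 windows at 30 seconds each run past the one-hour token lifetime and the simulated API answers with the 401; with the refresh in place the same backlog completes with no duplicated or missing window.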

Proxy improvements
This release improves proxy support.

Fixed issues

Version 2.2.0 of the Splunk Add-on for Google Workspace fixes the following issues:


| Date filed | Issue number | Description |
|---|---|---|
| 2022-05-16 | ADDON-50955 | The issue occurs on Splunk Add-On for Google Workspace. The logs are missing intermittent and the Customer could see "HTTPError: 401 Client Error: Unauthorized for url " |


Known issues

Version 2.2.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:

Third-party software attributions

Version 2.2.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

Third-party software attributions for the Splunk Add-on for Google Workspace (Splunk Add-on for Google Workspace third-party software credits.pdf)


Version 2.1.0

Version 2.1.0 of the Splunk Add-on for Google Workspace was released on March 14, 2022.

About this release

Version 2.1.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 8.0.x, 8.1.x, and 8.2.x
CIM: 4.20
Platforms: Platform independent
Vendor products: Google Workspace Enterprise Plus

New features

Version 2.1.0 of the Splunk Add-on for Google Workspace contains the following new features.

  • Added the following new sourcetypes:
    • gws:reports:groups_enterprise

      The gws:reports:groups_enterprise sourcetype is designated for Enterprise Groups Audit activity events. For more information, see the Enterprise Groups Audit Activity Events topic in the Google Workspace Admin SDK manual.

    • gws:reports:gcp

      The gws:reports:gcp sourcetype is designated for Google Cloud Platform activity events. For more information, see the Google Cloud Platform Activity Events topic in the Google Workspace Admin SDK manual.

  • Added CIM mapping support for the gws:reports:groups_enterprise sourcetype for the following event names:
    • add_member
    • add_member_role
    • add_security_setting
    • add_service_account_permission
    • change_security_setting
    • create_group
    • delete_group
    • join
    • unban_member
  • Added CIM mapping support for the gws:reports:gcp sourcetype for the following event names:
    • GET_LOGIN_PROFILE
    • GET_SSH_PUBLIC_KEY
    • IMPORT_SSH_PUBLIC_KEY
    • UPDATE_SSH_PUBLIC_KEY
  • Added CIM mapping support for the gws:reports:login sourcetype for the following event names:
    • account_disabled_generic
    • account_disabled_hijacked
    • account_disabled_spamming
    • account_disabled_spamming_through_relay
    • email_forwarding_out_of_domain
    • gov_attack_warning
    • titanium_enroll
    • titanium_unenroll
  • Added CIM mapping support for the gws:reports:drive sourcetype for the following event names:
    • CHANGE_DOCS_SETTING
    • DRIVE_DATA_RESTORE
    • MOVE_SHARED_DRIVE_TO_ORG_UNIT
    • TRANSFER_DOCUMENT_OWNERSHIP
  • Added CIM mapping support for the gws:reports:admin sourcetype for the following event names:
    • ADD_PRIVILEGE
    • ADD_TO_BLOCKED_OAUTH2_APPS
    • ALLOW_SERVICE_FOR_OAUTH2_ACCESS
    • ASSIGN_ROLE
    • BLOCK_ALL_THIRD_PARTY_API_ACCESS
    • BLOCK_ON_DEVICE_ACCESS
    • CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS
    • CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID
    • CHANGE_CAA_APP_ASSIGNMENTS
    • CHANGE_EMAIL_SETTING
    • CHANGE_GMAIL_SETTING
    • CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION
    • CHANGE_TWO_STEP_VERIFICATION_FREQUENCY
    • CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION
    • CHANGE_TWO_STEP_VERIFICATION_START_DATE
    • CREATE_GMAIL_SETTING
    • CREATE_ROLE
    • DROP_FROM_QUARANTINE
    • EMAIL_UNDELETE
    • ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY
    • ENFORCE_STRONG_AUTHENTICATION
    • REJECT_FROM_QUARANTINE
    • RELEASE_FROM_QUARANTINE
    • REMOVE_FROM_BLOCKED_OAUTH2_APPS
    • REMOVE_FROM_TRUSTED_OAUTH2_APPS
    • SESSION_CONTROL_SETTINGS_CHANGE
    • TRUST_DOMAIN_OWNED_OAUTH2_APPS
    • UNBLOCK_ALL_THIRD_PARTY_API_ACCESS
    • UNBLOCK_ON_DEVICE_ACCESS
    • UNTRUST_DOMAIN_OWNED_OAUTH2_APPS
    • UPDATE_ROLE
    • WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED
  • The minimum and default values of the lookbackOffset parameter for activity-related events were revisited. The minimum value is 5 minutes, and the default value is 30 minutes.
  • A bug affecting gws:reports:token sourcetype events was fixed, so the affected events now have proper CIM mapping support.

Fixed issues


Version 2.1.0 of the Splunk Add-on for Google Workspace fixes the following issues:



Known issues

Version 2.1.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:

| Date filed | Issue number | Description |
|---|---|---|
| 2022-04-22 | ADDON-50955 | Splunk Add-on for Google Workspace - 401 Client error |

Third-party software attributions

Version 2.1.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

Third-party software attributions for the Splunk Add-on for Google Workspace (Third-party software attributions for the Splunk Add-on for Google Workspace2.1.0.pdf)


Version 2.0.0

Version 2.0.0 of the Splunk Add-on for Google Workspace was released on February 2, 2022.

About this release

Version 2.0.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 8.0.x, 8.1.x, and 8.2.x
CIM: 4.20
Platforms: Platform independent
Vendor products: Google Workspace Enterprise Plus

New features

Version 2.0.0 of the Splunk Add-on for Google Workspace contains the following new features.

  • HTTPS proxy support for collecting activity report and Gmail headers information
    This version of the Splunk Add-on for Google Workspace introduces a new configuration tab containing HTTPS proxy configurations that, when enabled, are used to proxy all requests to Google APIs.
  • Split some events into multiple events
    Some Google Workspace Reports API events contain multiple subevents. For example, moving a file to a folder in Google Drive generates one event, which has four subevents (create, change_user_access, change_acl_editors and add_to_folder). This causes potential issues with CIM mapping support for these events.
    This version of the Splunk Add-on for Google Workspace splits those four subevents into four separate events ingested into your Splunk platform deployment. Each of the four related events has the same etag field.
    For example, if a system revokes Google Workspace licenses for two users, the event in previous versions of the Splunk Add-on for Google Workspace will look like the following:
    ```
    {
      "kind":"admin#reports#activity",
      "id":{
        "time":"2021-06-28T18:25:42.247Z",
        "uniqueQualifier":"123",
        "applicationName":"admin",
        "customerId":"some-customerId"
      },
      "etag":"some-etag",
      "actor":{
        "callerType":"KEY",
        "key":"SYSTEM"
      },
      "events":[
        {
          "type":"LICENSES_SETTINGS",
          "name":"USER_LICENSE_REVOKE",
          "parameters":[
            {
              "name":"USER_EMAIL",
              "value":"user1@example.com"
            },
            {
              "name":"PRODUCT_NAME",
              "value":"Google Workspace"
            },
            {
              "name":"OLD_VALUE",
              "value":"Google Workspace Enterprise Plus"
            }
          ]
        },
        {
          "type":"LICENSES_SETTINGS",
          "name":"USER_LICENSE_REVOKE",
          "parameters":[
            {
              "name":"USER_EMAIL",
              "value":"user2@example.com"
            },
            {
              "name":"PRODUCT_NAME",
              "value":"Google Workspace"
            },
            {
              "name":"OLD_VALUE",
              "value":"Google Workspace Enterprise Plus"
            }
          ]
        }
      ]
    }
    ```

    This release of the Splunk Add-on for Google Workspace splits this single event into two separate events and ingests them in the following format into your Splunk platform deployment:

    Event 1:

    ```
    {
      "kind":"admin#reports#activity",
      "id":{
        "time":"2021-06-28T18:25:42.247Z",
        "uniqueQualifier":"123",
        "applicationName":"admin",
        "customerId":"some-customerId"
      },
      "etag":"some-etag",
      "actor":{
        "callerType":"KEY",
        "key":"SYSTEM"
      },
      "event":{
        "type":"LICENSES_SETTINGS",
        "name":"USER_LICENSE_REVOKE",
        "parameters":[
          {
            "name":"USER_EMAIL",
            "value":"user1@example.com"
          },
          {
            "name":"PRODUCT_NAME",
            "value":"Google Workspace"
          },
          {
            "name":"OLD_VALUE",
            "value":"Google Workspace Enterprise Plus"
          }
        ]
      }
    }
    ```


    Event 2:

    ```
    {
      "kind":"admin#reports#activity",
      "id":{
        "time":"2021-06-28T18:25:42.247Z",
        "uniqueQualifier":"123",
        "applicationName":"admin",
        "customerId":"some-customerId"
      },
      "etag":"some-etag",
      "actor":{
        "callerType":"KEY",
        "key":"SYSTEM"
      },
      "event":{
        "type":"LICENSES_SETTINGS",
        "name":"USER_LICENSE_REVOKE",
        "parameters":[
          {
            "name":"USER_EMAIL",
            "value":"user2@example.com"
          },
          {
            "name":"PRODUCT_NAME",
            "value":"Google Workspace"
          },
          {
            "name":"OLD_VALUE",
            "value":"Google Workspace Enterprise Plus"
          }
        ]
      }
    }
    ```


    If you want to identify a specific event, and other events occur at the same time, you can search for the etag field, which can show you all the related events.
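The splitting described above, as an added example that is not the add-on's own code: one Reports API activity record carrying several sub-events is turned into one record per sub-event, each keeping the parent's `id`, `actor` and `etag`, and the shared `etag` is then what ties the pieces back together. The sample record is constructed to match the USER_LICENSE_REVOKE example on this page; the helper names are this example's own.

```python
import copy


def _revoke(user):
    """Build one USER_LICENSE_REVOKE sub-event for the constructed sample."""
    return {
        "type": "LICENSES_SETTINGS",
        "name": "USER_LICENSE_REVOKE",
        "parameters": [
            {"name": "USER_EMAIL", "value": user},
            {"name": "PRODUCT_NAME", "value": "Google Workspace"},
            {"name": "OLD_VALUE", "value": "Google Workspace Enterprise Plus"},
        ],
    }


# Constructed activity record: two licence revocations in a single API record.
SAMPLE_ACTIVITY = {
    "kind": "admin#reports#activity",
    "id": {"time": "2021-06-28T18:25:42.247Z", "uniqueQualifier": "123",
           "applicationName": "admin", "customerId": "some-customerId"},
    "etag": "some-etag",
    "actor": {"callerType": "KEY", "key": "SYSTEM"},
    "events": [_revoke("user1@example.com"), _revoke("user2@example.com")],
}


def split_activity(activity):
    """Return one record per entry of `events`, each under a singular `event` key.
    Every record copies the parent's other fields, so id, actor and etag survive.
    A record without sub-events is passed through as a copy."""
    subevents = activity.get("events") or []
    if not subevents:
        return [copy.deepcopy(activity)]
    parent = {k: v for k, v in activity.items() if k != "events"}
    records = []
    for sub in subevents:
        record = copy.deepcopy(parent)
        record["event"] = copy.deepcopy(sub)
        records.append(record)
    return records


def related_by_etag(records, etag):
    """Mirror of the search hint above: split records sharing an etag belong together."""
    return [r for r in records if r.get("etag") == etag]


def parameter(record, name):
    """Value of a named parameter on a split record, or None if absent."""
    for p in record["event"].get("parameters", []):
        if p.get("name") == name:
            return p.get("value")
    return None


def revoked_users(records):
    """Which users lost a licence, one per split record."""
    return [parameter(r, "USER_EMAIL") for r in records
            if r["event"].get("name") == "USER_LICENSE_REVOKE"]


if __name__ == "__main__":
    for record in split_activity(SAMPLE_ACTIVITY):
        print(record["etag"], record["event"]["name"], parameter(record, "USER_EMAIL"))
```

Because the split copies rather than moves, a downstream mapping can treat every record uniformly (one `event`, one set of `parameters`), and `related_by_etag` recovers the original grouping when an investigation needs to see the whole batch the API delivered.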

  • Support for collecting Gmail headers information
    This release includes support for Gmail headers ingestion into your Splunk platform deployment. This feature is supported for the following types of Google Workspace editions: Enterprise, Education Standard, and Plus.
    For more information, see the Prepare to use Gmail logs in BigQuery topic in the Google Workspace Admin documentation.
  • Extend CIM mapping support for all sourcetypes
    This release includes CIM mapping support for the following event names:
    1. gws:reports:saml sourcetype. For more information, see the SAML Audit Activity Events topic in the Workspace Admin SDK documentation.
      1. login_failure
      2. login_success
    2. gws:reports:login sourcetype. For more information, see the Login Audit Activity Events topic in the Workspace Admin SDK documentation.
      1. 2sv_disable
      2. 2sv_enroll
      3. account_disabled_password_leak
      4. login_failure
      5. login_success
      6. logout
      7. password_edit
      8. recovery_email_edit
      9. recovery_phone_edit
      10. recovery_secret_qa_edit
      11. suspicious_login
      12. suspicious_login_less_secure_app
      13. suspicious_programmatic_login
    3. gws:reports:oauthtoken sourcetype. For more information, see the OAuth Token Audit Activity Events topic in the Workspace Admin SDK documentation.
      1. authorize
      2. revoke
    4. gws:reports:drive sourcetype. For more information, see the Drive Audit Activity Events topic in the Workspace Admin SDK documentation.
      1. add_to_folder
      2. change_document_access_scope
      3. change_document_access_scope_hierarchy_reconciled
      4. change_document_visibility
      5. change_document_visibility_hierarchy_reconciled
      6. change_user_access
      7. change_user_access_hierarchy_reconciled
      8. copy
      9. create
      10. delete
      11. download
      12. edit
      13. email_as_attachment
      14. move
      15. print
      16. publish_change
      17. remove_from_folder
      18. rename
      19. shared_drive_membership_change
      20. sheets_import_range
      21. trash
      22. untrash
      23. upload
      24. view
    5. gws:reports:admin sourcetype. For more information, see the Reports API: Admin Activity Report Event Names topic in the Workspace Admin SDK documentation.
      1. ADD_RECOVERY_EMAIL
      2. ADD_RECOVERY_PHONE
      3. ARCHIVE_USER
      4. AUTHORIZE_API_CLIENT_ACCESS
      5. CHANGE_PASSWORD
      6. CHANGE_PASSWORD_ON_NEXT_LOGIN
      7. CHANGE_RECOVERY_EMAIL
      8. CHANGE_RECOVERY_PHONE
      9. CREATE_EMAIL_MONITOR
      10. CREATE_USER
      11. DELETE_EMAIL_MONITOR
      12. DELETE_USER
      13. ENABLE_USER_IP_WHITELIST
      14. GENERATE_2SV_SCRATCH_CODES
      15. GMAIL_RESET_USER
      16. GRANT_ADMIN_PRIVILEGE
      17. GRANT_DELEGATED_ADMIN_PRIVILEGES
      18. MAIL_ROUTING_DESTINATION_ADDED
      19. MAIL_ROUTING_DESTINATION_REMOVED
      20. MOVE_USER_TO_ORG_UNIT
      21. REMOVE_RECOVERY_EMAIL
      22. REMOVE_RECOVERY_PHONE
      23. RENAME_USER
      24. REVOKE_ADMIN_PRIVILEGE
      25. SECURITY_KEY_REGISTERED_FOR_USER
      26. SUSPEND_USER
      27. TURN_OFF_2_STEP_VERIFICATION
      28. UNARCHIVE_USER
      29. UNBLOCK_USER_SESSION
      30. UNDELETE_USER
      31. UNENROLL_USER_FROM_STRONG_AUTH
      32. UNENROLL_USER_FROM_TITANIUM
      33. UNSUSPEND_USER
      34. USER_LICENSE_REVOKE
      35. USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD

Common Information Model mapping changes

The following table displays the changes to the Common Information Model (CIM) mapping for this add-on, grouped by sourcetype and event name:

gws:reports:login, login_success:
  - Field authentication_method is now taken from login_type first; if login_type is empty, it is taken from login_challenge_method
  - Added dest_name field equal to Google Workspace
  - Added vendor_product field equal to Google Workspace

gws:reports:login, login_failure:
  - Field authentication_method is now taken from login_type first; if login_type is empty, it is taken from login_challenge_method
  - Added dest_name field equal to Google Workspace
  - Added vendor_product field equal to Google Workspace

gws:reports:login, logout:
  - Added dest_name field equal to Google Workspace
  - Removed src_ip field mapping
  - Added src_user_id field mapping
  - Added src_user_name field mapping

gws:reports:oauthtoken, token_authorize:
  - Added dest_url field equal to dest field

gws:reports:oauthtoken, token_revoke:
  - Field action was changed from logoff to modified
  - Added app field mapping
  - Added dest_url field equal to dest field
  - Field object is now taken from client_id field
  - Field object_id is now taken from client_id field
  - Field result is equal to revoke
  - Field result_id is equal to revoke
  - Added src_user_id field
  - Field user is now taken from client_id field
  - Field user_id is now taken from client_id field
  - Field user_name is now taken from client_id field

gws:reports:admin, USER_LICENSE_REVOKE:
  - Field object_attrs is now equal to USER_LICENSE

gws:reports:admin, AUTHORIZE_API_CLIENT_ACCESS:
  - Added dest_url field equal to dest field
  - Field object_attrs is now equal to API_CLIENT
  - Added src_user_id field

gws:reports:admin, DELETE_USER:
  - Field object_attrs is now equal to USER_SETTINGS
  - Added src_user_id field

gws:reports:admin, SUSPEND_USER:
  - Added dest_name field equal to dest
  - Added src_user_id field

gws:reports:admin, CHANGE_MOBILE_SETTING:
  - Field dest is now taken from ORG_UNIT_NAME field
  - Added dest_name field equal to dest
  - Field object_attrs is now equal to NEW_VALUE field

gws:reports:admin, CREATE_USER:
  - Added dest_name field equal to dest
  - Field object_attrs is now equal to USER_SETTINGS
  - Added src_user_id field

gws:reports:admin, ADD_TO_TRUSTED_OAUTH2_APPS:
  - Field action was changed from modified to created
  - Field object_attrs is now equal to SECURITY_SETTINGS
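To see what the login and token_revoke mapping changes above mean for an actual record, the following added example (not the add-on's own props/transforms) re-implements just those rules over constructed Google Workspace Reports API records; the sample values, the helper names and the fallback behaviour when login_type is absent are assumptions made for illustration.

```python
# Added example (not the add-on's own props/transforms): a simplified
# re-implementation of the gws:reports:login and token_revoke mapping changes
# listed above, applied to constructed Google Workspace Reports API records.
# Fields the table does not mention are deliberately left out.
VENDOR = "Google Workspace"

def flatten_params(event):
    """Turn a Reports API event's parameters list into a dict keyed by name."""
    out = {}
    for p in event.get("parameters", []):
        # each parameter carries one of value / multiValue / boolValue / intValue
        out[p["name"]] = next((p[k] for k in ("value", "multiValue", "boolValue", "intValue") if k in p), None)
    return out

def map_login(record):
    """CIM fields for gws:reports:login login_success, login_failure and logout."""
    event = record["events"][0]
    p = flatten_params(event)
    cim = {"dest_name": VENDOR}
    if event["name"] in ("login_success", "login_failure"):
        cim["vendor_product"] = VENDOR
        # login_type first; only an absent or empty login_type falls back to login_challenge_method
        cim["authentication_method"] = p.get("login_type") or p.get("login_challenge_method")
    elif event["name"] == "logout":
        # src_ip mapping removed for logout; the actor's identity is mapped instead
        cim["src_user_id"] = record["actor"].get("profileId")
        cim["src_user_name"] = record["actor"].get("email")
    return cim

def map_token_revoke(record):
    """CIM fields for the gws:reports:oauthtoken revoke event (token_revoke in the table)."""
    client_id = flatten_params(record["events"][0]).get("client_id")
    return {"action": "modified", "result": "revoke", "result_id": "revoke",
            "object": client_id, "object_id": client_id,
            "user": client_id, "user_id": client_id, "user_name": client_id,
            "src_user_id": record["actor"].get("profileId")}

# Constructed sample records in the shape of Reports API activities.list items
ACTOR = {"email": "alice@example.com", "profileId": "1001"}
LOGIN_OK = {"actor": ACTOR, "ipAddress": "203.0.113.5", "events": [{"type": "login", "name": "login_success",
    "parameters": [{"name": "login_type", "value": "google_password"},
                   {"name": "login_challenge_method", "multiValue": ["password"]}]}]}
LOGIN_CHALLENGE_ONLY = {"actor": ACTOR, "ipAddress": "203.0.113.5", "events": [{"type": "login", "name": "login_failure",
    "parameters": [{"name": "login_challenge_method", "multiValue": ["password", "idv_preregistered_phone"]}]}]}
LOGOUT = {"actor": ACTOR, "ipAddress": "203.0.113.5", "events": [{"type": "login", "name": "logout", "parameters": []}]}
REVOKE = {"actor": ACTOR, "events": [{"type": "auth", "name": "revoke",
    "parameters": [{"name": "client_id", "value": "123456.apps.googleusercontent.com"}]}]}
```

Running map_login over LOGIN_OK and LOGIN_CHALLENGE_ONLY shows the two branches of the authentication_method rule, and map_login(LOGOUT) shows that no src_ip field is emitted for logout.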

Fixed issues

This is the first release of the Splunk Add-on for Google Workspace.

Version 2.0.0 of the Splunk Add-on for Google Workspace fixes the following issues:


Known issues

Version 2.0.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:

Third-party software attributions

Version 2.0.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

Third-party software attributions for the Splunk Add-on for Google Workspace 2.0.0 (PDF)

Version 1.0.0

Version 1.0.0 of the Splunk Add-on for Google Workspace was released on September 1, 2021.

About this release

Version 1.0.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.0.x, 8.1.x, 8.2.x
CIM 4.18
Platforms Platform independent
Vendor Products Google Workspace Enterprise Plus

Fixed issues

This is the first release of the Splunk Add-on for Google Workspace.

Known issues

Version 1.0.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:

Third-party software attributions

Version 1.0.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

Third-party software attributions for the Splunk Add-on for Google Workspace 1.0.0 (PDF)

Last modified on 12 April, 2024