Release history for the Splunk Add-on for Google Workspace
The latest version of the Splunk Add-on for Google Workspace is version 2.8.1. See Release notes for the Splunk Add-on for Google Workspace for release notes of this latest version.
Version 2.8.0
Version 2.8.0 of the Splunk Add-on for Google Workspace was released on July 26, 2024.
About this release
Version 2.8.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 9.3, 9.2, 9.1 |
CIM | 5.x |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features
Version 2.8.0 of the Splunk Add-on for Google Workspace has the following new features.
- Added 3 new source types:
gws:reports:chat
gws:reports:mobile
gws:reports:chrome
Fixed issues
Version 2.8.0 of the Splunk Add-on for Google Workspace fixes the following issues. If no issues appear below, no issues have yet been fixed.
Known issues
Version 2.8.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.
Third-party software attributions
Version 2.8.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace
Version 2.7.0
Version 2.7.0 of the Splunk Add-on for Google Workspace was released on April 7, 2024.
About this release
Version 2.7.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.2.x, and 9.0.x |
CIM | 4.20, 5.0 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features
Version 2.7.0 of the Splunk Add-on for Google Workspace has the following new features.
- Added feature to change view type in User Identity List input
- Added feature to use custom tables in Gmail Logs Migrated input
Fixed issues
Version 2.7.0 of the Splunk Add-on for Google Workspace fixes the following issues. If no issues appear below, no issues have yet been fixed.
Known issues
Version 2.7.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.
Third-party software attributions
Version 2.7.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace
Version 2.6.3
Version 2.6.3 of the Splunk Add-on for Google Workspace was released on February 7, 2024.
About this release
Version 2.6.3 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.2.x, and 9.0.x |
CIM | 4.20, 5.0 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features
Version 2.6.3 of the Splunk Add-on for Google Workspace has the following new features.
- Fixed the BigQuery query used in the Gmail Logs input that resulted in excessive data scanning
Fixed issues
Version 2.6.3 of the Splunk Add-on for Google Workspace fixes the following issues. If no issues appear below, no issues have yet been fixed.
Date resolved | Issue number | Description |
---|---|---|
2024-02-05 | ADDON-64975 | Gmail Logs Input - Inefficient Big Query used that results to excessive data scanning |
Known issues
Version 2.6.3 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.
Third-party software attributions
Version 2.6.3 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace
Version 2.6.2
Version 2.6.2 of the Splunk Add-on for Google Workspace was released on January 22, 2024.
About this release
Version 2.6.2 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.2.x, and 9.0.x |
CIM | 4.20, 5.0 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features
Version 2.6.2 of the Splunk Add-on for Google Workspace has the following new features.
- Fixed a security vulnerability found in urllib3 by upgrading its version from 1.26.14 to 1.26.18.
Fixed issues
Version 2.6.2 of the Splunk Add-on for Google Workspace fixes the following issues. If no issues appear below, no issues have yet been fixed.
Known issues
Version 2.6.2 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.
Date filed | Issue number | Description |
---|---|---|
2023-09-12 | ADDON-64975 | Gmail Logs Input - Inefficient Big Query used that results to excessive data scanning |
Third-party software attributions
Version 2.6.2 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace
Version 2.6.0
Version 2.6.0 of the Splunk Add-on for Google Workspace was released on TBD.
About this release
Version 2.6.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.2.x, and 9.0.x |
CIM | 4.20, 5.0 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features
Version 2.6.0 of the Splunk Add-on for Google Workspace has the following new features.
- Checkpoints for "Activity report" modular inputs are being migrated to KVStore. This is an automatic update during the modular input run after you update to the v2.6.0 of the add-on. If you were experiencing issues with "Activity report" modular input in Splunk Cloud, please remove all your inputs, update the add-on and recreate the inputs.
- "Activity report" modular input was redesigned to support more data ingestion.
- New "Advanced Settings" configuration tab to provide control over the speed of data collection. The current functionality has a parameter for "Activity report interval size". By default, the add-on creates 5 threads to collect the data. This is sufficient for most use cases, as it can bring in around 120,000 events per minute through one configured modular input.
Do not configure more modular inputs with the same "Application Name" and the same "Service Account to use" as it will result in duplicated data.
- To see how many events (per 20 seconds) the particular modular input is bringing in you can run this search:
```
index=_internal source=*<modular-input-name>* "Total split events ingested"
```
- To see the average amount of events (per 20 seconds) the particular modular input is bringing in you can run this search:
```
index=_internal source=*<modular-input-name>* "Total split events ingested" | rex field=_raw "Total split events ingested: (?<n_events>.*)$" | stats avg(n_events)
```
- If the number is less than 40000, you can use the default advanced configuration.
- If you notice a delay in your data collection, you can change "Activity report interval size" to 2, save the changes and in your next run of the modular input, there will be 10 threads to collect the data, increasing the speed of the data collection even further. Note: changing the interval size to a smaller number requires more resources.
Fixed issues
Version 2.6.0 of the Splunk Add-on for Google Workspace fixes the following issues. If no issues appear below, no issues have yet been fixed.
Date resolved | Issue number | Description |
---|---|---|
2023-07-31 | ADDON-61198 | GWS Activity report: not currently supporting clustering environment |
Known issues
Version 2.6.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.
Date filed | Issue number | Description |
---|---|---|
2023-09-12 | ADDON-64975 | Gmail Logs Input - Inefficient Big Query used that results to excessive data scanning |
Third-party software attributions
Version 2.6.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace
Version 2.5.1
Version 2.5.1 of the Splunk Add-on for Google Workspace was released on April 28, 2023.
About this release
Version 2.5.1 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x, and 9.0.x |
CIM | 4.20, 5.0 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features
Version 2.5.1 of the Splunk Add-on for Google Workspace has the following new features.
- Introduces support for application name "rules" for "Activity report" modular input
- Fixes issues found for "Alert Center" modular input.
- Optimizes some parts of the data collection for "Activity report" modular input.
Fixed issues
Version 2.5.1 of the Splunk Add-on for Google Workspace fixes the following issues. If no issues appear below, no issues have yet been fixed.
Date resolved | Issue number | Description |
---|---|---|
2023-05-04 | ADDON-61892 | GWS Alert Center: 'Gmail Phishing' source inputs not working as expected |
Known issues
Version 2.5.1 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.
Date filed | Issue number | Description |
---|---|---|
2023-03-06 | ADDON-61198 | GWS Activity report: not currently supporting clustering environment |
Third-party software attributions
Version 2.5.1 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace
Version 2.5.0
Version 2.5.0 of the Splunk Add-on for Google Workspace was released on April 3, 2023.
About this release
Version 2.5.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x, and 9.0.x |
CIM | 4.20, 5.0 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features
Version 2.5.0 of the Splunk Add-on for Google Workspace has the following new features.
- Introduced Alert Center, a modular input for collecting data from Google Workspace. It is recommended to use a different service account to use with this modular input as it needs a different scope.
- Both Gmail Logs and Gmail Logs Migrated received an update to the checkpointing strategy, which should fix an issue where data ingestion was delayed because of frequent checkpoint saving.
Fixed issues
Version 2.5.0 of the Splunk Add-on for Google Workspace fixes the following issues. If no issues appear below, no issues have yet been fixed.
Known issues
Version 2.5.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.
Date filed | Issue number | Description |
---|---|---|
2023-04-19 | ADDON-61892 | GWS Alert Center: 'Gmail Phishing' source inputs not working as expected |
2023-03-06 | ADDON-61198 | GWS Activity report: not currently supporting clustering environment |
Third-party software attributions
Version 2.5.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace
Version 2.4.1
Version 2.4.1 of the Splunk Add-on for Google Workspace was released on December 9, 2022.
About this release
Version 2.4.1 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x, and 9.0.x |
CIM | 4.20, 5.0 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features
Version 2.4.1 of the Splunk Add-on for Google Workspace includes a new modular input option for customers who migrated from Gmail logs in BigQuery to Google Workspace logs and reports in BigQuery. This modular input is called Gmail Logs Migrated and has all of the same parameters as the Gmail Logs modular input. The format of the log has not changed after the migration, and there are no changes needed with regards to Common Information Model (CIM) field mappings for the migrated data. For more information, see the Gmail logs in BigQuery topic in the Google Workspace Admin Help portal, and the Google Workspace logs and reports in BigQuery topic in the Google Workspace Admin Help portal.
- Added multiple domain support for Google Workspace data ingestion.
- Added support for the Asset and Identity framework in Splunk Enterprise Security.
- Implemented gzip compression for the Activity report modular input. Gzip compression should improve the network latency for requests, but will increase the CPU consumption for your input.
- UI label and help text feature enhancements.
- The checkpoint (file-based for Activity report or KVStore-based for Gmail Logs) will be deleted if a corresponding input is deleted.
- Custom dataset location for Gmail Logs input is supported (US or EU options are available). If you update from the previous version of the add-on, the US location will be used as the default setting (this setting can be changed in the input).
- The query for Gmail Logs input was improved to reduce the cost for running each query.
Fixed issues
Version 2.4.1 of the Splunk Add-on for Google Workspace fixes the following issues:
Known issues
Version 2.4.1 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:
Date filed | Issue number | Description |
---|---|---|
2023-03-06 | ADDON-61198 | GWS Activity report: not currently supporting clustering environment |
Third-party software attributions
Version 2.4.1 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace
Version 2.4.0
Version 2.4.0 of the Splunk Add-on for Google Workspace was released on October 27, 2022.
About this release
Version 2.4.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x, and 9.0.x |
CIM | 4.20, 5.0 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features
- Added multiple domain support for Google Workspace data ingestion.
- Added support for the Asset and Identity framework in Splunk Enterprise Security.
- Implemented gzip compression for the Activity report modular input. Gzip compression should improve the network latency for requests, but will increase the CPU consumption for your input.
- UI label and help text feature enhancements.
- The checkpoint (file-based for Activity report or KVStore-based for Gmail Logs) will be deleted if a corresponding input is deleted.
- Custom dataset location for Gmail Logs input is supported (US or EU options are available). If you update from the previous version of the add-on, the US location will be used as the default setting (this setting can be changed in the input).
- The query for Gmail Logs input was improved to reduce the cost for running each query.
Fixed issues
Version 2.4.0 of the Splunk Add-on for Google Workspace fixes the following issues:
Known issues
Version 2.4.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:
Third-party software attributions
Version 2.4.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace
Version 2.3.0
Version 2.3.0 of the Splunk Add-on for Google Workspace was released on August 23, 2022.
About this release
Version 2.3.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x, and 9.0.x |
CIM | 4.20 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features
"Activity" input changes
- Improved the way non-UTF-8 characters are ingested into Splunk. Before this update, if your event had a non-UTF-8 character (for example, "こんにちは世界", which is "Hello World" in Japanese), it would show as a unicode string ("\u3053\u3093\u306b\u3061\u306f\u4e16\u754c") in the raw event. This can make it difficult to search for the same exact word using an SPL search. With version 2.3.0, the raw event contains string "こんにちは世界", which lets you now perform SPL searches.
- Interval for "Activity" input now has low and high boundaries, which are 20 seconds and 3600 seconds respectively. This limitation is only for the new inputs. Inputs created before the 2.3.0 version will continue to work as before.
- The "Activity report" input is now enhanced to improve reliability of the input, especially for big environments. This release completely redesigns how the data is gathered, including better error handling and ingestion, and will solve past issues that occur in bigger environments.
- The add-on now collects data for 20 second chunks, ingests that data to Splunk, and then moves the checkpoint. This approach allows us to be more reliable if network issues occur during data collection.
"Gmail Logs" input changes
- Proxy handling for "Gmail Logs" input is improved and additional environment variables are set before making requests to Google BigQuery API (HTTP_PROXY, https_proxy and http_proxy).
- "Dataset name" option was added to "Gmail Logs" input. This allows you to specify a custom BigQuery dataset name when you export Gmail logs to BigQuery. The default setting is gmail_logs_dataset. All "Gmail Logs" inputs created in previous releases will still work, but you should update the input's "dataset_name" field to the default one ("gmail_logs_dataset").
General changes
Proxy handling for both "Activity" and "Gmail Logs" was changed. Previously, when you enabled and configured a proxy in the "Configuration" tab, the Python code for the modular inputs would make HTTPS requests using https://<your-configured-proxy> (specified as username:password@ip:port). With version 2.3.0, HTTP and HTTPS requests will go through http://<your-configured-proxy>. This change creates a similar proxy configuration to other Splunk-supported add-ons.
Fixed issues
Version 2.3.0 of the Splunk Add-on for Google Workspace fixes the following issues:
Date resolved | Issue number | Description |
---|---|---|
2023-03-21 | ADDON-50955 | Splunk Add-on for Google Workspace - 401 Client error |
Known issues
Version 2.3.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:
Third-party software attributions
Version 2.3.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace
Version 2.2.0
Version 2.2.0 of the Splunk Add-on for Google Workspace was released on June 1, 2022.
About this release
Version 2.2.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x, 9.0.x |
CIM | 4.20 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features
Version 2.2.0 of the Splunk Add-on for Google Workspace contains the following new features.
- Added the following new sourcetypes and CIM mapping support to event names:
sourcetype: gws:reports:calendar
- event names:
- change_calendar_acls
- create_calendar
- delete_calendar
- create_event
- delete_event
- add_event_guest
- change_event
- restore_event
sourcetype: gws:reports:context_aware_access
- event names:
- ACCESS_DENY_EVENT
- Updated existing sourcetypes and added CIM mapping support to event names:
sourcetype: gws:reports:groups_enterprise
- event names:
- invite_member
sourcetype: gws:reports:admin
- event names:
- CREATE_CALENDAR_RESOURCE
- UPDATE_CALENDAR_RESOURCE
- CHANGE_FIRST_NAME
- CHANGE_LAST_NAME
- CHANGE_USER_LOCATION
- RESET_SIGNIN_COOKIES
- DELETE_GMAIL_SETTING
- DELETE_ROLE
- REMOVE_PRIVILEGE
- RENAME_ROLE
- UNASSIGN_ROLE
- DISALLOW_SERVICE_FOR_OAUTH2_ACCESS
- ORG_LICENSE_REVOKE
- USER_LICENSE_ASSIGNMENT
Token expiration Fix
When an activity report ran for more than 1 hour, the add-on reported a 401 status code while trying to make another request to the Google Workspace API. One potential scenario that could lead to this issue is an input that was enabled, then stopped for a while, and then reenabled. This caused the activity report input to gather all the data for that period of time (from when the input stopped until it was reenabled). The amount of data the add-on was trying to pull was too large to collect within the 1 hour API token expiration time.
Proxy improvements
This release brings in an improvement regarding the proxy support.
Fixed issues
Version 2.2.0 of the Splunk Add-on for Google Workspace fixes the following issues:
Date filed | Issue number | Description |
---|---|---|
2022-05-16 | ADDON-50955 | The issue occurs on Splunk Add-On for Google Workspace. The logs are missing intermittent and the Customer could see "HTTPError: 401 Client Error: Unauthorized for url " |
Known issues
Version 2.2.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:
Third-party software attributions
Version 2.2.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
File:Splunk Add-on for Google Workspace third-party software credits.pdf
Version 2.1.0
Version 2.1.0 of the Splunk Add-on for Google Workspace was released on March 14, 2022.
About this release
Version 2.1.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.0.x, 8.1.x, 8.2.x |
CIM | 4.20 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features
Version 2.1.0 of the Splunk Add-on for Google Workspace contains the following new features.
- Added the following new sourcetypes:
gws:reports:groups_enterprise
The gws:reports:groups_enterprise sourcetype is designated for Enterprise Groups Audit activity events. For more information, see the Enterprise Groups Audit Activity Events topic in the Google Workspace Admin SDK manual.
gws:reports:gcp
The gws:reports:gcp sourcetype is designated for Google Cloud Platform activity events. For more information, see the Google Cloud Platform Activity Events topic in the Google Workspace Admin SDK manual.
- Added CIM mapping support for the gws:reports:groups_enterprise sourcetype for the following event names:
add_member
add_member_role
add_security_setting
add_service_account_permission
change_security_setting
create_group
delete_group
join
unban_member
- Added CIM mapping support for the gws:reports:gcp sourcetype for the following event names:
GET_LOGIN_PROFILE
GET_SSH_PUBLIC_KEY
IMPORT_SSH_PUBLIC_KEY
UPDATE_SSH_PUBLIC_KEY
- Added CIM mapping support for the gws:reports:login sourcetype for the following event names:
account_disabled_generic
account_disabled_hijacked
account_disabled_spamming
account_disabled_spamming_through_relay
email_forwarding_out_of_domain
gov_attack_warning
titanium_enroll
titanium_unenroll
- Added CIM mapping support for the gws:reports:drive sourcetype for the following event names:
CHANGE_DOCS_SETTING
DRIVE_DATA_RESTORE
MOVE_SHARED_DRIVE_TO_ORG_UNIT
TRANSFER_DOCUMENT_OWNERSHIP
- Added CIM mapping support for the gws:reports:admin sourcetype for the following event names:
ADD_PRIVILEGE
ADD_TO_BLOCKED_OAUTH2_APPS
ALLOW_SERVICE_FOR_OAUTH2_ACCESS
ASSIGN_ROLE
BLOCK_ALL_THIRD_PARTY_API_ACCESS
BLOCK_ON_DEVICE_ACCESS
CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS
CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID
CHANGE_CAA_APP_ASSIGNMENTS
CHANGE_EMAIL_SETTING
CHANGE_GMAIL_SETTING
CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION
CHANGE_TWO_STEP_VERIFICATION_FREQUENCY
CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION
CHANGE_TWO_STEP_VERIFICATION_START_DATE
CREATE_GMAIL_SETTING
CREATE_ROLE
DROP_FROM_QUARANTINE
EMAIL_UNDELETE
ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY
ENFORCE_STRONG_AUTHENTICATION
REJECT_FROM_QUARANTINE
RELEASE_FROM_QUARANTINE
REMOVE_FROM_BLOCKED_OAUTH2_APPS
REMOVE_FROM_TRUSTED_OAUTH2_APPS
SESSION_CONTROL_SETTINGS_CHANGE
TRUST_DOMAIN_OWNED_OAUTH2_APPS
UNBLOCK_ALL_THIRD_PARTY_API_ACCESS
UNBLOCK_ON_DEVICE_ACCESS
UNTRUST_DOMAIN_OWNED_OAUTH2_APPS
UPDATE_ROLE
WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED
- The minimum and default values of the lookbackOffset parameter for activity-related events were also revisited. The minimum value is 5 minutes, and the default value is 30 minutes.
- The bug with gws:reports:token sourcetype events was fixed, so the respective events now have proper CIM-mapping support.
Fixed issues
This is the first release of the Splunk Add-on for Google Workspace.
Version 2.1.0 of the Splunk Add-on for Google Workspace fixes the following issues:
Known issues
Version 2.1.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:
Date filed | Issue number | Description |
---|---|---|
2022-04-22 | ADDON-50955 | Splunk Add-on for Google Workspace - 401 Client error |
Third-party software attributions
Version 2.0.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
File:Third-party software attributions for the Splunk Add-on for Google Workspace2.1.0.pdf
Version 2.0.0
Version 2.0.0 of the Splunk Add-on for Google Workspace was released on February 2, 2022.
About this release
Version 2.0.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.0.x, 8.1.x, 8.2.x |
CIM | 4.20 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features
Version 2.1.0 of the Splunk Add-on for Google Workspace contains the following new features.
- HTTPS proxy support for collecting activity report and Gmail headers information
This version of the Splunk Add-on for Google Workspace introduces a new configuration tab containing HTTPS proxy configurations that, when enabled, are used to proxy all requests to Google APIs.
- Split some events into multiple events
Some Google Workspace Reports API events contain multiple subevents. For example, moving a file to a folder in Google Drive generates one event, which has four subevents (create, change_user_access, change_acl_editors and add_to_folder). This causes potential issues with CIM mapping support for these events.
This version of the Splunk Add-on for Google Workspace introduces a change to split four subevents to four separate events ingested into your Splunk platform deployment. Each of the four new related events has the same etag field.
For example, if a system revokes Google Workspace licenses for two users, the event in previous versions of the Splunk Add-on for Google Workspace will look like the following:
```
{
  "kind": "admin#reports#activity",
  "id": { "time": "2021-06-28T18:25:42.247Z", "uniqueQualifier": "123", "applicationName": "admin", "customerId": "some-customerId" },
  "etag": "some-etag",
  "actor": { "callerType": "KEY", "key": "SYSTEM" },
  "events": [
    {
      "type": "LICENSES_SETTINGS",
      "name": "USER_LICENSE_REVOKE",
      "parameters": [
        { "name": "USER_EMAIL", "value": "user1@example.com" },
        { "name": "PRODUCT_NAME", "value": "Google Workspace" },
        { "name": "OLD_VALUE", "value": "Google Workspace Enterprise Plus" }
      ]
    },
    {
      "type": "LICENSES_SETTINGS",
      "name": "USER_LICENSE_REVOKE",
      "parameters": [
        { "name": "USER_EMAIL", "value": "user2@example.com" },
        { "name": "PRODUCT_NAME", "value": "Google Workspace" },
        { "name": "OLD_VALUE", "value": "Google Workspace Enterprise Plus" }
      ]
    }
  ]
}
```
This release of the Splunk Add-on for Google Workspace splits this single event into two separate events and ingests them in the following format into your Splunk platform deployment:
Event 1:
```
{
  "kind": "admin#reports#activity",
  "id": { "time": "2021-06-28T18:25:42.247Z", "uniqueQualifier": "123", "applicationName": "admin", "customerId": "some-customerId" },
  "etag": "some-etag",
  "actor": { "callerType": "KEY", "key": "SYSTEM" },
  "event": {
    "type": "LICENSES_SETTINGS",
    "name": "USER_LICENSE_REVOKE",
    "parameters": [
      { "name": "USER_EMAIL", "value": "user1@example.com" },
      { "name": "PRODUCT_NAME", "value": "Google Workspace" },
      { "name": "OLD_VALUE", "value": "Google Workspace Enterprise Plus" }
    ]
  }
}
```
Event 2:
```
{
  "kind": "admin#reports#activity",
  "id": { "time": "2021-06-28T18:25:42.247Z", "uniqueQualifier": "123", "applicationName": "admin", "customerId": "some-customerId" },
  "etag": "some-etag",
  "actor": { "callerType": "KEY", "key": "SYSTEM" },
  "event": {
    "type": "LICENSES_SETTINGS",
    "name": "USER_LICENSE_REVOKE",
    "parameters": [
      { "name": "USER_EMAIL", "value": "user2@example.com" },
      { "name": "PRODUCT_NAME", "value": "Google Workspace" },
      { "name": "OLD_VALUE", "value": "Google Workspace Enterprise Plus" }
    ]
  }
}
```
If you want to identify a specific event, and other events occur at the same time, you can search for the etag field, which can show you all the related events.
- Support for collecting Gmail headers information
This release includes support for Gmail headers ingestion into your Splunk platform deployment. This feature is supported for the following types of Google Workspace editions: Enterprise, Education Standard, and Plus.
For more information, see the Prepare to use Gmail logs in BigQuery topic in the Google Workspace Admin documentation.
- Extend CIM mapping support for all sourcetypes
This release includes CIM mapping support for the following event names:
gws:reports:saml sourcetype. For more information, see the SAML Audit Activity Events topic in the Workspace Admin SDK documentation.
- login_failure
- login_success
gws:reports:login sourcetype. For more information, see the Login Audit Activity Events topic in the Workspace Admin SDK documentation.
- 2sv_disable
- 2sv_enroll
- account_disabled_password_leak
- login_failure
- login_success
- logout
- password_edit
- recovery_email_edit
- recovery_phone_edit
- recovery_secret_qa_edit
- suspicious_login
- suspicious_login_less_secure_app
- suspicious_programmatic_login
gws:reports:oauthtoken sourcetype. For more information, see the OAuth Token Audit Activity Events topic in the Workspace Admin SDK documentation.
- authorize
- revoke
gws:reports:drive sourcetype. For more information, see the Drive Audit Activity Events topic in the Workspace Admin SDK documentation.
- add_to_folder
- change_document_access_scope
- change_document_access_scope_hierarchy_reconciled
- change_document_visibility
- change_document_visibility_hierarchy_reconciled
- change_user_access
- change_user_access_hierarchy_reconciled
- copy
- create
- delete
- download
- edit
- email_as_attachment
- move
- publish_change
- remove_from_folder
- rename
- shared_drive_membership_change
- sheets_import_range
- trash
- untrash
- upload
- view
gws:reports:admin sourcetype. For more information, see the Reports API: Admin Activity Report Event Names topic in the Workspace Admin SDK documentation.
- ADD_RECOVERY_EMAIL
- ADD_RECOVERY_PHONE
- ARCHIVE_USER
- AUTHORIZE_API_CLIENT_ACCESS
- CHANGE_PASSWORD
- CHANGE_PASSWORD_ON_NEXT_LOGIN
- CHANGE_RECOVERY_EMAIL
- CHANGE_RECOVERY_PHONE
- CREATE_EMAIL_MONITOR
- CREATE_USER
- DELETE_EMAIL_MONITOR
- DELETE_USER
- ENABLE_USER_IP_WHITELIST
- GENERATE_2SV_SCRATCH_CODES
- GMAIL_RESET_USER
- GRANT_ADMIN_PRIVILEGE
- GRANT_DELEGATED_ADMIN_PRIVILEGES
- MAIL_ROUTING_DESTINATION_ADDED
- MAIL_ROUTING_DESTINATION_REMOVED
- MOVE_USER_TO_ORG_UNIT
- REMOVE_RECOVERY_EMAIL
- REMOVE_RECOVERY_PHONE
- RENAME_USER
- REVOKE_ADMIN_PRIVILEGE
- SECURITY_KEY_REGISTERED_FOR_USER
- SUSPEND_USER
- TURN_OFF_2_STEP_VERIFICATION
- UNARCHIVE_USER
- UNBLOCK_USER_SESSION
- UNDELETE_USER
- UNENROLL_USER_FROM_STRONG_AUTH
- UNENROLL_USER_FROM_TITANIUM
- UNSUSPEND_USER
- USER_LICENSE_REVOKE
- USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD
Common Information Model mapping changes
The following table displays the changes to the Common Information Model (CIM) mapping for this add-on:
Sourcetype | Event name | Changes |
---|---|---|
gws:reports:login | login_success | Field authentication_method is now taken from login_type first and if there is nothing there, it is taken from login_challenge_method |
gws:reports:login | login_failure | Field authentication_method is now taken from login_type first and if there is nothing there, it is taken from login_challenge_method |
gws:reports:login | logout | Added dest_name field equal to Google Workspace |
gws:reports:oauthtoken | token_authorize | Added dest_url field equal to dest field |
gws:reports:oauthtoken | token_revoke | Field action was changed to modified from logoff |
gws:reports:admin | USER_LICENSE_REVOKE | Field object_attrs is now equal to USER_LICENSE |
gws:reports:admin | AUTHORIZE_API_CLIENT_ACCESS | Added dest_url field equal to dest field |
gws:reports:admin | DELETE_USER | Field object_attrs is now equal to USER_SETTINGS |
gws:reports:admin | SUSPEND_USER | Added dest_name field equal to dest |
gws:reports:admin | CHANGE_MOBILE_SETTING | Field dest is now taken from ORG_UNIT_NAME field |
gws:reports:admin | CREATE_USER | Added dest_name field equal to dest |
gws:reports:admin | ADD_TO_TRUSTED_OAUTH2_APPS | Field action was changed from modified to created |
Fixed issues
This is the first release of the Splunk Add-on for Google Workspace.
Version 2.0.0 of the Splunk Add-on for Google Workspace fixes the following issues:
Known issues
Version 2.0.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:
Third-party software attributions
Version 2.0.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
File:Third-party software attributions for the Splunk Add-on for Google Workspace2.0.0.pdf
Version 1.0.0
Version 1.0.0 of the Splunk Add-on for Google Workspace was released on September 1, 2021.
About this release
Version 1.0.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.0.x, 8.1.x, 8.2.x |
CIM | 4.18 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
Fixed issues
This is the first release of the Splunk Add-on for Google Workspace.
Known issues
Version 1.0.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:
Third-party software attributions
Version 1.0.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
File:Third-party software attributions for the Splunk Add-on for Google Workspace.pdf
This documentation applies to the following versions of Splunk® Supported Add-ons: released