Source types for the Splunk Add-on for Google Workspace
Source type | Description | CIM data models |
---|---|---|
gws:gmail | Gmail headers. | |
gws:alerts | Google Workspace alerts. | Alerts |
gws:reports:admin | Admin events based on application name. | Change, |
gws:reports:calendar | Calendar events based on application name. | Change |
gws:reports:context_aware_access | Context-aware access events based on application name. | Data Access |
gws:reports:drive | Drive events based on application name. | Change, |
gws:reports:gcp | Google Cloud Platform events based on application name. | Change |
gws:reports:groups_enterprise | Enterprise groups events based on application name. | Change |
gws:reports:login | Login events based on application name. | Alerts, Authentication, Change |
gws:reports:oauthtoken | Token events based on application name. | Authentication, Change |
gws:reports:rules | Rules events based on application name. | |
gws:reports:saml | Security Assertion Markup Language (SAML) events based on application name. | Authentication |
gws:users:identity | Identities, users, and user accounts. | |
Google Workspace has several inputs available. Each input requires a different configuration of the service account used to authenticate with the Google Workspace API. Because the inputs require different permissions, Splunk best practice is to configure each input with its own service account.
For information on formatting your collected asset or identity data into a lookup file so that it can be processed by Splunk Enterprise Security, see the "Format an asset or identity list as a lookup in Splunk Enterprise Security" topic in the Splunk Enterprise Security manual.
This documentation applies to the following versions of Splunk® Supported Add-ons: released