Splunk® Supported Add-ons

Splunk Add-on for Google Workspace

Source types for the Splunk Add-on for Google Workspace

Source type Description CIM data models
gws:gmail Gmail headers. Email
gws:alerts Google Workspace alerts. Alerts
gws:reports:admin Admin events based on application name. Change,

Data Access, Email

gws:reports:calendar Calendar events based on application name. Change
gws:reports:context_aware_access Context-aware access events based on application name. Data Access
gws:reports:drive Drive events based on application name. Change,

Data Access

gws:reports:gcp Google Cloud Platform events based on application name. Change
gws:reports:groups_enterprise Enterprise groups events based on application name. Change
gws:reports:login Login events based on application name. Alerts, Authentication, Change
gws:reports:oauthtoken Token events based on application name. Authentication, Change
gws:reports:rules Rules events based on application name.
gws:reports:saml Security Assertion Markup Language (SAML) events based on application name. Authentication
gws:users:identity Identities, users, and user accounts.

Google Workspace has several inputs available. Each of the inputs require a different configuration of the service account used to authenticate with Google Workspace API. Splunk best practice is to use separate service accounts to configure each of the inputs because of the different permissions required for the service account to work.

For information on formatting your collected asset or identity data into a lookup file so that it can be processed by Splunk Enterprise Security, see the Format an asset or identity list as a lookup in Splunk Enterprise Security topic in the Splunk Enterprise Security manual.

Last modified on 12 April, 2024
Splunk Add-on for Google Workspace   Release notes for the Splunk Add-on for Google Workspace

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters