
Source types for the Splunk Add-on for Google Workspace
Source type | Description | CIM data models |
---|---|---|
gws:gmail | Gmail headers. | |
gws:reports:admin | Admin events based on application name. | Change, |
gws:reports:calendar | Calendar events based on application name. | Change |
gws:reports:context_aware_access | Context-aware access events based on application name. | Data Access |
gws:reports:drive | Drive events based on application name. | Change, |
gws:reports:gcp | Google Cloud Platform events based on application name. | Change |
gws:reports:groups_enterprise | Enterprise groups events based on application name. | Change |
gws:reports:login | Login events based on application name. | Alerts, Authentication, Change |
gws:reports:oauthtoken | Token events based on application name. | Authentication, Change |
gws:reports:saml | Security Assertion Markup Language (SAML) events based on application name. | Authentication |
gws:users:identity | Identities, users, and user accounts. | |

Google Workspace has two inputs available: "Activity report" and "Gmail Logs". Each input requires a different configuration of the service account used to authenticate with the Google Workspace API. Because the inputs require different permissions, it is recommended to use a separate service account for each input.
For information on formatting your collected asset or identity data into a lookup file so that it can be processed by Splunk Enterprise Security, see the Format an asset or identity list as a lookup in Splunk Enterprise Security topic in the Splunk Enterprise Security manual.
This documentation applies to the following versions of Splunk® Supported Add-ons: released