Google Workspace

Last Updated: Jun. 05, 2024

Overview

Google Workspace audit logs provide detailed records of user activities, such as logins, file sharing, and administrative actions. These logs help you understand how Google Workspace applications are being used, track changes, and monitor for suspicious behavior, enabling you to maintain a secure and efficient workspace.

Send audit logs from Google Workspace applications to Coralogix to enhance visibility into performance and usage patterns. By utilizing the Google Workspace integration, you can proactively resolve issues and optimize your Google Workspace environment, ensuring improved reliability, security, and efficiency.

Prerequisites

Required permissions

Users with the following permissions may view and/or manage integrations.

| Resource | Action | Description | Explanation |
|---|---|---|---|
| integrations | ReadConfig | View Deployed Integrations | View deployed integration packages. |
| integrations | Manage | Manage Integrations | Deploy, undeploy, and update integrations. |

Find out more about roles and permissions here.

Setup

STEP 1. Configure a Service Account and API Key to facilitate automated intermediation.

STEP 2. Set up Domain Wide Delegation to authorize your Service Account to read user data and send it to Coralogix. The following OAuth scopes are required:

https://www.googleapis.com/auth/admin.directory.user.readonly

https://www.googleapis.com/auth/admin.reports.audit.readonly

STEP 3. Navigate to the API & Services > Library screen. Select Admin SDK API and ensure it’s enabled.

STEP 4. From your Coralogix toolbar, navigate to Data Flow > Integrations. Select Google Workspace Users.

STEP 5. Click + ADD NEW.

STEP 6. If you haven’t already done so in STEP 1, click GO TO GCP ACCOUNT and create a key file. Then, click NEXT.

STEP 7. Click SELECT FILE and upload the key file you previously created.

STEP 8. A confirmation will appear when the file is uploaded successfully. Click NEXT.

STEP 9. Fill in the settings:

  • Integration name: Enter a name for your integration. This field is automatically populated, but can be changed if you want.
  • Application name: Enter the “Application Name”.
  • Subsystem name: The “Subsystem Name” will default to “Google Workspace” but may be modified.
  • Applications: Select the Google Workspace applications from the dropdown menu for which you would like to send audit logs to Coralogix.
  • Impersonated email: Enter a valid email address of a super admin user to be impersonated.

STEP 10. Click COMPLETE to finish the setup. It will take several minutes for the integration to take effect and for user data to be available.

Monitoring Google Workspace logs

Explore these use cases for effectively monitoring Google Workspace logs in the Coralogix platform.

View all user activities in Google Workspace

To view all activities performed by the user “john@bank.com” in Google Drive over the last 7 days, select the Application Name and Subsystem Name for the Google Workspace integration. In the Explore Screen, set the time range to the last 7 days and apply the following query:

ActorEmail:"john@bank.com" AND ApplicationName:"drive"

Alert on suspicious activity

To detect if a user downloads an unusual number of files from Google Drive, set an alert for when a user downloads more than 5 files within 10 minutes. Configure a standard alert with the following query:

ApplicationName:"drive" AND Event.Name:"download"

Set the threshold to at least 5 logs in 10 minutes and group by ActorEmail.
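
The alert condition above, replayed offline as an added example (not Coralogix code): a sliding 10-minute window per ActorEmail over constructed audit events, useful for tuning the threshold before enabling the alert. The `Timestamp` field name and the nested `Event` / `Name` layout are assumptions about the log shape, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
THRESHOLD = 5  # "at least 5 logs in 10 minutes"

def is_drive_download(event):
    # Mirrors the alert query: ApplicationName:"drive" AND Event.Name:"download"
    return (event.get("ApplicationName") == "drive"
            and event.get("Event", {}).get("Name") == "download")

def find_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {ActorEmail: time at which the threshold was first reached}."""
    matching = [(datetime.fromisoformat(e["Timestamp"]), e["ActorEmail"])
                for e in events
                if is_drive_download(e) and e.get("ActorEmail")]
    recent = defaultdict(deque)  # per-actor timestamps still inside the window
    alerts = {}
    for ts, actor in sorted(matching):
        q = recent[actor]
        q.append(ts)
        # Drop downloads older than the window (boundary is inclusive).
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and actor not in alerts:
            alerts[actor] = ts
    return alerts

def make_event(actor, minute, name="download", app="drive"):
    # Constructed sample event; "Timestamp" is an assumed field name.
    return {"Timestamp": f"2024-06-05T09:{minute:02d}:00",
            "ActorEmail": actor, "ApplicationName": app,
            "Event": {"Name": name}}

# Constructed sample data, not real audit logs.
SAMPLE = (
    [make_event("john@bank.com", m) for m in (0, 2, 3, 5, 8)]         # burst
    + [make_event("alice@bank.com", m) for m in (0, 12, 24, 36, 48)]  # spread out
    + [make_event("alice@bank.com", m, name="view") for m in range(49, 54)]
)

if __name__ == "__main__":
    for actor, when in find_bursts(SAMPLE).items():
        print(f"{actor} reached {THRESHOLD} Drive downloads by {when.isoformat()}")
```
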

View most active Google Workspace applications

To see statistics about the usage of your Google Workspace applications, create a horizontal bar chart widget in Custom Dashboards. Set the widget group-by parameter to Application.Name to display the top applications in Google Workspace.

Support

Need help?

Our world-class customer success team is available 24/7 to walk you through your setup and answer any questions that may come up.

Feel free to contact us via our in-app chat or by emailing support@coralogix.com.