Google Workspace
Overview
This documentation outlines the configuration process for transferring Google Workspace audit logs to AlphaSOC for analysis. Through this integration, the Admin Activity and Data Access logs can be used for security monitoring and threat detection.
To enable log data transfers:
- Enable Google Workspace logging in your GCP environment.
- Export logs to Google Cloud Storage (GCS).
- Transfer data from GCS to AlphaSOC. For details, refer to Configuring GCS for submitting data.
Prerequisites
- Super administrator account in Google Cloud Platform (GCP).
- Google Cloud Storage (GCS) bucket.
Enable Google Workspace Logging
AlphaSOC collects Admin Activity and Data Access logs from Google Workspace.
- Sign in to Google Admin console.
- Navigate to Account > Account settings > Legal and compliance.
- Click Sharing options and select Enabled.
- Save your changes.
Exporting Logs to GCS via Sink
This part requires an existing GCS bucket. Please ensure you have created a storage bucket in GCS before proceeding with the sink configuration.
- In the GCP Console, navigate to the Logging > Logs Router.
- Click Create Sink.
- Enter a sink name.
- Select Cloud Storage bucket as the sink service and your GCS bucket as the sink destination.
- Under Choose logs to include in sink, select Include logs ingested by this organization and all child resources and add the following inclusion filters to capture Google Workspace logs:
LOG_ID("cloudaudit.googleapis.com/activity") OR LOG_ID("cloudaudit.googleapis.com/data_access")
- Click Create Sink to finalize.
Configure Data Transport
Configure AlphaSOC to ingest data from your Google Cloud Storage bucket. See Configuring GCS for submitting data.
Already collecting Google Workspace logs in a different storage solution? See Collecting Data for alternative transport methods, or contact AlphaSOC support.