Source types for the Splunk Add-on for Google Workspace

| Source type | Description | CIM data models |
| --- | --- | --- |
| gws:gmail | Gmail headers. | Email |
| gws:alerts | Google Workspace alerts. | Alerts |
| gws:reports:admin | Admin events based on application name. | Change, Data Access, Email |
| gws:reports:calendar | Calendar events based on application name. | Change |
| gws:reports:context_aware_access | Context-aware access events based on application name. | Data Access |
| gws:reports:drive | Drive events based on application name. | Change, Data Access |
| gws:reports:gcp | Google Cloud Platform events based on application name. | Change |
| gws:reports:groups_enterprise | Enterprise groups events based on application name. | Change |
| gws:reports:login | Login events based on application name. | Alerts, Authentication, Change |
| gws:reports:token | Token events based on application name. | Authentication, Change |
| gws:reports:rules | Rules events based on application name. | |
| gws:reports:saml | Security Assertion Markup Language (SAML) events based on application name. | Authentication |
| gws:users:identity | Identities, users, and user accounts. | |
| gws:reports:chat | Chat events based on application name. | Data Access |
| gws:reports:mobile | Device events based on application name. | Alerts, Authentication, Change, Endpoint, Updates |
| gws:reports:chrome | Chrome/Chrome OS events based on application name. | Alerts, Authentication, Change, Data Access |

Google Workspace has several inputs available. Each input requires a different configuration of the service account used to authenticate with the Google Workspace API. Splunk best practice is to configure each input with its own service account, because the inputs require different permissions.

For information on formatting your collected asset or identity data into a lookup file so that it can be processed by Splunk Enterprise Security, see the Format an asset or identity list as a lookup in Splunk Enterprise Security topic in the Splunk Enterprise Security manual.