Source types for the Splunk Add-on for Google Workspace
Source type | Description | CIM data models |
---|---|---|
gws:gmail | Gmail headers. | |
gws:alerts | Google Workspace alerts. | Alerts |
gws:reports:admin | Admin events based on application name. | Change, Data Access, Email |
gws:reports:calendar | Calendar events based on application name. | Change |
gws:reports:context_aware_access | Context-aware access events based on application name. | Data Access |
gws:reports:drive | Drive events based on application name. | Change, Data Access |
gws:reports:gcp | Google Cloud Platform events based on application name. | Change |
gws:reports:groups_enterprise | Enterprise groups events based on application name. | Change |
gws:reports:login | Login events based on application name. | Alerts, Authentication, Change |
gws:reports:token | Token events based on application name. | Authentication, Change |
gws:reports:rules | Rules events based on application name. | |
gws:reports:saml | Security Assertion Markup Language (SAML) events based on application name. | Authentication |
gws:users:identity | Identities, users, and user accounts. | |
gws:reports:chat | Chat events based on application name. | Data Access |
gws:reports:mobile | Device events based on application name. | Alerts, Authentication, Change, Endpoint, Updates |
gws:reports:chrome | Chrome/Chrome OS events based on application name. | Alerts, Authentication, Change, Data Access |

Google Workspace has several inputs available. Each input requires a different configuration of the service account used to authenticate with the Google Workspace API. Splunk best practice is to use a separate service account for each input, because each input requires different permissions for its service account to work.
For information on formatting your collected asset or identity data into a lookup file so that it can be processed by Splunk Enterprise Security, see the Format an asset or identity list as a lookup in Splunk Enterprise Security topic in the Splunk Enterprise Security manual.