Google Workspace

Cyderes can ingest your Google Workspace logs via a GCS bucket. The best practice is to create two sinks, one for alerts and one for activities. Use the linked Workspace log filters to populate each sink's inclusion filter, depending on whether the sink is for alerts or activities.

Chronicle Data Types

  • WORKSPACE_ACTIVITY
  • WORKSPACE_ALERTS

Configuration

  1. Create a new GCS bucket for the Workspace logs to be stored in. A pre-existing GCS bucket may be used. GCP Guide.

  2. In GCP, Workspace logs are not enabled by default. Follow this Workspace Log Sharing Guide to enable them.

  3. In GCP, create a log sink and build the inclusion filter.

  4. Once Workspace logging is working and confirmed to be flowing into the GCS bucket, follow the GCP GCS Bucket guide to configure the GCS bucket so that Cyderes can access the logs.

Workspace Activities

Alternatively, you can forward data from your Google Workspace to Chronicle, provided you are using a Google Workspace Enterprise Standard or Enterprise Plus edition. For detailed instructions on using Chronicle's integration with Google Workspace, consult this guide.

Note

This method only supports ingestion of Google Workspace Activities.