Export log events to Google Security Operations to monitor insider risk

Supported editions for this feature: Enterprise Standard and Enterprise Plus.

You can export your Google Workspace log events to Google Security Operations (Google SecOps), a security analytics platform that helps your organization detect, investigate, and respond to security threats. To export log events to Google SecOps, you need to use the Google Admin console to connect Google Workspace to Google SecOps. 

Once you connect to Google SecOps, your log events are continuously exported to Google SecOps, where you can manage insider risk. To manage risk, you use rules that generate detections and alerts that help you identify risky user behaviors and anomalies related to data access and exfiltration. Learn more about Google SecOps.

After you export log events

After your data is exported to Google SecOps, you can sign in to your Google SecOps account to:

  • Search for any element in your log events, such as usernames, IP addresses, and sign-in events.
  • View all the alerts and Indicators of Compromise (IOCs) currently impacting your organization. 
  • Analyze any of the alerts.

Before you begin

  • Make sure you have a Google SecOps account. If you need an account, contact a Google Cloud sales specialist.
  • You need super administrator privileges to connect Google Workspace to Google SecOps.

Connect to Google SecOps to export log events

  1. Sign in with a super administrator account to the Google Admin console.

    If you aren’t using a super administrator account, you can’t complete these steps.

  2. In the Admin console, go to Menu > Reporting > Data integrations.

    Education administrators go to Menu > Reporting > BigQuery export, which opens the Data integrations page.

  3. Go to Google Security Operations export, and click Edit.
  4. Follow the steps to:
    1. Copy the Customer ID from your organization's Profile page.
    2. Go to Google Security Operations and click Settings > Google Workspace. Enter your Google Workspace customer ID and click Generate Token.
    3. Copy the Token and your Google Security Operations instance ID. (Your instance ID is the same as your customer ID.)
    4. Return to the Connect to Google Security Operations page in the Admin console, and enter the Token and Instance ID.
  5. Click Connect.

It can take up to 24 hours before data is exported to Google SecOps. After that, your organization's log events are continuously exported to Google SecOps. 

If you see a message that a connection couldn't be established, first check if the Google SecOps token and instance ID are correct. If they are, try connecting to Google SecOps again after a few minutes. If you still can't connect, contact Google Workspace support.

Disconnect from Google SecOps

If you no longer want to export log events to Google SecOps, you can disconnect your organization's Google Workspace account from Google SecOps. 

Note: When you disconnect from Google SecOps, your log events are not automatically deleted from Google SecOps. Use Google SecOps to delete the log events.

  1. Sign in with a super administrator account to the Google Admin console.

    If you aren’t using a super administrator account, you can’t complete these steps.

  2. In the Admin console, go to Menu > Reporting > Data integrations.

    Education administrators go to Menu > Reporting > BigQuery export, which opens the Data integrations page.

  3. Go to Google Security Operations export and click Disconnect from Google Security Operations.
