Export log events to Google Security Operations to monitor insider risk

Supported editions for this feature: Enterprise Standard and Enterprise Plus.

You can export your Google Workspace log events to Google Security Operations (Google SecOps), a security analytics platform that helps your organization detect, investigate, and respond to security threats. You connect Google Workspace to Google SecOps from the Google Admin console.

After you connect, your log events are continuously exported to Google SecOps, where you can manage insider risk. You do this with rules that generate detections and alerts, which help you identify risky user behaviors and anomalies related to data access and exfiltration. Learn more about Google SecOps.

After you export log events

After your data is exported to Google SecOps, you can sign in to your Google SecOps account to:

  • Search for any element in your log events, such as usernames, IP addresses, and sign-in events.
  • View all the alerts and Indicators of Compromise (IOCs) currently impacting your organization. 
  • Analyze any of the alerts.

Before you begin

  • Make sure you have a Google SecOps account. If you need an account, contact a Google Cloud sales specialist.
  • You need super administrator privileges to connect Google Workspace to Google SecOps.

Connect to Google SecOps to export log events

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Reporting and then Data integrations.

    Education administrators go to Menu and then Reporting and then BigQuery export, which opens the Data integrations page.

  3. Go to Google Security Operations export, and click Edit.
  4. Follow the steps to:
    1. Copy the Customer ID from your organization's Profile page.
    2. Go to Google Security Operations and click Settings and then Google Workspace. Enter your Google Workspace customer ID and click Generate Token.
    3. Copy the Token and your Google Security Operations instance ID. (Your instance ID is the same as your Google SecOps customer ID.) Treat the token as a credential: don't paste it into tickets, chat, or documentation.
    4. Return to the Connect to Google Security Operations page in the Admin console, and enter the Token and Instance ID.
  5. Click Connect.

It can take up to 24 hours before data is exported to Google SecOps. After that, your organization's log events are continuously exported to Google SecOps. 

If you see a message that a connection couldn't be established, first check that the Google SecOps token and instance ID are correct. If they are, wait a few minutes and try connecting again. If you still can't connect, contact Google Workspace support.

Disconnect from Google SecOps

If you no longer want to export log events to Google SecOps, you can disconnect your organization's Google Workspace account from Google SecOps. 

Note: When you disconnect from Google SecOps, your log events are not automatically deleted from Google SecOps. Use Google SecOps to delete the log events.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Reporting and then Data integrations.

    Education administrators go to Menu and then Reporting and then BigQuery export, which opens the Data integrations page.

  3. Go to Google Security Operations export and click Disconnect from Google Security Operations.

FAQ


Which log events are exported to Google SecOps?

The following is the key log event data that's supported:

  • Admins
  • Chrome
  • Classroom
  • Cloud Search
  • Data export (admin)
  • Data Studio
  • Devices
  • Gmail
  • Google Calendar
  • Google Chat
  • Google Drive
  • Google Groups
  • Google Groups for Business
  • Google Keep
  • Google Meet
  • Google Takeout
  • Google Voice
  • Jamboard management
  • Login
  • OAuth
  • Rules
  • SAML
  • Users

Can I select which log events to export to Google SecOps?

No, all supported log events are exported to Google SecOps.

When can I use log event data after it's logged in the Admin console?

Once log event data is created, it's streamed to Google SecOps.

Note: For information about how long it can take before data is available for log events, see Data retention and lag times.

Are log events that were created before I connected to Google SecOps also exported?

No, only log events that were created in the Admin console after you connect to Google SecOps are exported.

Are exported log events converted to a different format in Google SecOps?

Yes, Google SecOps converts all exported log events to Unified Data Model (UDM), which lets Google SecOps run complex queries and rules against your data.

Which rules can I use in Google SecOps to perform risk management?

Google SecOps provides prebuilt rules, called Google SecOps Rule Sets, that you can turn on individually to detect threats to your organization. These rules generate detections, some of which might be alerts, with risk scores. The Google Workspace Rule Sets in Google SecOps help you investigate insider risk and data exfiltration. Learn more about Rule Sets.

Is there a cost to export log event data to Google SecOps?

If you use the export feature, standard Google SecOps terms and pricing apply. For details, contact your sales representative.
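The two FAQ answers above about UDM conversion and Rule Sets describe what happens to the exported events once they arrive. The following is an added example (not from this Help page, and not Google SecOps code) that mimics both steps on a small scale: raw Workspace activity events, constructed here in the shape of an Admin SDK Reports API activities.list response, are flattened into one uniform record per sub-event (a simplified stand-in for UDM; the flat field names are assumptions, not the real UDM schema), and a small exfiltration-style rule fires when a user downloads several Drive files and then widens a document's visibility to "people with link" inside a short window. The event names, parameters, thresholds, and the rule name are assumptions chosen for the demonstration.

```python
"""Illustrative insider-risk rule over Google Workspace log events.

Added example, not from the Help page and not Google SecOps code. The raw
events are constructed by hand in the shape of an Admin SDK Reports API
activities.list response. normalize() flattens them into a uniform record
(a simplified stand-in for UDM; field names are assumptions), and the rule
below fires on bulk download followed by a link-share within a window.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def _raw(time, app, user, ip, ev_type, name, **params):
    """Build one constructed Reports API-style activity record (sample data)."""
    return {"id": {"time": time, "applicationName": app},
            "actor": {"email": user}, "ipAddress": ip,
            "events": [{"type": ev_type, "name": name,
                        "parameters": [{"name": k, "value": v}
                                       for k, v in params.items()]}]}


# Constructed sample events, not real log data. alice signs in, downloads
# three files in quick succession and then makes one of them link-shareable;
# bob performs a single download hours later and must not fire the rule.
SAMPLE_EVENTS = [
    _raw("2024-05-01T09:00:00.000Z", "login", "alice@example.com", "203.0.113.7",
         "login", "login_success"),
    _raw("2024-05-01T09:02:00.000Z", "drive", "alice@example.com", "203.0.113.7",
         "access", "download", doc_title="Q3 forecast.xlsx"),
    _raw("2024-05-01T09:03:00.000Z", "drive", "alice@example.com", "203.0.113.7",
         "access", "download", doc_title="customer list.csv"),
    _raw("2024-05-01T09:04:00.000Z", "drive", "alice@example.com", "203.0.113.7",
         "access", "download", doc_title="roadmap.pdf"),
    _raw("2024-05-01T09:06:00.000Z", "drive", "alice@example.com", "203.0.113.7",
         "acl_change", "change_document_visibility",
         doc_title="customer list.csv", visibility="people_with_link"),
    _raw("2024-05-01T14:00:00.000Z", "drive", "bob@example.com", "198.51.100.2",
         "access", "download", doc_title="lunch menu.pdf"),
]


def normalize(raw):
    """Yield one flat record per sub-event of a Reports API activity record.

    The flat field names are a simplified stand-in for UDM (assumption).
    """
    ts = datetime.strptime(raw["id"]["time"], "%Y-%m-%dT%H:%M:%S.%fZ")
    ts = ts.replace(tzinfo=timezone.utc)
    for ev in raw["events"]:
        params = {p["name"]: p.get("value") for p in ev.get("parameters", [])}
        yield {
            "ts": ts,
            "product": raw["id"]["applicationName"],
            "event_type": ev["type"] + "." + ev["name"],
            "principal_user": raw["actor"]["email"],
            "principal_ip": raw.get("ipAddress"),
            "target_resource": params.get("doc_title"),
            "visibility": params.get("visibility"),
        }


def detect_bulk_download_then_share(records, window=timedelta(minutes=10),
                                    min_downloads=3):
    """Fire when a user downloads >= min_downloads files inside `window` and
    then, still inside the window, widens a document to people_with_link.
    `records` must be sorted by timestamp."""
    recent = defaultdict(deque)  # user -> timestamps of recent downloads
    detections = []
    for r in records:
        user = r["principal_user"]
        q = recent[user]
        while q and r["ts"] - q[0] > window:  # drop downloads outside the window
            q.popleft()
        if r["event_type"] == "access.download":
            q.append(r["ts"])
        elif (r["event_type"] == "acl_change.change_document_visibility"
              and r["visibility"] == "people_with_link"
              and len(q) >= min_downloads):
            detections.append({
                "rule": "bulk_download_then_public_share",
                "user": user,
                "ip": r["principal_ip"],
                "downloads_in_window": len(q),
                "shared_document": r["target_resource"],
                "ts": r["ts"].isoformat(),
            })
    return detections


def run_rules(raw_events):
    """Normalize a batch of raw events, order them by time, and run the rule."""
    records = sorted((rec for raw in raw_events for rec in normalize(raw)),
                     key=lambda rec: rec["ts"])
    return detect_bulk_download_then_share(records)


if __name__ == "__main__":
    for d in run_rules(SAMPLE_EVENTS):
        print(d)
```

Running the block prints one detection for alice (three downloads, then "customer list.csv" made link-shareable) and none for bob. The rule keys only on fields that are the same for every product after normalization (user, timestamp, event type), which is the reason a platform converts everything to one model first: the same logic can then be reused across Drive, Gmail, or Chat events without rewriting it per log source.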
