Overview
Import your Google Workspace security logs in Datadog. Upon enabling this integration, Datadog automatically starts pulling in logs for the following Google Workspace services:
| Service | Description |
|---|
| Access Transparency | The Google Workspace Access Transparency activity reports return information about different types of Access Transparency activity events. |
| Admin | The Admin console application’s activity reports return account information about different types of administrator activity events. |
| Calendar | The Google Calendar application’s activity reports return information about various Calendar activity events. |
| Chrome | The Chrome activity report returns information about the ChromeOS activity of all of your account’s users. Each report uses the basic endpoint request and provides report-specific parameters such as logins, adding or removing users, or unsafe browsing events. |
| Context-Aware Access | The context-aware access activity report returns information about denials of application access to your account’s users. It uses the basic report endpoint request and provides specific parameters such as device ID and the application to which access was denied. |
| Drive | The Google Drive application’s activity reports return information about various Google Drive activity events. The Drive activity report is only available for Google Workspace Business customers. |
| Google Chat | The Chat activity report returns information about how your account’s users use and manage Spaces. Each report uses the basic endpoint request with report-specific parameters such as uploads or message operations. |
| Google Cloud | The Google Cloud activity report returns information about various activity events related to the Cloud OS Login API. |
| Google Keep | The Keep activity report returns information about how your account’s users manage and modify their notes. Each report uses the basic endpoint request with report-specific parameters such as attachment upload information or note operations. |
| Google Meet | The Meet activity report returns information about various aspects of call events. Each report uses the basic endpoint request with report-specific parameters such as abuse report data or livestream watch data. |
| Gplus | The Google+ application’s activity reports return information about various Google+ activity events. |
| Groups | The Google Groups application’s activity reports return information about various Groups activity events. |
| Enterprise Groups | The Enterprise Groups activity reports return information about various Enterprise group activity events. |
| Jamboard | The Jamboard activity report returns information about changes to Jamboard device settings. Each report uses the basic endpoint request with report-specific parameters such as licensing or device pairing settings. |
| Login | The Login application’s activity reports return account information about different types of Login activity events. |
| Mobile | The Mobile Audit activity reports return information about different types of Mobile Audit activity events. |
| Rules | The Rules activity reports return information about different types of Rules activity events. |
| Token | The Token application’s activity reports return account information about different types of Token activity events. |
| SAML | The SAML activity report returns information about the results of SAML login attempted. Each report uses the basic endpoint request with report-specific parameters such as the failure type and SAML application name. |
| User Accounts | The User Accounts application’s activity reports return account information about different types of User Accounts activity events. |
| Vault | The logs of actions performed in the Vault console, such as which users edited retention rules or downloaded export files. |
Setup
Installation
See the Google Workspace Admin SDK Reports API: Prerequisites documentation to confirm prerequisites before configuring the Datadog-Google Workspace integration.
Certain OAuth scopes may be required for setup, as documented in the Google Workspace Admin SDK Authorize Requests page. Follow the steps in that page’s configure OAuth consent section to define appropriate scoping.
Notes:
- Choose Reports API scopes to provide the minimum level of access required.
- You do not need to create access credentials for the app.
To configure the Datadog Google Workspace integration, click on the Connect a new Google Workspace domain button in your Datadog-Google Workspace integration tile and authorize Datadog to access the Google Workspace Admin API.
Data Collected
Logs
See the Google Workspace Admin SDK documentation for the full list of collected logs and their content.
Note: The Groups, Enterprise Groups, Login, Token, and Calendar logs are on a 90 minute crawler because of a limitation in how often Google polls these logs on their side. Logs from this integration are only forwarded every 1.5-2 hours.
Metrics
The Google Workspace integration does not include any metrics.
Events
The Google Workspace integration does not include any events.
Service Checks
The Google Workspace integration does not include any Service Checks.
Troubleshooting
Need help? Contact Datadog support.
