Enhance Your Security Posture with Splunk + Google Workspace


Business productivity and collaboration suites preferred by enterprise customers, such as Google Workspace, are central to an organization’s operation. In addition to storing sensitive organizational information, Google Workspace includes settings (e.g. Google Groups) that control access to sensitive data across a customer's entire Google Cloud organization (Workspace and GCP).

Collecting and analyzing the audit logs generated by these services is the critical first step to detecting and investigating potential security incidents. With the launch of the Splunk Add-On for Google Workspace, Splunk customers now have a Splunk-supported, high-quality option for the collection and preparation of critical audit events from their Google Workspace deployment.

“The Splunk Add-on For Google Workspace enabled my customer to collect this critical data source at scale in a reliable and supported manner in Splunk Cloud.” - Brett Adams, Senior Technical Consultant, NTT

This first iteration of the Google Workspace integration is focused on utilizing the Reports API to collect foundational Activity Audit events including Admin, Login, OAuthToken, SAML and Google Drive. Google Workspace audit events are automatically tagged with proper sourcetypes which are compliant with the Splunk Common Information Model (CIM) and can be leveraged using premium Splunk apps like Splunk Enterprise Security. You can therefore continue to use existing Splunk security content and dashboards to analyze these events.
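To illustrate what CIM-style normalization of these events involves, here is an added example (not code from the add-on or from Splunk) that flattens Reports API login activity records into Authentication-style fields and counts failed logins per user and source IP. The field mapping, the threshold and the sample records are assumptions constructed for this illustration.

```python
from collections import Counter

def _login(time, email, ip, name):
    """Build a constructed record shaped like a Reports API login activity."""
    return {"id": {"time": time, "applicationName": "login"},
            "actor": {"email": email}, "ipAddress": ip,
            "events": [{"type": "login", "name": name,
                        "parameters": [{"name": "login_type",
                                        "value": "google_password"}]}]}

# Constructed sample data; users and addresses are made up.
SAMPLE_ACTIVITIES = [
    _login("2021-06-01T10:00:01Z", "alice@example.com", "203.0.113.7", "login_failure"),
    _login("2021-06-01T10:00:09Z", "alice@example.com", "203.0.113.7", "login_failure"),
    _login("2021-06-01T10:00:15Z", "alice@example.com", "203.0.113.7", "login_failure"),
    _login("2021-06-01T10:00:40Z", "alice@example.com", "203.0.113.7", "login_success"),
    _login("2021-06-01T10:05:00Z", "bob@example.com", "198.51.100.4", "login_failure"),
    # Record with no actor, IP or parameters, to show tolerant parsing.
    {"id": {"time": "2021-06-01T10:06:00Z", "applicationName": "login"},
     "events": [{"type": "login", "name": "logout"}]},
]

# Assumed mapping of login event names to the CIM Authentication `action` field.
ACTION_BY_EVENT = {"login_success": "success", "login_failure": "failure"}

def to_cim_authentication(activity):
    """Yield one Authentication-style dict per event in an activity record."""
    ident = activity.get("id", {})
    for event in activity.get("events", []):
        params = {p["name"]: p.get("value") for p in event.get("parameters", [])}
        yield {
            "_time": ident.get("time"),
            "app": ident.get("applicationName"),
            "user": activity.get("actor", {}).get("email", "unknown"),
            "src": activity.get("ipAddress", "unknown"),
            "action": ACTION_BY_EVENT.get(event.get("name"), "unknown"),
            "signature": event.get("name"),
            "authentication_method": params.get("login_type"),
        }

def failures_by_user_and_src(activities, threshold=3):
    """Return (user, src) pairs with at least `threshold` failed logins."""
    events = [e for a in activities for e in to_cim_authentication(a)]
    counts = Counter((e["user"], e["src"]) for e in events if e["action"] == "failure")
    return {pair: n for pair, n in counts.items() if n >= threshold}
```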

Google Workspace Activity Audit events can be used to detect indications of compromise and answer key investigation questions, including the following examples:


Splunk Enterprise Security Access Anomalies dashboard

Splunk is already working on the next major enhancement to the integration. The second iteration of the Google Workspace integration will focus primarily on the collection and preparation of Gmail metadata. To both optimize storage and limit privacy concerns, however, the email body will not be collected or stored in Splunk. Having Gmail header information in Splunk will support critical threat detections, including phishing and exfiltration. We believe this capability, combined with the audit events included in the first release, will provide customers a solid body of security data.

We invite you to check out the new Splunk Add-On for Google Workspace and stay tuned – there's lots more Splunky goodness to come!

Thanks to Todd McFarlane-Smith, Yemi Falokun, and Roy Arsan from Google for their continued product collaboration and support for joint customers.

----------------------------------------------------
Thanks!
Mark Karlstrand
