Business productivity and collaboration suites preferred by enterprise customers, such as Google Workspace, are central to an organization’s operation. In addition to storing sensitive org info, Google Workspace includes settings (e.g. Google Groups) which control access to sensitive data across a customer's entire Google Cloud org (Workspace & GCP).
Collecting and analyzing the audit logs generated by these services is the critical first step to detecting and investigating potential security incidents. With the launch of the Splunk Add-On for Google Workspace, Splunk customers now have a Splunk-supported, high-quality option for the collection and preparation of critical audit events from their Google Workspace deployment.
“The Splunk Add-on For Google Workspace enabled my customer to collect this critical data source at scale in a reliable and supported manner in Splunk Cloud.” - Brett Adams, Senior Technical Consultant, NTT
This first iteration of the Google Workspace integration is focused on utilizing the Reports API to collect foundational Activity Audit events including Admin, Login, OAuthToken, SAML and Google Drive. Google Workspace audit events are automatically tagged with proper sourcetypes which are compliant with the Splunk Common Information Model (CIM) and can be leveraged using premium Splunk apps like Splunk Enterprise Security. You can therefore continue to use existing Splunk security content and dashboards to analyze these events.
Google Workspace Activity Audit events can be used to detect indications of compromise and answer key investigation questions, including the following examples:
- What users have had more than 3 login failures in the last 24 hours?
- How many user accounts have been suspended in the last month?
- What user accounts have been deleted in the last month?
Splunk Enterprise Security Access Anomalies dashboard
Splunk is already working on the next major enhancement to the integration. The second iteration of the Google Workspace integration will be primarily focused on collection and preparation of Gmail metadata. The email body will not be collected or stored in Splunk, however, to both optimize storage and limit privacy concerns. Having Gmail header information in Splunk will support critical threat detections including phishing and exfiltration. We believe this capability, combined with the audit events included in the first release, will provide customers a solid body of security data.
We invite you to check out the new Splunk Add-On for Google Workspace and stay tuned – there's lots more Splunky goodness to come!
Thanks to Todd McFarlane-Smith, Yemi Falokun, and Roy Arsan from Google for their continued product collaboration and support for joint customers.