The Google Workspace Activities data connector provides the capability to ingest Activity Events from the Google Workspace API into Microsoft Sentinel.

| Attribute | Value |
|---|---|
| Resource types | - |
| Categories | Security |
| Solutions | SecurityInsights |
| Basic log | Yes |
| Ingestion-time transformation | No |
| Sample Queries | - |

| Column | Type | Description |
|---|---|---|
| AccountState | string | Parameter to indicate the account state on the device. |
| ActorApplicationInfoApplicationName | string | |
| ActorApplicationInfoImpersonation | bool | |
| ActorApplicationInfoOauthClientId | string | |
| ActorCallerType | string | |
| ActorEmail | string | |
| ActorIsCollaboratorAccount | bool | Indicates whether the actor is a collaborator account. |
| ActorKey | string | |
| ActorProfileId | string | |
| ApiKind | string | The kind of API request made. |
| ApplicationEdition | string | The Google Workspace edition. |
| ApplicationName | string | |
| AppName | string | |
| Billable | bool | Whether this activity is billable. |
| _BilledSize | real | The record size in bytes |
| BrowserVersion | string | |
| CalendarId | string | Calendar Id of the relevant calendar in context of this action (for example the calendar that an event is on, or a calendar being subscribed to). Usually takes the form of the user's email address. |
| ChromeOrgUnitId | string | |
| ClientId | string | Client ID to which access has been granted / revoked. |
| ClientType | string | |
| ContentHash | string | |
| ContentName | string | |
| ContentRiskLevel | string | |
| ContentSize | string | |
| ContentTransferMethod | string | |
| ContentType | string | |
| DestinationFolderId | string | The unique identifier of the destination folder. |
| DestinationFolderTitle | string | The title of the destination folder. |
| DestUserUpn | string | |
| DeviceId | string | |
| DeviceName | string | |
| DevicePlatform | string | |
| DeviceType | string | |
| DeviceUser | string | |
| DocId | string | The unique identifier of the document. |
| DocTitle | string | The title of the document. |
| DocType | string | The type of the document. |
| DstUserUpn | string | |
| DvcGuid | string | The unique identifier of the device used. |
| DvcInterfaceGuid | string | The unique identifier of the device interface. |
| DvcModelName | string | The model name of the device used. |
| DvcModelNumber | string | The model number of the device used. |
| DvcType | string | The type of the device used. |
| Etag | string | |
| EventEndTime | string | The end time of the event. |
| EventGuest | string | The email address of the event guest. |
| EventId | string | The unique identifier of the event. |
| EventMessage | string | The name of the event. |
| EventName | string | |
| EventOriginalMessage | string | An array representing a chain of events, where each element is a sub-event. |
| EventProduct | string | The product associated with the event. |
| EventResourceId | string | |
| EventResourceName | string | |
| EventResponseStatus | string | The response status of the event. |
| EventResult | string | |
| EventStartTime | string | The start time of the event. |
| EventTitle | string | The title of the event. |
| EventType | string | |
| EventUid | string | The unique identifier of the event. |
| EventVendor | string | The vendor of the event. |
| GroupDomain | string | The organizational unit (OU) name (path). |
| GroupEmail | string | |
| IdApplicationName | string | |
| IdCustomerId | string | |
| IdTime | string | |
| IdUniqueQualifier | string | |
| IosVendorId | string | The vendor ID for iOS devices. |
| IosVendorUID | string | The vendor UID for iOS devices. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account. |
| IsSecondFactor | bool | Indicates if the event involves a second-factor authentication attempt. |
| IsSuspicious | bool | Indicates if the event is considered suspicious. |
| Kind | string | |
| LastSyncAuditDate | string | The date of the last synchronization audit. |
| LoginChallengeMethod | string | The method used for the login challenge. |
| LoginChallengeStatus | string | The status of the login challenge. |
| LoginType | string | The type of credentials used to attempt login. |
| ModuleName | string | The new license for this product name. |
| NetworkInfoRegionCode | string | |
| NetworkInfoSubdivisionCode | string | |
| NetworkIpAsn | dynamic | |
| NewValue | string | |
| NotificationMessageId | string | The notification message Id. |
| NotificationMethod | string | The method used for the notification. |
| NotificationType | string | The type of notification. |
| OldEventTitle | string | If the title of a calendar event has been changed, this is the previous title of the event. |
| OldValue | string | |
| OldVisibility | string | Old Visibility of Target File. |
| OrganizerCalendarId | string | Calendar Id of this Event's organizer. |
| OrgUnitName | string | |
| OriginatingAppId | string | The Google Cloud Project ID of the application that performed the action. |
| OsProperty | string | Operating System properties. |
| Owner | string | The owner of the resource involved in the event. |
| OwnerDomain | string | |
| OwnerEmail | string | |
| OwnerIsSharedDrive | bool | Indicates if the owner is a shared drive. |
| OwnerIsTeamDrive | bool | Indicates if the owner is a team drive. |
| PrimaryEvent | bool | Indicates if the event is the primary event in a chain of events. |
| ProcessName | string | The unique name (ID) of the setting that was changed. |
| ProfileUserName | string | |
| RegisterPrivelege | string | Device Policy app's privilege on the user's device. |
| Resource_Id | string | The unique resource Id of the device. |
| ResourceDetails | dynamic | |
| RoleName | string | The unique name (ID) of the role assigned to the user. |
| RuleName | string | |
| ScanId | string | |
| Scope | string | The scope of the access request. |
| ScopeData | string | Additional data related to the scope. |
| SerialNumber | string | The serial number of the device. |
| SharedDriveId | string | |
| SourceFolderId | string | The ID of the source folder if the document is located in a shared drive. |
| SourceFolderTitle | string | The title of the source folder if the document is located in a shared drive. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent (either direct connect or Operations Manager), Linux for all Linux agents, or Azure for Azure Diagnostics. |
| SrcIpAddr | string | |
| TargetCalendarId | string | The ID of the calendar targeted by the event. |
| TargetDomain | string | |
| TargetUserDomain | string | The domain targeted by the event. |
| TargetUserName | string | The user targeted by the event. |
| TeamDriveId | string | |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | |
| Timestamp | string | |
| TriggerDestination | string | |
| TriggerSource | string | |
| TriggerType | string | |
| Type | string | The name of the table |
| Url | string | |
| UserAadid | string | This ID helps correlate events and activities to the correct Google Workspace tenant. |
| UserAgent | string | |
| UserAgentOriginal | string | The user agent from the request that triggered this action. |
| UserEmail | string | |
| Value | string | |
| VirtualDeviceId | string | |
| Visibility | string | |
| VisibilityChange | string | |