Enhance Your Security Posture with Splunk + Google Workspace

Partners Splunk

Business productivity and collaboration suites preferred by enterprise customers, such as Google Workspace, are central to an organization’s operation. In addition to storing sensitive org info, Google Workspace includes settings (e.g. Google Groups) which control access to sensitive data across a customer's entire Google Cloud org (Workspace & GCP).

Collecting and analyzing the audit logs generated by these services is the critical first step to detecting and investigating potential security incidents. With the launch of the Splunk Add-On for Google Workspace, Splunk customers now have a Splunk-supported, high-quality option for the collection and preparation of critical audit events from their Google Workspace deployment.

“The Splunk Add-on For Google Workspace enabled my customer to collect this critical data source at scale in a reliable and supported manner in Splunk Cloud.” - Brett Adams, Senior Technical Consultant, NTT

This first iteration of the Google Workspace integration is focused on utilizing the Reports API to collect foundational Activity Audit events including Admin, Login, OAuthToken, SAML and Google Drive. Google Workspace audit events are automatically tagged with proper sourcetypes which are compliant with the Splunk Common Information Model (CIM) and can be leveraged using premium Splunk apps like Splunk Enterprise Security. You can therefore continue to use existing Splunk security content and dashboards to analyze these events.

Google Workspace Activity Audit events can be used to detect indications of compromise and answer key investigation questions, including the following examples:


Splunk Enterprise Security Access Anomalies dashboard

Splunk is already working on the next major enhancement to the integration. The second iteration of the Google Workspace integration will be primarily focused on collection and preparation of Gmail metadata. The email body will not be collected or stored in Splunk, however, to both optimize storage and limit privacy concerns. Having Gmail header information in Splunk will support critical threat detections including phishing and exfiltration. We believe this capability, combined with the audit events included in the first release, will provide customers a solid body of security data.

We invite you to check out the new Splunk Add-On for Google Workspace and stay tuned – there's lots more Splunky goodness to come!

Thanks to Todd McFarlane-Smith, Yemi Falokun, and Roy Arsan from Google for their continued product collaboration and support for joint customers.

----------------------------------------------------
Thanks!
Mark Karlstrand

Related Articles

Insane in the Mainframe! Splunk and IBM Partner to Provide End-to-End Visibility for Joint Customers
Partners
2 Minute Read

Insane in the Mainframe! Splunk and IBM Partner to Provide End-to-End Visibility for Joint Customers

Splunk and IBM have partnered to help joint customers integrate IBM Z (Mainframe) Data and Insights into Splunk software for true end-to-end visibility
Monitor Salesforce’s Real-Time Events with Splunk
Partners
2 Minute Read

Monitor Salesforce’s Real-Time Events with Splunk

The power of the new Splunk integration with Salesforce's Real-Time Event Monitoring (RTEM) enables customers to track security concerns such as failed logins, suspicious login-as activities and high risk permission modifications. Find out more in this blog.
Splunk Leverages Intel's AI Technology to Power Video Insights
Partners
2 Minute Read

Splunk Leverages Intel's AI Technology to Power Video Insights

As companies awaken to the unbiased truth of machine data, they will increasingly recognize the key to transforming their business is correlating disparate data sets across their enterprise. At Splunk, our ecosystem is innovating with data every day, bringing new and exciting solutions that accelerate business at the speed of data inside the cloud or at the edge.