Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
The Google Workspace Activities data connector provides the capability to ingest Activity Events from Google Workspace API into Microsoft Sentinel.
Table attributes
| Attribute | Value |
|---|---|
| Resource types | - |
| Categories | Security |
| Solutions | SecurityInsights |
| Basic log | Yes |
| Ingestion-time transformation | No |
| Sample Queries | - |
Columns
| Column | Type | Description |
|---|---|---|
| AccountState | string | Parameter to indicate the account state on the device. |
| ActorCallerType | string | The type of actor. |
| ActorEmail | string | The email address of the actor. |
| ActorIsCollaboratorAccount | bool | Indicates whether the actor is a collaborator account. |
| ActorKey | string | Indicates the unique key of the actor. |
| ActorProfileId | string | The unique Google Workspace profile ID of the actor. |
| ApiKind | string | The kind of API request made. |
| ApplicationEdition | string | The Google Workspace edition. |
| ApplicationName | string | The application's name. |
| AppName | string | The name of the application making the API request. |
| Billable | bool | Whether this activity is billable. |
| _BilledSize | real | The record size in bytes |
| CalendarId | string | Calendar Id of the relevant calendar in context of this action (for example the calendar that an event is on, or a calendar being subscribed to). Usually takes the form of the user's email address. |
| ClientId | string | Client ID to which access has been granted / revoked. |
| ClientType | string | The type of client making the request. |
| DestinationFolderId | string | The unique identifier of the destination folder. |
| DestinationFolderTitle | string | The title of the destination folder. |
| DestUserUpn | string | |
| DocId | string | The unique identifier of the document. |
| DocTitle | string | The title of the document. |
| DocType | string | The type of the document. |
| DstUserUpn | string | |
| DvcGuid | string | The unique identifier of the device used. |
| DvcInterfaceGuid | string | The unique identifier of the device interface. |
| DvcModelName | string | The model name of the device used. |
| DvcModelNumber | string | The model number of the device used. |
| DvcType | string | The type of the device used. |
| Etag | string | An entity tag used for concurrency control. |
| EventEndTime | string | The end time of the event. |
| EventGuest | string | The email address of the event guest. |
| EventId | string | The unique identifier of the event. |
| EventMessage | string | The name of the event. |
| EventOriginalMessage | string | An array representing a chain of events, where each element is a sub-event. |
| EventProduct | string | The product associated with the event. |
| EventResponseStatus | string | The response status of the event. |
| EventStartTime | string | The start time of the event. |
| EventTitle | string | The title of the event. |
| EventType | string | The type of the event. |
| EventUid | string | The unique identifier of the event. |
| EventVendor | string | The vendor of the event. |
| GroupDomain | string | The organizational unit (OU) name (path). |
| IdApplicationName | string | The name of the application. |
| IosVendorId | string | The vendor ID for iOS devices. |
| IosVendorUID | string | The vendor UID for iOS devices. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| IsSecondFactor | bool | Indicates if the event involves a second-factor authentication attempt. |
| IsSuspicious | bool | Indicates if the event is considered suspicious. |
| LastSyncAuditDate | string | The date of the last synchronization audit. |
| LoginChallengeMethod | string | The method used for the login challenge. |
| LoginChallengeStatus | string | The status of the login challenge. |
| LoginType | string | The type of credentials used to attempt login. |
| ModuleName | string | The new license for this product name. |
| NeqValue | string | The new license SKU. |
| NotificationMessageId | string | The notification message Id. |
| NotificationMethod | string | The method used for the notification. |
| NotificationType | string | The type of notification. |
| OldEventTitle | string | If the title of a calendar event has been changed, this is the previous title of the event. |
| OldValue | string | The previous advertising option. |
| OldVisibility | string | Old Visibility of Target File. |
| OrganizerCalendarId | string | Calendar Id of this Event's organizer. |
| OriginatingAppId | string | The Google Cloud Project ID of the application that performed the action. |
| OsProperty | string | Operating System properties. |
| Owner | string | The owner of the resource involved in the event. |
| OwnerDomain | string | The domain of the owner of the resource involved in the event. |
| OwnerIsSharedDrive | bool | Indicates if the owner is a shared drive. |
| OwnerIsTeamDrive | bool | Indicates if the owner is a team drive. |
| PrimaryEvent | bool | Indicates if the event is the primary event in a chain of events. |
| ProcessName | string | The unique name (ID) of the setting that was changed. |
| RegisterPrivelege | string | Device Policy app's privilege on the user's device. |
| Resource_Id | string | The unique resource Id of the device. |
| RoleName | string | The unique name (ID) of the role assigned to the user. |
| Scope | string | The scope of the access request. |
| ScopeData | string | Additional data related to the scope. |
| SerialNumber | string | The serial number of the device. |
| SharedDriveId | string | The shared drive root ID if the document owner is a shared drive. |
| SourceFolderId | string | The ID of the source folder if the document is located in a shared drive. |
| SourceFolderTitle | string | The title of the source folder if the document is located in a shared drive. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| SrcIpAddr | string | The IP address from which the action was performed. |
| TargetCalendarId | string | The ID of the calendar targeted by the event. |
| TargetUserDomain | string | The domain targeted by the event. |
| TargetUserName | string | The user targeted by the event. |
| TeamDriveId | string | |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | |
| Type | string | The name of the table |
| UserAadid | string | This ID helps correlate events and activities to the correct Google Workspace tenant. |
| UserAgentOriginal | string | The user agent from the request that triggered this action. |
| UserEmail | string | The user's primary email address. |
| Visibility | string | Visibility associated with the event. |
| VisibilityChange | string |