Google Workspace Audit

Datable integrates with the Google Workspace Audit API to collect detailed audit logs across all Google Workspace services, providing comprehensive visibility into administrative actions, security events, and user activities.

How it works

The Google Workspace Audit integration uses the Admin SDK Reports API to collect audit events from your Google Workspace domain. This includes administrative changes, security events, data access logs, and service-specific activities across Gmail, Drive, Calendar, Meet, and other Workspace applications.

Prerequisites

  • Google Workspace Administrator access
  • Google Cloud Platform project
  • Service account with domain-wide delegation
  • Admin SDK API enabled

Setup Instructions

Step 1: Create a Google Cloud Project

  1. Go to Google Cloud Console
  2. Create a new project or select existing
  3. Note the Project ID for later use

Step 2: Enable Admin SDK API

  1. In Cloud Console, navigate to APIs & Services → Library
  2. Search for "Admin SDK API"
  3. Click on it and select Enable

Step 3: Create Service Account

  1. Navigate to IAM & Admin → Service Accounts
  2. Click Create Service Account
  3. Configure:
    • Name: "Datable Audit Integration"
    • Description: "Service account for Datable audit log collection"
  4. Click Create and Continue
  5. Skip optional permissions
  6. Click Done

Step 4: Create and Download Key

  1. Click on the created service account
  2. Navigate to Keys tab
  3. Click Add Key → Create new key
  4. Select JSON format
  5. Click Create to download the key file
  6. Store this file securely

Step 5: Enable Domain-Wide Delegation

  1. In the service account details, click Show Advanced Settings
  2. Under Domain-wide delegation, click View Client ID
  3. Copy the Client ID
  4. Check Enable Google Workspace Domain-wide Delegation
  5. Save changes

Step 6: Authorize in Google Workspace

  1. Go to Google Admin Console
  2. Navigate to Security → API Controls → Domain-wide delegation
  3. Click Add new
  4. Enter:
    • Client ID: From Step 5
    • OAuth Scopes:
      https://www.googleapis.com/auth/admin.reports.audit.readonly
      https://www.googleapis.com/auth/admin.directory.user.readonly
      https://www.googleapis.com/auth/admin.directory.group.readonly
  5. Click Authorize

Step 7: Configure Source in Datable

  1. Navigate to Sources in Datable
  2. Select Google Workspace Audit
  3. Provide configuration:
    • Source Name: Descriptive name
    • Service Account Key: Upload JSON key file
    • Admin Email: Super Admin email address
    • Domain: Your Google Workspace domain
    • Applications: Select which apps to monitor
  4. Click Save
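
What Steps 3 to 6 produce, seen from the client side: a preflight check of the key file and requested scopes, and the JWT claim set used for a delegated token, where `sub` names the admin being impersonated. This is an added example, not Datable's code; the key contents, e-mail addresses and function names are constructed, and the RS256 signature is left to an OAuth library.

```python
import base64
import json
import time

# Scopes listed in Step 6 of this page.
PAGE_SCOPES = {
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
}
REQUIRED_KEY_FIELDS = ("type", "client_email", "client_id", "private_key", "token_uri")

# Constructed sample key file contents (placeholder values, not a real key).
SAMPLE_KEY = {
    "type": "service_account",
    "client_email": "datable-audit@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
    "private_key": "<PEM private key placeholder>",
    "token_uri": "https://oauth2.googleapis.com/token",
}

def preflight(key, scopes):
    """Return a list of problems with the key file or the requested scopes."""
    problems = [f"key file missing field: {f}" for f in REQUIRED_KEY_FIELDS if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append("key type is not service_account")
    for scope in scopes:
        if not scope.endswith(".readonly"):
            problems.append(f"scope is not read-only: {scope}")
        elif scope not in PAGE_SCOPES:
            problems.append(f"scope not in the documented set: {scope}")
    return problems

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def delegation_claims(key, admin_email, scopes, now=None):
    """Claim set for a delegated token: 'sub' is the admin user being impersonated."""
    now = int(time.time()) if now is None else now
    return {"iss": key["client_email"], "sub": admin_email, "scope": " ".join(sorted(scopes)),
            "aud": key["token_uri"], "iat": now, "exp": now + 3600}

def signing_input(claims):
    """header.payload string that an OAuth library signs with RS256 using private_key."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join(b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
```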

Audit Events by Service

Admin Console Events

  • User management (creation, deletion, suspension)
  • Group management
  • Organizational unit changes
  • Admin role assignments
  • Security settings modifications
  • Domain settings changes
  • Device management actions

Gmail Events

  • Email sends and receives (metadata only)
  • Delegated access changes
  • Filter creation/modification
  • Forwarding configuration
  • IMAP/POP settings
  • Confidential mode usage

Drive Events

  • File creation, modification, deletion
  • Sharing and permission changes
  • External sharing events
  • Team Drive operations
  • File downloads and views
  • DLP rule violations
  • Ownership transfers

Calendar Events

  • Calendar creation and sharing
  • Event creation and modifications
  • Resource booking
  • External participant additions
  • Calendar delegation

Meet Events

  • Meeting creation and settings
  • Participant join/leave
  • Recording start/stop
  • Screen sharing events
  • Meeting quality issues
  • Breakout room activities

Vault Events

  • Matter creation and closure
  • Hold creation and release
  • Search and export operations
  • Retention rule changes

Mobile Device Events

  • Device enrollment
  • Device blocking/wiping
  • App installations
  • Policy applications

Configuration Options

Application Selection

Choose which applications to monitor:

  • Admin
  • Calendar
  • Drive
  • Gmail (Chat/Spaces)
  • Groups
  • Login
  • Meet
  • Mobile
  • Rules
  • Token
  • User Accounts
  • Vault

Event Filtering

Filter by event types:

  • Security events only
  • Administrative actions
  • User activities
  • External sharing
  • Specific event names

Historical Data

Configure initial data collection:

  • Maximum 180 days of historical data
  • Selective backfill by application
  • Date range specification

Polling Frequency

Set collection intervals:

  • Minimum: 5 minutes
  • Recommended: 15 minutes
  • Consider API quotas

Use Cases

Security Monitoring

  • Detect unauthorized admin actions
  • Monitor external sharing
  • Track suspicious login attempts
  • Identify data exfiltration
  • Monitor third-party app access

Compliance Auditing

  • Maintain audit trails for regulations
  • Track data access and modifications
  • Monitor privileged operations
  • Generate compliance reports
  • Document retention compliance

User Activity Analysis

  • Track productivity patterns
  • Monitor collaboration
  • Analyze adoption rates
  • Identify training needs

Incident Investigation

  • Trace security incidents
  • Investigate data breaches
  • Track insider threats
  • Document incident timeline

Advanced Features

Alert Rules

Configure alerts for:

  • Admin role changes
  • Mass data downloads
  • External sharing spikes
  • Failed login attempts
  • Suspicious IP addresses
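
A sketch of three of these rules (admin role changes, failed login bursts, mass downloads) run over records shaped like Reports API activity items. This is an added example, not Datable's rule engine; the sample records are constructed, the thresholds are illustrative, and the event and parameter names (`ASSIGN_ROLE`, `UNASSIGN_ROLE`, `login_failure`, `download`, `USER_EMAIL`) are assumptions to check against the events your domain actually emits.

```python
from collections import defaultdict
from datetime import datetime

ROLE_EVENTS = {"ASSIGN_ROLE", "UNASSIGN_ROLE"}  # admin-app event names (assumed; verify)

def activity(app, actor, ip, event, ts, **params):
    """Build a constructed record shaped like one Reports API activity item."""
    return {"id": {"time": ts, "applicationName": app}, "actor": {"email": actor},
            "ipAddress": ip,
            "events": [{"name": event,
                        "parameters": [{"name": k, "value": v} for k, v in params.items()]}]}

# Constructed sample data: one role grant, a failed-login burst, a quiet user, a download burst.
SAMPLE = (
    [activity("admin", "it@example.com", "203.0.113.7", "ASSIGN_ROLE",
              "2024-05-01T10:00:00Z", ROLE_NAME="Super Admin", USER_EMAIL="bob@example.com")]
    + [activity("login", "eve@example.com", "198.51.100.9", "login_failure",
                f"2024-05-01T10:0{i}:00Z") for i in range(6)]
    + [activity("login", "dave@example.com", "192.0.2.8", "login_failure",
                f"2024-05-01T10:0{i}:00Z") for i in range(2)]
    + [activity("drive", "carol@example.com", "192.0.2.4", "download",
                f"2024-05-01T11:00:0{i}Z", doc_id=f"doc{i}") for i in range(3)]
)

def burst(times, threshold, window):
    """True if any `window`-second span holds at least `threshold` timestamps."""
    times = sorted(times)
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))

def detect(activities, fail_threshold=5, download_threshold=3, window=600):
    alerts, fails, downloads = [], defaultdict(list), defaultdict(list)
    for act in activities:
        app, actor = act["id"]["applicationName"], act.get("actor", {}).get("email", "unknown")
        ts = datetime.fromisoformat(act["id"]["time"].replace("Z", "+00:00")).timestamp()
        for ev in act.get("events", []):
            params = {p["name"]: p.get("value") for p in ev.get("parameters", [])}
            if app == "admin" and ev["name"] in ROLE_EVENTS:
                alerts.append(("admin_role_change", actor, params.get("USER_EMAIL")))
            elif app == "login" and ev["name"] == "login_failure":
                fails[(actor, act.get("ipAddress"))].append(ts)
            elif app == "drive" and ev["name"] == "download":
                downloads[actor].append(ts)
    alerts += [("failed_logins", a, ip) for (a, ip), t in fails.items()
               if burst(t, fail_threshold, window)]
    alerts += [("mass_download", a, len(t)) for a, t in downloads.items()
               if burst(t, download_threshold, window)]
    return alerts
```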

Data Enrichment

Enhance events with:

  • User profile information
  • Group memberships
  • Organizational unit data
  • Device information
  • IP geolocation

Custom Reports

Generate reports for:

  • Executive summaries
  • Department activity
  • Security incidents
  • Compliance audits
  • License utilization

Troubleshooting

No Events Appearing

  1. Verify API is enabled:
    • Check Admin SDK API status in Cloud Console
  2. Validate service account:

       gcloud auth activate-service-account --key-file=key.json
       gcloud auth print-access-token

  3. Test API access:

       curl -H "Authorization: Bearer $(gcloud auth print-access-token)" \
         "https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin"

Authentication Errors

  • Verify domain-wide delegation is enabled
  • Check OAuth scopes are correctly authorized
  • Ensure admin email has Super Admin role
  • Validate service account key hasn't expired

Missing Events

  • Some events require specific Workspace editions
  • Check application-specific audit settings
  • Verify user has appropriate licenses
  • Review data retention settings (6 months for most events)

Rate Limiting

Google Workspace API limits:

  • 5 QPS per user
  • Daily quotas vary by edition

Handle with:

  • Request batching
  • Exponential backoff
  • Quota monitoring

Security Best Practices

Service Account Security

  • Store keys in secure vault
  • Rotate keys every 90 days
  • Use separate accounts per environment
  • Monitor key usage

Scope Management

  • Grant minimum required scopes
  • Use read-only scopes
  • Review scope usage regularly
  • Document scope requirements

Access Control

  • Limit domain-wide delegation
  • Use dedicated admin account
  • Enable 2FA for admins
  • Review admin audit logs

Data Protection

  • Encrypt keys at rest
  • Use secure channels
  • Implement data retention
  • Mask sensitive information

Performance Optimization

API Efficiency

  • Batch requests when possible
  • Use filters to reduce data
  • Implement incremental sync
  • Cache frequently accessed data
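
One way to combine the incremental sync listed here with the exponential backoff from the Rate Limiting section: page through the activity list from a `startTime` cursor, retry throttled requests, and drop records already seen. This is an added example, not Datable's collector; `fetch` is a hypothetical injected transport returning `(status, body)`, the pages are constructed, and treating only HTTP 429 and 503 as retryable is an assumption.

```python
import time

def poll(fetch, start_time, seen, max_retries=5, sleep=time.sleep):
    """Collect activities from start_time on; returns (new_items, next_start_time)."""
    items, page_token, newest = [], None, start_time
    while True:
        params = {"startTime": start_time, "maxResults": 1000}
        if page_token:
            params["pageToken"] = page_token
        for attempt in range(max_retries):
            status, body = fetch(params)
            if status not in (429, 503):
                break
            sleep(min(2 ** attempt, 60))  # exponential backoff: 1, 2, 4, ... seconds
        if status != 200:
            raise RuntimeError(f"Reports API request failed with HTTP {status}")
        for item in body.get("items", []):
            key = (item["id"]["time"], item["id"]["uniqueQualifier"])
            if key not in seen:  # startTime is inclusive, so boundary events repeat
                seen.add(key)
                items.append(item)
                newest = max(newest, item["id"]["time"])  # same-format timestamps sort as text
        page_token = body.get("nextPageToken")
        if not page_token:
            return items, newest

def fake_transport(pages):
    """Constructed stand-in for the HTTP call: one 429, then the given pages."""
    state = {"throttled": False}
    def fetch(params):
        if not state["throttled"]:
            state["throttled"] = True
            return 429, {}
        return 200, pages[params.get("pageToken", "first")]
    return fetch

def item(ts, qualifier):
    return {"id": {"time": ts, "uniqueQualifier": qualifier, "applicationName": "admin"}}

PAGES = {  # constructed two-page response, newest first
    "first": {"items": [item("2024-05-01T10:05:00.000Z", "2"),
                        item("2024-05-01T10:00:00.000Z", "1")], "nextPageToken": "p2"},
    "p2": {"items": [item("2024-05-01T09:55:00.000Z", "0")]},
}
```

Persist the returned cursor and the `seen` keys between runs, and prune keys older than the cursor so the set stays bounded.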

Data Volume Management

  • Filter unnecessary events
  • Aggregate similar events
  • Archive historical data
  • Implement sampling for high-volume events

Workspace Edition Features

Business Starter/Standard

  • Basic audit events
  • 6-month retention
  • Standard API quotas

Business Plus

  • Extended audit events
  • Advanced security insights
  • Higher API quotas
  • Vault integration

Enterprise

  • Complete audit coverage
  • BigQuery export
  • Advanced DLP events
  • Context-aware access logs

Integration Best Practices

  1. Start with Core Services: Begin with Admin and Drive audits
  2. Implement Gradually: Add services incrementally
  3. Test in Staging: Validate in non-production first
  4. Monitor API Usage: Track quota consumption
  5. Document Configuration: Maintain setup documentation
  6. Regular Reviews: Audit access and permissions quarterly
  7. Automate Alerts: Set up critical event notifications

Support

For additional support with the Google Workspace Audit integration, please contact the Datable support team or refer to the Google Workspace Admin SDK documentation.