Google Workspace Reports

Solution: GoogleWorkspaceReports

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Attribute	Value
Publisher	Microsoft Corporation
Support Tier	Microsoft
Support Link	https://support.microsoft.com/
Categories	domains
Version	3.0.4
Author	Microsoft - support@microsoft.com
First Published	2022-01-24
Last Updated	2026-03-27
Solution Folder	GoogleWorkspaceReports
Marketplace	Azure Marketplace · Rating: ★☆☆☆☆ 1.0/5 (1 ratings) · Popularity: 🔵 Medium (72%)

The Google Workspace solution for Microsoft Sentinel enables you to ingest Google Workspace Activity events into Microsoft Sentinel.

Underlying Microsoft Technologies used:

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

• Microsoft Sentinel Codeless Connector Framework

Data Connectors
Tables Used
Content Items

Data Connectors

This solution provides 1 data connector(s) (plus 1 discovered⚠️):

🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.

🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Tables Used

This solution uses 23 table(s):

Table	Used By Connectors	Used By Content
`GWorkspace_ReportsAPI_access_transparency_CL` 🔶	[DEPRECATED] Google Workspace (G Suite)	Analytics, Hunting, Workbooks
`GWorkspace_ReportsAPI_admin_CL` 🔶	[DEPRECATED] Google Workspace (G Suite)	Analytics, Hunting, Workbooks
`GWorkspace_ReportsAPI_calendar_CL` 🔶	[DEPRECATED] Google Workspace (G Suite)	Analytics, Hunting, Workbooks
`GWorkspace_ReportsAPI_chat_CL` 🔶	[DEPRECATED] Google Workspace (G Suite)	Analytics, Hunting, Workbooks
`GWorkspace_ReportsAPI_chrome_CL` 🔶	[DEPRECATED] Google Workspace (G Suite)	Analytics, Hunting, Workbooks
`GWorkspace_ReportsAPI_context_aware_access_CL` 🔶	[DEPRECATED] Google Workspace (G Suite)	Analytics, Hunting, Workbooks
`GWorkspace_ReportsAPI_data_studio_CL` 🔶	[DEPRECATED] Google Workspace (G Suite)	Analytics, Hunting, Workbooks
`GWorkspace_ReportsAPI_drive_CL` 🔶	[DEPRECATED] Google Workspace (G Suite)	Analytics, Hunting, Workbooks
`GWorkspace_ReportsAPI_gcp_CL` 🔶	[DEPRECATED] Google Workspace (G Suite)	Analytics, Hunting, Workbooks
`GWorkspace_ReportsAPI_gplus_CL` 🔶	[DEPRECATED] Google Workspace (G Suite)	Analytics, Hunting, Workbooks
`GWorkspace_ReportsAPI_groups_CL` 🔶	[DEPRECATED] Google Workspace (G Suite)	Analytics, Hunting, Workbooks
`GWorkspace_ReportsAPI_groups_enterprise_CL` 🔶	[DEPRECATED] Google Workspace (G Suite)	Analytics, Hunting, Workbooks
`GWorkspace_ReportsAPI_jamboard_CL` 🔶	[DEPRECATED] Google Workspace (G Suite)	Analytics, Hunting, Workbooks
`GWorkspace_ReportsAPI_keep_CL` 🔶	[DEPRECATED] Google Workspace (G Suite)	Analytics, Hunting, Workbooks
`GWorkspace_ReportsAPI_login_CL` 🔶	[DEPRECATED] Google Workspace (G Suite)	Analytics, Hunting, Workbooks
`GWorkspace_ReportsAPI_meet_CL` 🔶	[DEPRECATED] Google Workspace (G Suite)	Analytics, Hunting, Workbooks
`GWorkspace_ReportsAPI_mobile_CL` 🔶	[DEPRECATED] Google Workspace (G Suite)	Analytics, Hunting, Workbooks
`GWorkspace_ReportsAPI_rules_CL` 🔶	[DEPRECATED] Google Workspace (G Suite)	Analytics, Hunting, Workbooks
`GWorkspace_ReportsAPI_saml_CL` 🔶	[DEPRECATED] Google Workspace (G Suite)	Analytics, Hunting, Workbooks
`GWorkspace_ReportsAPI_token_CL` 🔶	[DEPRECATED] Google Workspace (G Suite)	Analytics, Hunting, Workbooks
`GWorkspace_ReportsAPI_user_accounts_CL` 🔶	[DEPRECATED] Google Workspace (G Suite)	Analytics, Hunting, Workbooks
`GoogleWorkspaceReports`	Google Workspace Activities (via Codeless Connector Framework)	-
`GoogleWorkspaceReports_CL` 🔶	[DEPRECATED] Google Workspace (G Suite)	Analytics, Hunting, Workbooks

🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Content Items

This solution includes 26 content item(s) (24 in solution, 2 discovered 🔍):

Content Type	Total	In Solution	Discovered
Hunting Queries	14	12	2
Analytic Rules	10	10	-
Workbooks	1	1	-
Parsers	1	1	-

Analytic Rules

Name	Severity	Tactics	Tables Used
GWorkspace - API Access Granted	Medium	DefenseEvasion, LateralMovement	`GWorkspace_ReportsAPI_access_transparency_CL` `GWorkspace_ReportsAPI_admin_CL` `GWorkspace_ReportsAPI_calendar_CL` `GWorkspace_ReportsAPI_chat_CL` `GWorkspace_ReportsAPI_chrome_CL` `GWorkspace_ReportsAPI_context_aware_access_CL` `GWorkspace_ReportsAPI_data_studio_CL` `GWorkspace_ReportsAPI_drive_CL` `GWorkspace_ReportsAPI_gcp_CL` `GWorkspace_ReportsAPI_gplus_CL` `GWorkspace_ReportsAPI_groups_CL` `GWorkspace_ReportsAPI_groups_enterprise_CL` `GWorkspace_ReportsAPI_jamboard_CL` `GWorkspace_ReportsAPI_keep_CL` `GWorkspace_ReportsAPI_login_CL` `GWorkspace_ReportsAPI_meet_CL` `GWorkspace_ReportsAPI_mobile_CL` `GWorkspace_ReportsAPI_rules_CL` `GWorkspace_ReportsAPI_saml_CL` `GWorkspace_ReportsAPI_token_CL` `GWorkspace_ReportsAPI_user_accounts_CL` `GoogleWorkspaceReports_CL`
GWorkspace - Admin permissions granted	High	Persistence	`GWorkspace_ReportsAPI_access_transparency_CL` `GWorkspace_ReportsAPI_admin_CL` `GWorkspace_ReportsAPI_calendar_CL` `GWorkspace_ReportsAPI_chat_CL` `GWorkspace_ReportsAPI_chrome_CL` `GWorkspace_ReportsAPI_context_aware_access_CL` `GWorkspace_ReportsAPI_data_studio_CL` `GWorkspace_ReportsAPI_drive_CL` `GWorkspace_ReportsAPI_gcp_CL` `GWorkspace_ReportsAPI_gplus_CL` `GWorkspace_ReportsAPI_groups_CL` `GWorkspace_ReportsAPI_groups_enterprise_CL` `GWorkspace_ReportsAPI_jamboard_CL` `GWorkspace_ReportsAPI_keep_CL` `GWorkspace_ReportsAPI_login_CL` `GWorkspace_ReportsAPI_meet_CL` `GWorkspace_ReportsAPI_mobile_CL` `GWorkspace_ReportsAPI_rules_CL` `GWorkspace_ReportsAPI_saml_CL` `GWorkspace_ReportsAPI_token_CL` `GWorkspace_ReportsAPI_user_accounts_CL` `GoogleWorkspaceReports_CL`
GWorkspace - Alert events	High	InitialAccess	`GWorkspace_ReportsAPI_access_transparency_CL` `GWorkspace_ReportsAPI_admin_CL` `GWorkspace_ReportsAPI_calendar_CL` `GWorkspace_ReportsAPI_chat_CL` `GWorkspace_ReportsAPI_chrome_CL` `GWorkspace_ReportsAPI_context_aware_access_CL` `GWorkspace_ReportsAPI_data_studio_CL` `GWorkspace_ReportsAPI_drive_CL` `GWorkspace_ReportsAPI_gcp_CL` `GWorkspace_ReportsAPI_gplus_CL` `GWorkspace_ReportsAPI_groups_CL` `GWorkspace_ReportsAPI_groups_enterprise_CL` `GWorkspace_ReportsAPI_jamboard_CL` `GWorkspace_ReportsAPI_keep_CL` `GWorkspace_ReportsAPI_login_CL` `GWorkspace_ReportsAPI_meet_CL` `GWorkspace_ReportsAPI_mobile_CL` `GWorkspace_ReportsAPI_rules_CL` `GWorkspace_ReportsAPI_saml_CL` `GWorkspace_ReportsAPI_token_CL` `GWorkspace_ReportsAPI_user_accounts_CL` `GoogleWorkspaceReports_CL`
GWorkspace - An Outbound Relay has been added to a G Suite Domain	Medium	Collection	`GWorkspace_ReportsAPI_access_transparency_CL` `GWorkspace_ReportsAPI_admin_CL` `GWorkspace_ReportsAPI_calendar_CL` `GWorkspace_ReportsAPI_chat_CL` `GWorkspace_ReportsAPI_chrome_CL` `GWorkspace_ReportsAPI_context_aware_access_CL` `GWorkspace_ReportsAPI_data_studio_CL` `GWorkspace_ReportsAPI_drive_CL` `GWorkspace_ReportsAPI_gcp_CL` `GWorkspace_ReportsAPI_gplus_CL` `GWorkspace_ReportsAPI_groups_CL` `GWorkspace_ReportsAPI_groups_enterprise_CL` `GWorkspace_ReportsAPI_jamboard_CL` `GWorkspace_ReportsAPI_keep_CL` `GWorkspace_ReportsAPI_login_CL` `GWorkspace_ReportsAPI_meet_CL` `GWorkspace_ReportsAPI_mobile_CL` `GWorkspace_ReportsAPI_rules_CL` `GWorkspace_ReportsAPI_saml_CL` `GWorkspace_ReportsAPI_token_CL` `GWorkspace_ReportsAPI_user_accounts_CL` `GoogleWorkspaceReports_CL`
GWorkspace - Multiple user agents for single source	Medium	Persistence, Collection	`GWorkspace_ReportsAPI_access_transparency_CL` `GWorkspace_ReportsAPI_admin_CL` `GWorkspace_ReportsAPI_calendar_CL` `GWorkspace_ReportsAPI_chat_CL` `GWorkspace_ReportsAPI_chrome_CL` `GWorkspace_ReportsAPI_context_aware_access_CL` `GWorkspace_ReportsAPI_data_studio_CL` `GWorkspace_ReportsAPI_drive_CL` `GWorkspace_ReportsAPI_gcp_CL` `GWorkspace_ReportsAPI_gplus_CL` `GWorkspace_ReportsAPI_groups_CL` `GWorkspace_ReportsAPI_groups_enterprise_CL` `GWorkspace_ReportsAPI_jamboard_CL` `GWorkspace_ReportsAPI_keep_CL` `GWorkspace_ReportsAPI_login_CL` `GWorkspace_ReportsAPI_meet_CL` `GWorkspace_ReportsAPI_mobile_CL` `GWorkspace_ReportsAPI_rules_CL` `GWorkspace_ReportsAPI_saml_CL` `GWorkspace_ReportsAPI_token_CL` `GWorkspace_ReportsAPI_user_accounts_CL` `GoogleWorkspaceReports_CL`
GWorkspace - Possible brute force attack	Medium	CredentialAccess	`GWorkspace_ReportsAPI_access_transparency_CL` `GWorkspace_ReportsAPI_admin_CL` `GWorkspace_ReportsAPI_calendar_CL` `GWorkspace_ReportsAPI_chat_CL` `GWorkspace_ReportsAPI_chrome_CL` `GWorkspace_ReportsAPI_context_aware_access_CL` `GWorkspace_ReportsAPI_data_studio_CL` `GWorkspace_ReportsAPI_drive_CL` `GWorkspace_ReportsAPI_gcp_CL` `GWorkspace_ReportsAPI_gplus_CL` `GWorkspace_ReportsAPI_groups_CL` `GWorkspace_ReportsAPI_groups_enterprise_CL` `GWorkspace_ReportsAPI_jamboard_CL` `GWorkspace_ReportsAPI_keep_CL` `GWorkspace_ReportsAPI_login_CL` `GWorkspace_ReportsAPI_meet_CL` `GWorkspace_ReportsAPI_mobile_CL` `GWorkspace_ReportsAPI_rules_CL` `GWorkspace_ReportsAPI_saml_CL` `GWorkspace_ReportsAPI_token_CL` `GWorkspace_ReportsAPI_user_accounts_CL` `GoogleWorkspaceReports_CL`
GWorkspace - Possible maldoc file name in Google drive	Medium	InitialAccess	`GWorkspace_ReportsAPI_access_transparency_CL` `GWorkspace_ReportsAPI_admin_CL` `GWorkspace_ReportsAPI_calendar_CL` `GWorkspace_ReportsAPI_chat_CL` `GWorkspace_ReportsAPI_chrome_CL` `GWorkspace_ReportsAPI_context_aware_access_CL` `GWorkspace_ReportsAPI_data_studio_CL` `GWorkspace_ReportsAPI_drive_CL` `GWorkspace_ReportsAPI_gcp_CL` `GWorkspace_ReportsAPI_gplus_CL` `GWorkspace_ReportsAPI_groups_CL` `GWorkspace_ReportsAPI_groups_enterprise_CL` `GWorkspace_ReportsAPI_jamboard_CL` `GWorkspace_ReportsAPI_keep_CL` `GWorkspace_ReportsAPI_login_CL` `GWorkspace_ReportsAPI_meet_CL` `GWorkspace_ReportsAPI_mobile_CL` `GWorkspace_ReportsAPI_rules_CL` `GWorkspace_ReportsAPI_saml_CL` `GWorkspace_ReportsAPI_token_CL` `GWorkspace_ReportsAPI_user_accounts_CL` `GoogleWorkspaceReports_CL`
GWorkspace - Two-step authentification disabled for a user	Medium	CredentialAccess	`GWorkspace_ReportsAPI_access_transparency_CL` `GWorkspace_ReportsAPI_admin_CL` `GWorkspace_ReportsAPI_calendar_CL` `GWorkspace_ReportsAPI_chat_CL` `GWorkspace_ReportsAPI_chrome_CL` `GWorkspace_ReportsAPI_context_aware_access_CL` `GWorkspace_ReportsAPI_data_studio_CL` `GWorkspace_ReportsAPI_drive_CL` `GWorkspace_ReportsAPI_gcp_CL` `GWorkspace_ReportsAPI_gplus_CL` `GWorkspace_ReportsAPI_groups_CL` `GWorkspace_ReportsAPI_groups_enterprise_CL` `GWorkspace_ReportsAPI_jamboard_CL` `GWorkspace_ReportsAPI_keep_CL` `GWorkspace_ReportsAPI_login_CL` `GWorkspace_ReportsAPI_meet_CL` `GWorkspace_ReportsAPI_mobile_CL` `GWorkspace_ReportsAPI_rules_CL` `GWorkspace_ReportsAPI_saml_CL` `GWorkspace_ReportsAPI_token_CL` `GWorkspace_ReportsAPI_user_accounts_CL` `GoogleWorkspaceReports_CL`
GWorkspace - Unexpected OS update	Medium	DefenseEvasion, Persistence	`GWorkspace_ReportsAPI_access_transparency_CL` `GWorkspace_ReportsAPI_admin_CL` `GWorkspace_ReportsAPI_calendar_CL` `GWorkspace_ReportsAPI_chat_CL` `GWorkspace_ReportsAPI_chrome_CL` `GWorkspace_ReportsAPI_context_aware_access_CL` `GWorkspace_ReportsAPI_data_studio_CL` `GWorkspace_ReportsAPI_drive_CL` `GWorkspace_ReportsAPI_gcp_CL` `GWorkspace_ReportsAPI_gplus_CL` `GWorkspace_ReportsAPI_groups_CL` `GWorkspace_ReportsAPI_groups_enterprise_CL` `GWorkspace_ReportsAPI_jamboard_CL` `GWorkspace_ReportsAPI_keep_CL` `GWorkspace_ReportsAPI_login_CL` `GWorkspace_ReportsAPI_meet_CL` `GWorkspace_ReportsAPI_mobile_CL` `GWorkspace_ReportsAPI_rules_CL` `GWorkspace_ReportsAPI_saml_CL` `GWorkspace_ReportsAPI_token_CL` `GWorkspace_ReportsAPI_user_accounts_CL` `GoogleWorkspaceReports_CL`
GWorkspace - User access has been changed	Low	Persistence	`GWorkspace_ReportsAPI_access_transparency_CL` `GWorkspace_ReportsAPI_admin_CL` `GWorkspace_ReportsAPI_calendar_CL` `GWorkspace_ReportsAPI_chat_CL` `GWorkspace_ReportsAPI_chrome_CL` `GWorkspace_ReportsAPI_context_aware_access_CL` `GWorkspace_ReportsAPI_data_studio_CL` `GWorkspace_ReportsAPI_drive_CL` `GWorkspace_ReportsAPI_gcp_CL` `GWorkspace_ReportsAPI_gplus_CL` `GWorkspace_ReportsAPI_groups_CL` `GWorkspace_ReportsAPI_groups_enterprise_CL` `GWorkspace_ReportsAPI_jamboard_CL` `GWorkspace_ReportsAPI_keep_CL` `GWorkspace_ReportsAPI_login_CL` `GWorkspace_ReportsAPI_meet_CL` `GWorkspace_ReportsAPI_mobile_CL` `GWorkspace_ReportsAPI_rules_CL` `GWorkspace_ReportsAPI_saml_CL` `GWorkspace_ReportsAPI_token_CL` `GWorkspace_ReportsAPI_user_accounts_CL` `GoogleWorkspaceReports_CL`

Hunting Queries

Name	Tactics	Tables Used
GWorkspace - Document Copied from Share Drive to Private Drive ⚠️	Exfiltration, Impact	`GWorkspace_ReportsAPI_access_transparency_CL` `GWorkspace_ReportsAPI_admin_CL` `GWorkspace_ReportsAPI_calendar_CL` `GWorkspace_ReportsAPI_chat_CL` `GWorkspace_ReportsAPI_chrome_CL` `GWorkspace_ReportsAPI_context_aware_access_CL` `GWorkspace_ReportsAPI_data_studio_CL` `GWorkspace_ReportsAPI_drive_CL` `GWorkspace_ReportsAPI_gcp_CL` `GWorkspace_ReportsAPI_gplus_CL` `GWorkspace_ReportsAPI_groups_CL` `GWorkspace_ReportsAPI_groups_enterprise_CL` `GWorkspace_ReportsAPI_jamboard_CL` `GWorkspace_ReportsAPI_keep_CL` `GWorkspace_ReportsAPI_login_CL` `GWorkspace_ReportsAPI_meet_CL` `GWorkspace_ReportsAPI_mobile_CL` `GWorkspace_ReportsAPI_rules_CL` `GWorkspace_ReportsAPI_saml_CL` `GWorkspace_ReportsAPI_token_CL` `GWorkspace_ReportsAPI_user_accounts_CL` `GoogleWorkspaceReports_CL`
GWorkspace - Document shared externally	Exfiltration, Impact	`GWorkspace_ReportsAPI_access_transparency_CL` `GWorkspace_ReportsAPI_admin_CL` `GWorkspace_ReportsAPI_calendar_CL` `GWorkspace_ReportsAPI_chat_CL` `GWorkspace_ReportsAPI_chrome_CL` `GWorkspace_ReportsAPI_context_aware_access_CL` `GWorkspace_ReportsAPI_data_studio_CL` `GWorkspace_ReportsAPI_drive_CL` `GWorkspace_ReportsAPI_gcp_CL` `GWorkspace_ReportsAPI_gplus_CL` `GWorkspace_ReportsAPI_groups_CL` `GWorkspace_ReportsAPI_groups_enterprise_CL` `GWorkspace_ReportsAPI_jamboard_CL` `GWorkspace_ReportsAPI_keep_CL` `GWorkspace_ReportsAPI_login_CL` `GWorkspace_ReportsAPI_meet_CL` `GWorkspace_ReportsAPI_mobile_CL` `GWorkspace_ReportsAPI_rules_CL` `GWorkspace_ReportsAPI_saml_CL` `GWorkspace_ReportsAPI_token_CL` `GWorkspace_ReportsAPI_user_accounts_CL` `GoogleWorkspaceReports_CL`
GWorkspace - Document shared publicy in web	Exfiltration, Impact	`GWorkspace_ReportsAPI_access_transparency_CL` `GWorkspace_ReportsAPI_admin_CL` `GWorkspace_ReportsAPI_calendar_CL` `GWorkspace_ReportsAPI_chat_CL` `GWorkspace_ReportsAPI_chrome_CL` `GWorkspace_ReportsAPI_context_aware_access_CL` `GWorkspace_ReportsAPI_data_studio_CL` `GWorkspace_ReportsAPI_drive_CL` `GWorkspace_ReportsAPI_gcp_CL` `GWorkspace_ReportsAPI_gplus_CL` `GWorkspace_ReportsAPI_groups_CL` `GWorkspace_ReportsAPI_groups_enterprise_CL` `GWorkspace_ReportsAPI_jamboard_CL` `GWorkspace_ReportsAPI_keep_CL` `GWorkspace_ReportsAPI_login_CL` `GWorkspace_ReportsAPI_meet_CL` `GWorkspace_ReportsAPI_mobile_CL` `GWorkspace_ReportsAPI_rules_CL` `GWorkspace_ReportsAPI_saml_CL` `GWorkspace_ReportsAPI_token_CL` `GWorkspace_ReportsAPI_user_accounts_CL` `GoogleWorkspaceReports_CL`
GWorkspace - Document shared publicy with link	Exfiltration, Impact	`GWorkspace_ReportsAPI_access_transparency_CL` `GWorkspace_ReportsAPI_admin_CL` `GWorkspace_ReportsAPI_calendar_CL` `GWorkspace_ReportsAPI_chat_CL` `GWorkspace_ReportsAPI_chrome_CL` `GWorkspace_ReportsAPI_context_aware_access_CL` `GWorkspace_ReportsAPI_data_studio_CL` `GWorkspace_ReportsAPI_drive_CL` `GWorkspace_ReportsAPI_gcp_CL` `GWorkspace_ReportsAPI_gplus_CL` `GWorkspace_ReportsAPI_groups_CL` `GWorkspace_ReportsAPI_groups_enterprise_CL` `GWorkspace_ReportsAPI_jamboard_CL` `GWorkspace_ReportsAPI_keep_CL` `GWorkspace_ReportsAPI_login_CL` `GWorkspace_ReportsAPI_meet_CL` `GWorkspace_ReportsAPI_mobile_CL` `GWorkspace_ReportsAPI_rules_CL` `GWorkspace_ReportsAPI_saml_CL` `GWorkspace_ReportsAPI_token_CL` `GWorkspace_ReportsAPI_user_accounts_CL` `GoogleWorkspaceReports_CL`
GWorkspace - License Revoke and Assignment to User ⚠️	Exfiltration	`GWorkspace_ReportsAPI_access_transparency_CL` `GWorkspace_ReportsAPI_admin_CL` `GWorkspace_ReportsAPI_calendar_CL` `GWorkspace_ReportsAPI_chat_CL` `GWorkspace_ReportsAPI_chrome_CL` `GWorkspace_ReportsAPI_context_aware_access_CL` `GWorkspace_ReportsAPI_data_studio_CL` `GWorkspace_ReportsAPI_drive_CL` `GWorkspace_ReportsAPI_gcp_CL` `GWorkspace_ReportsAPI_gplus_CL` `GWorkspace_ReportsAPI_groups_CL` `GWorkspace_ReportsAPI_groups_enterprise_CL` `GWorkspace_ReportsAPI_jamboard_CL` `GWorkspace_ReportsAPI_keep_CL` `GWorkspace_ReportsAPI_login_CL` `GWorkspace_ReportsAPI_meet_CL` `GWorkspace_ReportsAPI_mobile_CL` `GWorkspace_ReportsAPI_rules_CL` `GWorkspace_ReportsAPI_saml_CL` `GWorkspace_ReportsAPI_token_CL` `GWorkspace_ReportsAPI_user_accounts_CL` `GoogleWorkspaceReports_CL`
GWorkspace - Multi IP addresses by user	InitialAccess	`GWorkspace_ReportsAPI_access_transparency_CL` `GWorkspace_ReportsAPI_admin_CL` `GWorkspace_ReportsAPI_calendar_CL` `GWorkspace_ReportsAPI_chat_CL` `GWorkspace_ReportsAPI_chrome_CL` `GWorkspace_ReportsAPI_context_aware_access_CL` `GWorkspace_ReportsAPI_data_studio_CL` `GWorkspace_ReportsAPI_drive_CL` `GWorkspace_ReportsAPI_gcp_CL` `GWorkspace_ReportsAPI_gplus_CL` `GWorkspace_ReportsAPI_groups_CL` `GWorkspace_ReportsAPI_groups_enterprise_CL` `GWorkspace_ReportsAPI_jamboard_CL` `GWorkspace_ReportsAPI_keep_CL` `GWorkspace_ReportsAPI_login_CL` `GWorkspace_ReportsAPI_meet_CL` `GWorkspace_ReportsAPI_mobile_CL` `GWorkspace_ReportsAPI_rules_CL` `GWorkspace_ReportsAPI_saml_CL` `GWorkspace_ReportsAPI_token_CL` `GWorkspace_ReportsAPI_user_accounts_CL` `GoogleWorkspaceReports_CL`
GWorkspace - Possible SCAM/SPAM or Phishing via Calendar	InitialAccess	`GWorkspace_ReportsAPI_access_transparency_CL` `GWorkspace_ReportsAPI_admin_CL` `GWorkspace_ReportsAPI_calendar_CL` `GWorkspace_ReportsAPI_chat_CL` `GWorkspace_ReportsAPI_chrome_CL` `GWorkspace_ReportsAPI_context_aware_access_CL` `GWorkspace_ReportsAPI_data_studio_CL` `GWorkspace_ReportsAPI_drive_CL` `GWorkspace_ReportsAPI_gcp_CL` `GWorkspace_ReportsAPI_gplus_CL` `GWorkspace_ReportsAPI_groups_CL` `GWorkspace_ReportsAPI_groups_enterprise_CL` `GWorkspace_ReportsAPI_jamboard_CL` `GWorkspace_ReportsAPI_keep_CL` `GWorkspace_ReportsAPI_login_CL` `GWorkspace_ReportsAPI_meet_CL` `GWorkspace_ReportsAPI_mobile_CL` `GWorkspace_ReportsAPI_rules_CL` `GWorkspace_ReportsAPI_saml_CL` `GWorkspace_ReportsAPI_token_CL` `GWorkspace_ReportsAPI_user_accounts_CL` `GoogleWorkspaceReports_CL`
GWorkspace - Rare document types by users	InitialAccess	`GWorkspace_ReportsAPI_access_transparency_CL` `GWorkspace_ReportsAPI_admin_CL` `GWorkspace_ReportsAPI_calendar_CL` `GWorkspace_ReportsAPI_chat_CL` `GWorkspace_ReportsAPI_chrome_CL` `GWorkspace_ReportsAPI_context_aware_access_CL` `GWorkspace_ReportsAPI_data_studio_CL` `GWorkspace_ReportsAPI_drive_CL` `GWorkspace_ReportsAPI_gcp_CL` `GWorkspace_ReportsAPI_gplus_CL` `GWorkspace_ReportsAPI_groups_CL` `GWorkspace_ReportsAPI_groups_enterprise_CL` `GWorkspace_ReportsAPI_jamboard_CL` `GWorkspace_ReportsAPI_keep_CL` `GWorkspace_ReportsAPI_login_CL` `GWorkspace_ReportsAPI_meet_CL` `GWorkspace_ReportsAPI_mobile_CL` `GWorkspace_ReportsAPI_rules_CL` `GWorkspace_ReportsAPI_saml_CL` `GWorkspace_ReportsAPI_token_CL` `GWorkspace_ReportsAPI_user_accounts_CL` `GoogleWorkspaceReports_CL`
GWorkspace - Shared private document	Exfiltration, Impact	`GWorkspace_ReportsAPI_access_transparency_CL` `GWorkspace_ReportsAPI_admin_CL` `GWorkspace_ReportsAPI_calendar_CL` `GWorkspace_ReportsAPI_chat_CL` `GWorkspace_ReportsAPI_chrome_CL` `GWorkspace_ReportsAPI_context_aware_access_CL` `GWorkspace_ReportsAPI_data_studio_CL` `GWorkspace_ReportsAPI_drive_CL` `GWorkspace_ReportsAPI_gcp_CL` `GWorkspace_ReportsAPI_gplus_CL` `GWorkspace_ReportsAPI_groups_CL` `GWorkspace_ReportsAPI_groups_enterprise_CL` `GWorkspace_ReportsAPI_jamboard_CL` `GWorkspace_ReportsAPI_keep_CL` `GWorkspace_ReportsAPI_login_CL` `GWorkspace_ReportsAPI_meet_CL` `GWorkspace_ReportsAPI_mobile_CL` `GWorkspace_ReportsAPI_rules_CL` `GWorkspace_ReportsAPI_saml_CL` `GWorkspace_ReportsAPI_token_CL` `GWorkspace_ReportsAPI_user_accounts_CL` `GoogleWorkspaceReports_CL`
GWorkspace - Suspended users	Impact	`GWorkspace_ReportsAPI_access_transparency_CL` `GWorkspace_ReportsAPI_admin_CL` `GWorkspace_ReportsAPI_calendar_CL` `GWorkspace_ReportsAPI_chat_CL` `GWorkspace_ReportsAPI_chrome_CL` `GWorkspace_ReportsAPI_context_aware_access_CL` `GWorkspace_ReportsAPI_data_studio_CL` `GWorkspace_ReportsAPI_drive_CL` `GWorkspace_ReportsAPI_gcp_CL` `GWorkspace_ReportsAPI_gplus_CL` `GWorkspace_ReportsAPI_groups_CL` `GWorkspace_ReportsAPI_groups_enterprise_CL` `GWorkspace_ReportsAPI_jamboard_CL` `GWorkspace_ReportsAPI_keep_CL` `GWorkspace_ReportsAPI_login_CL` `GWorkspace_ReportsAPI_meet_CL` `GWorkspace_ReportsAPI_mobile_CL` `GWorkspace_ReportsAPI_rules_CL` `GWorkspace_ReportsAPI_saml_CL` `GWorkspace_ReportsAPI_token_CL` `GWorkspace_ReportsAPI_user_accounts_CL` `GoogleWorkspaceReports_CL`
GWorkspace - Uncommon user agent strings	Persistence, Collection	`GWorkspace_ReportsAPI_access_transparency_CL` `GWorkspace_ReportsAPI_admin_CL` `GWorkspace_ReportsAPI_calendar_CL` `GWorkspace_ReportsAPI_chat_CL` `GWorkspace_ReportsAPI_chrome_CL` `GWorkspace_ReportsAPI_context_aware_access_CL` `GWorkspace_ReportsAPI_data_studio_CL` `GWorkspace_ReportsAPI_drive_CL` `GWorkspace_ReportsAPI_gcp_CL` `GWorkspace_ReportsAPI_gplus_CL` `GWorkspace_ReportsAPI_groups_CL` `GWorkspace_ReportsAPI_groups_enterprise_CL` `GWorkspace_ReportsAPI_jamboard_CL` `GWorkspace_ReportsAPI_keep_CL` `GWorkspace_ReportsAPI_login_CL` `GWorkspace_ReportsAPI_meet_CL` `GWorkspace_ReportsAPI_mobile_CL` `GWorkspace_ReportsAPI_rules_CL` `GWorkspace_ReportsAPI_saml_CL` `GWorkspace_ReportsAPI_token_CL` `GWorkspace_ReportsAPI_user_accounts_CL` `GoogleWorkspaceReports_CL`
GWorkspace - Unknown login type	InitialAccess, DefenseEvasion, LateralMovement	`GWorkspace_ReportsAPI_access_transparency_CL` `GWorkspace_ReportsAPI_admin_CL` `GWorkspace_ReportsAPI_calendar_CL` `GWorkspace_ReportsAPI_chat_CL` `GWorkspace_ReportsAPI_chrome_CL` `GWorkspace_ReportsAPI_context_aware_access_CL` `GWorkspace_ReportsAPI_data_studio_CL` `GWorkspace_ReportsAPI_drive_CL` `GWorkspace_ReportsAPI_gcp_CL` `GWorkspace_ReportsAPI_gplus_CL` `GWorkspace_ReportsAPI_groups_CL` `GWorkspace_ReportsAPI_groups_enterprise_CL` `GWorkspace_ReportsAPI_jamboard_CL` `GWorkspace_ReportsAPI_keep_CL` `GWorkspace_ReportsAPI_login_CL` `GWorkspace_ReportsAPI_meet_CL` `GWorkspace_ReportsAPI_mobile_CL` `GWorkspace_ReportsAPI_rules_CL` `GWorkspace_ReportsAPI_saml_CL` `GWorkspace_ReportsAPI_token_CL` `GWorkspace_ReportsAPI_user_accounts_CL` `GoogleWorkspaceReports_CL`
GWorkspace - User reported calendar invite as spam	InitialAccess	`GWorkspace_ReportsAPI_access_transparency_CL` `GWorkspace_ReportsAPI_admin_CL` `GWorkspace_ReportsAPI_calendar_CL` `GWorkspace_ReportsAPI_chat_CL` `GWorkspace_ReportsAPI_chrome_CL` `GWorkspace_ReportsAPI_context_aware_access_CL` `GWorkspace_ReportsAPI_data_studio_CL` `GWorkspace_ReportsAPI_drive_CL` `GWorkspace_ReportsAPI_gcp_CL` `GWorkspace_ReportsAPI_gplus_CL` `GWorkspace_ReportsAPI_groups_CL` `GWorkspace_ReportsAPI_groups_enterprise_CL` `GWorkspace_ReportsAPI_jamboard_CL` `GWorkspace_ReportsAPI_keep_CL` `GWorkspace_ReportsAPI_login_CL` `GWorkspace_ReportsAPI_meet_CL` `GWorkspace_ReportsAPI_mobile_CL` `GWorkspace_ReportsAPI_rules_CL` `GWorkspace_ReportsAPI_saml_CL` `GWorkspace_ReportsAPI_token_CL` `GWorkspace_ReportsAPI_user_accounts_CL` `GoogleWorkspaceReports_CL`
GWorkspace - Users with several devices	InitialAcces	`GWorkspace_ReportsAPI_access_transparency_CL` `GWorkspace_ReportsAPI_admin_CL` `GWorkspace_ReportsAPI_calendar_CL` `GWorkspace_ReportsAPI_chat_CL` `GWorkspace_ReportsAPI_chrome_CL` `GWorkspace_ReportsAPI_context_aware_access_CL` `GWorkspace_ReportsAPI_data_studio_CL` `GWorkspace_ReportsAPI_drive_CL` `GWorkspace_ReportsAPI_gcp_CL` `GWorkspace_ReportsAPI_gplus_CL` `GWorkspace_ReportsAPI_groups_CL` `GWorkspace_ReportsAPI_groups_enterprise_CL` `GWorkspace_ReportsAPI_jamboard_CL` `GWorkspace_ReportsAPI_keep_CL` `GWorkspace_ReportsAPI_login_CL` `GWorkspace_ReportsAPI_meet_CL` `GWorkspace_ReportsAPI_mobile_CL` `GWorkspace_ReportsAPI_rules_CL` `GWorkspace_ReportsAPI_saml_CL` `GWorkspace_ReportsAPI_token_CL` `GWorkspace_ReportsAPI_user_accounts_CL` `GoogleWorkspaceReports_CL`

Workbooks

Name Tables Used

Name	Tables Used
GoogleWorkspace	`GWorkspace_ReportsAPI_access_transparency_CL` `GWorkspace_ReportsAPI_admin_CL` `GWorkspace_ReportsAPI_calendar_CL` `GWorkspace_ReportsAPI_chat_CL` `GWorkspace_ReportsAPI_chrome_CL` `GWorkspace_ReportsAPI_context_aware_access_CL` `GWorkspace_ReportsAPI_data_studio_CL` `GWorkspace_ReportsAPI_drive_CL` `GWorkspace_ReportsAPI_gcp_CL` `GWorkspace_ReportsAPI_gplus_CL` `GWorkspace_ReportsAPI_groups_CL` `GWorkspace_ReportsAPI_groups_enterprise_CL` `GWorkspace_ReportsAPI_jamboard_CL` `GWorkspace_ReportsAPI_keep_CL` `GWorkspace_ReportsAPI_login_CL` `GWorkspace_ReportsAPI_meet_CL` `GWorkspace_ReportsAPI_mobile_CL` `GWorkspace_ReportsAPI_rules_CL` `GWorkspace_ReportsAPI_saml_CL` `GWorkspace_ReportsAPI_token_CL` `GWorkspace_ReportsAPI_user_accounts_CL` `GoogleWorkspaceReports_CL`

GoogleWorkspace

Parsers

Name	Description	Tables Used
GWorkspaceActivityReports	-	`GWorkspace_ReportsAPI_access_transparency_CL` (read) `GWorkspace_ReportsAPI_admin_CL` (read) `GWorkspace_ReportsAPI_calendar_CL` (read) `GWorkspace_ReportsAPI_chat_CL` (read) `GWorkspace_ReportsAPI_chrome_CL` (read) `GWorkspace_ReportsAPI_context_aware_access_CL` (read) `GWorkspace_ReportsAPI_data_studio_CL` (read) `GWorkspace_ReportsAPI_drive_CL` (read) `GWorkspace_ReportsAPI_gcp_CL` (read) `GWorkspace_ReportsAPI_gplus_CL` (read) `GWorkspace_ReportsAPI_groups_CL` (read) `GWorkspace_ReportsAPI_groups_enterprise_CL` (read) `GWorkspace_ReportsAPI_jamboard_CL` (read) `GWorkspace_ReportsAPI_keep_CL` (read) `GWorkspace_ReportsAPI_login_CL` (read) `GWorkspace_ReportsAPI_meet_CL` (read) `GWorkspace_ReportsAPI_mobile_CL` (read) `GWorkspace_ReportsAPI_rules_CL` (read) `GWorkspace_ReportsAPI_saml_CL` (read) `GWorkspace_ReportsAPI_token_CL` (read) `GWorkspace_ReportsAPI_user_accounts_CL` (read) `GoogleWorkspaceReports_CL` (read)

⚠️ Items marked with ⚠️ are not listed in the Solution JSON file. They were discovered by scanning the solution folder and may be legacy items, under development, or excluded from the official solution package.

Release Notes

Version	Date Modified (DD-MM-YYY)	Change History
3.0.4	26-03-2026	Updated Data Connector Configuration steps
3.0.3	21-01-2026	Updated Data Connector to support dynamic Redirect URI
3.0.2	26-08-2025	Moving GoogleWorkspaceReports CCF Data Connector to GA.
3.0.1	14-07-2025	Added new CCF Data Connector.
3.0.0	06-09-2024	Updated the python runtime version to 3.11.