Google Workspace

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| G Suite Activities | | | | | gsuite_activity | NDJSON | API |
| G Suite Alerts | | | | | gsuite_alert | NDJSON | API |
| G Suite Directory Users | | | | | gsuite_directory_users | NDJSON | API |


Overview

Google Workspace, formerly known as G Suite, is a collection of cloud-based productivity and collaboration tools designed to help teams work efficiently from anywhere. It includes popular applications like Gmail, Google Drive, Docs, Sheets, Slides, Meet, and Calendar, all seamlessly integrated to streamline workflows. With advanced security features, intelligent collaboration tools, and flexible storage options, Google Workspace caters to businesses of all sizes, schools, and non-profits. Its user-friendly interface and real-time collaboration capabilities make it a powerful solution for boosting productivity, fostering teamwork, and enabling remote work effectively.

Supported data types

G Suite Activities

Table name: gsuite_activity

G Suite (now Google Workspace) Activity Logs track user and admin actions, such as file sharing, email access, and account sign-ins. These logs help monitor behavior, ensure compliance, and investigate security incidents. Accessible via the Admin Console and BigQuery, they provide insights for auditing, reporting, and maintaining a secure environment.

G Suite Alerts

Table name: gsuite_alert

Google Workspace (formerly G Suite) Alert Logs record security-related events and alerts within your organization, such as suspicious login attempts, data sharing violations, and policy breaches. These logs help admins detect potential threats, track abnormal activities, and respond to security incidents. They can be accessed through the Admin Console, providing valuable insights for proactive security monitoring and incident response.

G Suite Directory Users

Table name: gsuite_directory_users

Google Workspace (formerly G Suite) Directory Users logs capture activities related to user account management, such as user creation, deletion, suspension, and changes to user profiles or group memberships. These logs help administrators track and audit actions taken on user accounts, ensuring compliance and facilitating the detection of unauthorized changes or potential security issues. Accessible through the Admin Console, they support efficient management and monitoring of user activities within the organization.

Send data to Hunters

To enable Hunters' collection and ingestion of Google Workspace logs, you'll need to create a project and service account in Google Cloud Platform (GCP) for Hunters, and connect that to your Google Workspace account.

1. Create a GCP Project

  1. In your organization's Google Cloud Platform console, open the menu and navigate to Cloud Overview > Dashboard.

  2. Click Create Project to start a new project and give it the ID yourorganization-hunters or something similar. Make sure to select your organization as the parent organization.

  3. Navigate to APIs & Services > Enabled APIs & Services.

  4. Locate and enable the following APIs to allow the Hunters service account to perform requests against them:

    • Admin SDK API

    • Google Workspace Alert Center API

2. Configure OAuth

  1. Within the same project, navigate to APIs and Services > OAuth consent screen.

  2. Under User Type, select Internal, since this will be an internal OAuth application, and then click Create.

  3. Fill in the following fields:

    1. Under App name, enter Hunters.

    2. Under User support email, provide your email address.

    3. Under App logo, upload a logo for the application.

3. Create a Service Account

  1. Within the same project, navigate to APIs and Services > Credentials.

  2. Click Create Credentials > Service Account at the top of the page.

  3. Define the service account with the following details:

    • Name: Service Account for Hunters (or something similar)

    • Service Account ID: service-account-for-hunters

    • Description: Account for sharing data with the Hunters platform.

  4. Click Create and Continue.

  5. This service account does not require a specific role, so click Done to skip.

  6. From the Credentials page, click the name of the service account that was just created.

  7. Navigate to the Keys tab, and then click Add Key > Create New Key.

  8. Select JSON as the key type, and click Create. A JSON key that allows access to that service account will be downloaded. Make note of this for later.

  9. Navigate to the Details tab and make note of the Unique ID of the service account for the next section.

4. Set up Google Workspace Access

  1. In your organization's Google Workspace Admin, navigate to Security > API Controls.

  2. Click Manage Domain Wide Delegation.

  3. Under API Clients, click Add New.

  4. Copy the Unique ID from the previous section into the Client ID field.

  5. Leave Overwrite existing client ID unchecked.

  6. In the OAuth scopes section, add the following scopes as a comma-separated list:

    One scope per line:

    https://www.googleapis.com/auth/apps.alerts

    https://www.googleapis.com/auth/admin.reports.audit.readonly

    https://www.googleapis.com/auth/admin.directory.user.readonly

    https://www.googleapis.com/auth/admin.directory.group.member.readonly

    https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly

    https://www.googleapis.com/auth/admin.directory.orgunit.readonly

    https://www.googleapis.com/auth/admin.directory.domain.readonly

    https://www.googleapis.com/auth/admin.directory.group.readonly

    As a single comma-separated value:

    https://www.googleapis.com/auth/apps.alerts,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,https://www.googleapis.com/auth/admin.directory.orgunit.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly

  7. Click Authorize to complete the setup.

5. Configure the Hunters Portal

Complete the process on the Hunters platform, following this guide.

💡Tip

Search for the Gsuite panel.

⚠️ Attention

  1. For the service account owner, enter the email of the admin account (not the service account's email that was created previously).

  2. In the Secret field, enter the contents of the downloaded service account JSON file.
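An added pre-flight check (not Hunters' or Google's code) for the values this procedure has you copy between consoles: it compares the key file's client_id with the Client ID entered for domain-wide delegation, the delegated scopes with the eight listed in step 4, and the owner email with the service account's own address. The sample key, IDs and addresses are constructed placeholders, and `preflight` and its parameter names are hypothetical.

```python
import json

# The eight scopes listed in step 4 of this page.
REQUIRED_SCOPES = frozenset("https://www.googleapis.com/auth/" + s for s in (
    "apps.alerts", "admin.reports.audit.readonly",
    "admin.directory.user.readonly", "admin.directory.group.member.readonly",
    "admin.directory.rolemanagement.readonly", "admin.directory.orgunit.readonly",
    "admin.directory.domain.readonly", "admin.directory.group.readonly"))
KEY_FIELDS = ("type", "client_email", "client_id", "private_key", "token_uri")

def preflight(key_json, delegated_client_id, scopes_csv, owner_email):
    """Return a list of problems; an empty list means the inputs agree."""
    key = json.loads(key_json)
    problems = ["key file lacks field: " + f for f in KEY_FIELDS if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append("key type is not service_account")
    # The Unique ID entered under Domain Wide Delegation is the key's client_id.
    if str(key.get("client_id", "")) != delegated_client_id.strip():
        problems.append("delegated Client ID does not match the key's client_id")
    # The owner is the admin user being impersonated, not the service account.
    owner = owner_email.strip().lower()
    if owner == str(key.get("client_email", "")).lower() or \
            owner.endswith(".gserviceaccount.com"):
        problems.append("owner must be an admin user, not a service account")
    granted = {s.strip() for s in scopes_csv.split(",") if s.strip()}
    problems += ["scope not delegated: " + s for s in sorted(REQUIRED_SCOPES - granted)]
    # Anything beyond the documented set widens what a stolen key can reach.
    problems += ["unexpected scope: " + s for s in sorted(granted - REQUIRED_SCOPES)]
    return problems

# Constructed sample inputs: placeholder values, not a real key or domain.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_email": "service-account-for-hunters@example-hunters.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
    "private_key": "PLACEHOLDER-NOT-A-REAL-KEY",
    "token_uri": "https://oauth2.googleapis.com/token"})
SAMPLE_SCOPES = ",".join(sorted(REQUIRED_SCOPES))

if __name__ == "__main__":
    print(preflight(SAMPLE_KEY, "100000000000000000001", SAMPLE_SCOPES,
                    "admin@example.com"))
    # A mistyped ID, a write scope and the wrong owner are all reported.
    for p in preflight(SAMPLE_KEY, "100000000000000000002",
                       SAMPLE_SCOPES + ",https://www.googleapis.com/auth/admin.directory.user",
                       "service-account-for-hunters@example-hunters.iam.gserviceaccount.com"):
        print(p)
```

Run it against the downloaded key before pasting the key into the Secret field; the key itself never leaves the machine.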

Reference Documentation

Notes

According to various sources, the internal reporting mechanism in several Google applications has a delay. To cope with this issue, we collect the events using the API with an inherent 1-hour delay. Even so, ingestion may leave gaps in the ingested data.