Query announces the Google Workspace Admin SDK Reports API Connector!
Google Workspace (formerly known as G-Suite) is a cloud-based productivity suite that offers tools for collaboration, communication, and organization, such as Gmail, Google Drive, Google Calendar, and Google Meet. It enables businesses to streamline workflows, manage files securely, and collaborate in real-time across various locations and devices.
Security and IT personnel use Google Workspace to manage user access, enforce security policies, and monitor activity, helping protect organizational data through advanced security features like two-step verification, data loss prevention (DLP), and mobile device management (MDM). Google Workspace’s centralized admin console provides IT teams with powerful tools for user management, security insights, and policy enforcement to safeguard company information.
As of 1 DEC 2024, Query integrates with Google Workspace through three distinct Connectors, each associated with the data surfaced by one of the following APIs: the Directory API, the Reports API and the Gmail Messages API. Separating Connectors by API lets customers assign different Service Accounts and different delegations to each, and restrict access to particular APIs to particular Teams and Organizations within Query. The following capabilities are supported from these APIs; refer to the API-specific documentation in Query for details on configuring connectivity.
All federated searches express both their search criteria and their results in terms of the Query Data Model (QDM), which is based on the Open Cybersecurity Schema Framework (OCSF). Each API source is normalized into a specific QDM/OCSF Event Class, which standardizes the data for increased situational awareness, easier aggregation and filtering, and easy pivoting.
| API Name | Source Name | QDM/OCSF Event Class | Entities/Observables |
| --- | --- | --- | --- |
| Reports | admin | Web Resources Activity | Email Address, IP Address, User ID, User Name |
| Reports | drive | File Hosting Activity | Email Address, IP Address, User ID, User Name |
| Reports | login | Authentication, Account Change, API Activity | Email Address, IP Address, User ID, User Name |
| Reports | token | Authorize Session | Email Address, IP Address, User ID, User Name |
| Reports | mobile | Device Config State Change | Email Address, IP Address, User ID, User Name |
Executing federated searches with Query allows you to pull all relevant data for your search criteria back in a parallelized, normalized, and standardized format without ever moving or duplicating the data into another data repository.
A bit on Reports API Normalization for login
The Reports API login activity (applicationName=login) covers everything from authentication and suspicious activity to inbox-filtering events and user, membership and token changes, so specific Event Names are normalized into different QDM Event Classes:
Account Change: 2sv_enroll, 2sv_disable, recovery_email_edit, recovery_phone_edit, recovery_secret_qa_edit, password_edit
API Activity: blocked_sender
Authentication: Everything else!
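The mapping above, applied to a Reports API activity record, as an added example that is not Query's own code. It assumes the record shape of the Reports API activities.list response (id.applicationName, actor, ipAddress, events[].name) and uses a constructed sample record with made-up values.

```python
# Map Google Workspace Reports API activity records to the QDM/OCSF event
# classes above. Added example, not Query's code; record shape follows the
# Reports API activities.list response (id, actor, ipAddress, events[]).
APP_CLASS = {  # event class by Reports API applicationName (table above)
    "admin": "Web Resources Activity",
    "drive": "File Hosting Activity",
    "token": "Authorize Session",
    "mobile": "Device Config State Change",
}
# applicationName=login is split further by event name.
LOGIN_ACCOUNT_CHANGE = {
    "2sv_enroll", "2sv_disable", "recovery_email_edit",
    "recovery_phone_edit", "recovery_secret_qa_edit", "password_edit",
}
LOGIN_API_ACTIVITY = {"blocked_sender"}


def event_class(application_name, event_name):
    """Return the QDM/OCSF event class for one Reports API event."""
    if application_name == "login":
        if event_name in LOGIN_ACCOUNT_CHANGE:
            return "Account Change"
        if event_name in LOGIN_API_ACTIVITY:
            return "API Activity"
        return "Authentication"  # everything else under login
    return APP_CLASS.get(application_name, "Unknown")


def normalize(activity):
    """One row per event, carrying the observables from the table:
    email address, IP address and user ID."""
    app = activity["id"]["applicationName"]
    actor = activity.get("actor", {})
    return [{
        "time": activity["id"]["time"],
        "class": event_class(app, ev["name"]),
        "event_name": ev["name"],
        "email": actor.get("email"),
        "user_id": actor.get("profileId"),
        "ip": activity.get("ipAddress"),
    } for ev in activity.get("events", [])]


# Constructed sample record (made-up values) in Reports API shape.
SAMPLE = {
    "id": {"time": "2024-12-01T10:15:00.000Z", "applicationName": "login"},
    "actor": {"email": "alice@example.com", "profileId": "100000000000000001"},
    "ipAddress": "203.0.113.7",
    "events": [{"name": "login_success"}, {"name": "2sv_enroll"}],
}
```

Running normalize(SAMPLE) yields two rows sharing the same actor and IP: an Authentication row for login_success and an Account Change row for 2sv_enroll.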
For more information, refer to our documentation here.