Skip to content
English
Sign in
  • There are no suggestions because the search field is empty.

Data Integration Guide - Google Workspace

The Google Workspace integration enables Living Security Unify to ingest user identity and activity data directly from Google Workspace. It provides centralized visibility into human risk by combining login behavior, MFA adoption, and document access patterns.

Using the Google Admin SDK Directory and Reports APIs, this integration synchronizes user metadata and event activity for risk modeling, identity correlation, and anomaly detection.

Support Streams

Stream

API Endpoint(s)

Description

Users

/admin/directory/v1/users, /admin/directory/v1/users/{userKey}/roleAssignments

Synchronizes identity data including user profile details, organizational info, and admin privileges.

Reports

/admin/reports/v1/activity/users/{userKey}/applications/{applicationName}

Captures login, MFA, document, and account activity from Workspace applications for behavioral analysis.


Configuration

Prerequisites

  • Google Workspace Admin Access (Super Admin role)
  • Access to Google Cloud Console
  • APIs enabled in GCP project:
    • Admin SDK API
    • Directory API v1
    • Reports API v1

Step 1: Create a Service Account

  1. Go to Google Cloud Console.
  2. Select or create a project.
  3. Navigate to IAM & Admin → Service Accounts → Create Service Account.
  4. Provide a name (e.g., “Unify Integration Service Account”).
  5. Click Create and Continue, then Done.

Step 2: Generate a Service Account Key

  1. Open the new service account.
  2. Go to the Keys tab → Add Key → Create new key.
  3. Choose JSON format and download the file.
  4. Store this file securely—it will be used for authentication.

Step 3: Enable Domain-Wide Delegation

  1. In the service account details, click Show Advanced Settings.
  2. Enable Google Workspace Domain-Wide Delegation.

  3. Note the Client ID for authorization.

Step 4: Authorize API Scopes in Workspace Admin Console

  1. Open Google Admin Console.
  2. Navigate to Security → Access and data control → API controls.
  3. Under Domain-wide delegation, click Manage Domain-Wide DelegationAdd new.
  4. Enter your Client ID and authorize the following scopes:
    1. https://www.googleapis.com/auth/admin.directory.user
    2. https://www.googleapis.com/auth/admin.directory.group
    3. https://www.googleapis.com/auth/admin.directory.orgunit
    4. https://www.googleapis.com/auth/admin.directory.domain
    5. https://www.googleapis.com/auth/admin.directory.rolemanagement
    6. https://www.googleapis.com/auth/admin.reports.audit.readonly (Required only for the Reports stream)

Step 5: Configure the Integration in Unify

  1. In Unify, navigate to Integrations → Google Workspace.
  2. Paste the Service Account JSON file contents into the credentials field.
  3. Provide an Admin Email (e.g. admin@customerdomain.com) with Super Admin privileges.
  4. Enter the required scopes in the Scopes field in one of the following formats:
    1. JSON array string: ["scope1", "scope2"]
    2. Comma-separated: scope1,scope2
    3. Single scope: scope1

Please Note: If you leave this field blank, the connector will use the following default values:

 

Optional: You may extract client_email and private_key from the JSON and enter them manually if preferred.

Step 6: Verify Stream Configuration

  • Users Stream: Syncs identity and profile data.
  • Reports Stream: Ingests activity and login data.
  • Confirm desired applications (e.g., login, drive, admin) are selected in Unify's stream configuration panel.

Step 7: Test and Validate

  1. Trigger a manual sync from Unify.
  2. Confirm activity events appear under the Unify Activity Logs.
  3. Verify timestamps and user mappings match expected Workspace data.


Activity Types Emitted by Stream

Stream

Activity Type

Description

Reports

IDP_AUTH_SUCCESS

Successful user authentication.

Reports

IDP_AUTH_FAILURE

Failed authentication attempt.

Reports

LOGIN_UNUSUAL_BLOCKED

Suspicious or high-risk login blocked by Google.

Reports

IDP_MFA_ACTIVATED

User enrolled in two-step verification.

Reports

IDP_MFA_DEACTIVATED

User unenrolled from two-step verification.

Reports

CREDENTIAL_MODIFIED

Password or credentials changed.

Reports

CREDENTIALS_LEAKED

Account disabled due to credential compromise.

Reports

IDP_ACCOUNT_DEACTIVATED

Account manually or automatically disabled.

Reports

GOV_ATTACK

Government-backed attack warning received.

Reports

SERVICE_DOC_DOWNLOADED

Document downloaded from Google Drive.

Reports

SERVICE_DOC_ACCESS_DENIED

Document access denied or blocked.

Reports

SERVICE_DOC_VISIBILITY_RISKY

Document sharing visibility changed to risky state.

Reports

SERVICE_DOC_COPIED

Document copied within or outside domain.

Reports

EMAIL_FORWARD_EXDOMAIN

Email forwarding to external domain detected.

Reports

UNKNOWN

Unmapped event type encountered.

Users

IDENTITY_UPDATE

User identity or role metadata synchronized.