Supported editions for this feature: Enterprise Standard and Enterprise Plus.
You can export your Google Workspace audit logs to Google Chronicle, a cloud-native security analytics platform that helps your organization detect, investigate, and respond to security threats. To export logs to Chronicle, you use the Google Admin console to connect Google Workspace to Chronicle.
Once you connect to Chronicle, your audit logs are continuously exported to Chronicle, where you can manage insider risk. To manage risk, you write rules that generate detections and alerts, which help you identify risky user behaviors and anomalies related to data access and exfiltration (for example, a burst of failed sign-ins followed by bulk Drive downloads).
After you export logs
After your data is exported to Chronicle, you can sign in to your Chronicle account to:
- Search for any element in your logs data, such as usernames, IP addresses, and sign-in events.
- View all the alerts and Indicators of Compromise (IOCs) currently impacting your organization.
- Analyze any of the alerts.
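To make concrete the kind of rule the exported logs support, here is an added example (not code from this help page, from Google, or from Chronicle). It runs a simple insider-risk detection over constructed Google Workspace audit records: an actor whose sign-in succeeds after several failures within a short window, and who then downloads many Drive files, gets an alert. The record shape is assumed to follow the Reports API activity format (id.time, id.applicationName, actor.email, ipAddress, events[].name, events[].parameters); the sample events, thresholds and function names are constructed for illustration and are not a Chronicle rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _parse_time(ts):
    """Parse the RFC 3339 UTC timestamp used in the id.time field."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _param(event, name):
    """Return the value of a named parameter on one event, or None."""
    for p in event.get("parameters", []):
        if p.get("name") == name:
            return p.get("value")
    return None


def detect_bruteforce_then_bulk_download(activities, fail_threshold=3,
                                          download_threshold=5,
                                          window=timedelta(minutes=10)):
    """Flag actors whose login succeeds after >= fail_threshold failures
    within `window`, and who then download >= download_threshold Drive
    files within `window` of that success. Returns a list of alert dicts."""
    by_actor = defaultdict(list)
    for a in sorted(activities, key=lambda a: a["id"]["time"]):
        by_actor[a["actor"]["email"]].append(a)

    alerts = []
    for actor, acts in by_actor.items():
        failures = []      # timestamps of login_failure events seen so far
        success = None     # (time, ip, failure_count) of the suspicious success
        downloads = []     # doc titles downloaded after that success
        for a in acts:
            t = _parse_time(a["id"]["time"])
            app = a["id"]["applicationName"]
            names = {ev["name"] for ev in a.get("events", [])}
            if app == "login" and "login_failure" in names:
                failures.append(t)
            elif app == "login" and "login_success" in names and success is None:
                recent = [f for f in failures if t - f <= window]
                if len(recent) >= fail_threshold:
                    success = (t, a.get("ipAddress"), len(recent))
            elif app == "drive" and "download" in names and success is not None:
                if t - success[0] <= window:
                    downloads.extend(_param(ev, "doc_title")
                                     for ev in a["events"] if ev["name"] == "download")
        if success is not None and len(downloads) >= download_threshold:
            alerts.append({"actor": actor, "ip": success[1],
                           "failed_logins": success[2],
                           "downloads": len(downloads), "docs": downloads})
    return alerts


# Constructed sample data (not real logs), shaped like Reports API activities.
def _login(email, name, ip, ts):
    return {"id": {"time": ts, "applicationName": "login"},
            "actor": {"email": email}, "ipAddress": ip,
            "events": [{"type": "login", "name": name}]}


def _download(email, title, ip, ts):
    return {"id": {"time": ts, "applicationName": "drive"},
            "actor": {"email": email}, "ipAddress": ip,
            "events": [{"type": "access", "name": "download",
                        "parameters": [{"name": "doc_title", "value": title}]}]}


SAMPLE_ACTIVITIES = [
    _login("alice@example.com", "login_failure", "203.0.113.10", "2024-05-01T08:00:00Z"),
    _login("alice@example.com", "login_failure", "203.0.113.10", "2024-05-01T08:01:00Z"),
    _login("alice@example.com", "login_failure", "203.0.113.10", "2024-05-01T08:02:00Z"),
    _login("alice@example.com", "login_success", "203.0.113.10", "2024-05-01T08:03:00Z"),
    _download("alice@example.com", "Q3 forecast.xlsx", "203.0.113.10", "2024-05-01T08:04:00Z"),
    _download("alice@example.com", "Customer list.csv", "203.0.113.10", "2024-05-01T08:04:30Z"),
    _download("alice@example.com", "Board deck.pptx", "203.0.113.10", "2024-05-01T08:05:00Z"),
    _download("alice@example.com", "Salaries.xlsx", "203.0.113.10", "2024-05-01T08:05:30Z"),
    _download("alice@example.com", "Roadmap.docx", "203.0.113.10", "2024-05-01T08:06:00Z"),
    # bob signs in cleanly and downloads one file: no alert expected
    _login("bob@example.com", "login_success", "198.51.100.7", "2024-05-01T09:00:00Z"),
    _download("bob@example.com", "Lunch menu.pdf", "198.51.100.7", "2024-05-01T09:01:00Z"),
]


if __name__ == "__main__":
    for alert in detect_bruteforce_then_bulk_download(SAMPLE_ACTIVITIES):
        print(alert)
```

The thresholds are deliberately low so the sample trips the rule; in production you would tune them per organization and correlate on the source IP and document visibility (the Drive audit log carries both) before raising an alert.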
Before you begin
- Make sure you have a Google Chronicle account. If you need an account, contact a Google Cloud sales specialist.
- You need super administrator privileges to connect Google Workspace to Chronicle.
Connect to Chronicle to export logs
- Sign in to your Google Admin console using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Reporting > Data integrations.
- Point to the Chronicle export card and click Edit.
- On the Connect to Chronicle page, follow the on-screen instructions to:
- Go to your organization's Profile page in the Admin console, and copy your Customer ID.
- Go to Chronicle, and then go to Settings > Google Workspace. Enter your Google Workspace customer ID and click Generate Token.
- On the Google Workspace page, copy your Token and Chronicle instance ID. (Note that your Chronicle instance ID is the same as your Chronicle customer ID.) Treat the token as a secret: it authorizes the export connection, so don't paste it into tickets, chat, or shared documents.
- Return to the Connect to Chronicle page in the Admin console, and enter the Token and your Chronicle instance ID.
- Click Connect.
Once a connection to Chronicle is established, it can take up to 24 hours before logs are exported to Chronicle. After that, your organization's audit logs are continuously exported to Chronicle. Confirm the export is working by searching Chronicle for a recent Workspace event (for example, your own sign-in) after the first day.
If a message appears that says a connection couldn't be established: First check if the Chronicle token and instance ID are correct. If they are, try connecting to Chronicle again after a few minutes. If you still can't connect, contact Google Workspace support.
Disconnect from Chronicle
If you no longer want to export audit logs to Chronicle, you can disconnect your organization's Google Workspace account from Chronicle.
Note: If you disconnect Google Workspace from Chronicle, your audit logs are not automatically deleted from Chronicle. Logs already exported remain subject to Chronicle's retention; to delete them, use Chronicle.
- Sign in to your Google Admin console using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Reporting > Data integrations.
- In the Chronicle export card, click Disconnect from Chronicle.
FAQ
Which audit logs are exported to Chronicle?
The following is the key log data that's supported:
- Admins
- Chrome
- Classroom
- Cloud Search
- Data export (admin)
- Data Studio
- Devices
- Gmail
- Google Calendar
- Google Chat
- Google Drive
- Google Groups
- Google Groups for Business
- Google Keep
- Google Meet
- Google Takeout
- Google Voice
- Jamboard management
- Login
- OAuth
- Rules
- SAML
- Users