Google Workspace is a robust set of productivity applications with billions of users and millions of paying organizations. These include small mom-and-pop shops and the largest enterprises. Google provides the Google Reports API, “a RESTful API you can use to access information about the Google Workspace activities of your users.” This data is critical for establishing a solid security posture.
Meanwhile, Cribl Search is reshaping the data search paradigm, empowering users to uncover and analyze data directly from its source. Cribl Search lets you search and analyze data without first routing it to an analytics engine or SIEM. And for those who prefer to use their existing analytics solution, go for it! Cribl Search can send that data to Cribl Stream via the |send operator. You can use Search or Cribl Stream to optimize the data and then selectively send it to zero or more analytics solutions, and even to long-term storage in a low-cost object store for compliance, historical threat analysis, or full-fidelity backup.
Cribl Search supports searching multiple sources, including Amazon S3, Azure Blob Storage, Google Cloud Storage, and various APIs such as AWS, Okta, Zoom, and Tailscale. And now, Cribl Search supports searching the Google Reports API! Cribl Search provides activity information on all the applications exposed via the Google Reports API Activities resource, including Admin Console activity, Google Drive, Google Meet, User Accounts, Login data, and more. Read on to find out how.
Setting Up Access to the Google Reports API
To give Cribl Search access to the Google Reports API activities for your organization, navigate to your Google Cloud Platform Administrative Console and do the following:
Create a Service Account.
IAM->Service Accounts->Create Service Account->Give the minimum required information, and click “done.”
Create a Key
Click service account->Keys->Add Key->New Key->JSON
Save the downloaded key file for later use, and protect it as you would any other credential.
Enable Domain-wide Delegation
Click service account->Advanced Settings
Copy Client ID
Click: View Google Workspace Admin Console->Security->Access and Data Controls->API Controls->Manage Domain Wide Delegation->Add New
Client ID: Paste your Service Account Client ID
Click Save
For more information, see here.
Setting up Cribl Search
And now for the easy part. Head over to your Cribl Search Instance and perform the following steps. Note that if you do not have a Cribl.Cloud instance, you can get a free one here.
Navigate to Cribl Search
Create a Cribl Search dataset provider (a dataset provider tells Cribl Search where to query and holds the access credentials)
Search->Data->Dataset Providers->Create Provider->Create
ID: Arbitrary name/id. Note this ID will be used when defining the dataset.
Dataset provider Type: “Google Workspace API”
Add Configuration
Account Name: Name of Google Account (without user or .com)
Impersonated Accounts Email Address: Email address of an admin user
Service Account Credentials: Paste the JSON key saved in the steps above
Navigate to Search->Data->Dataset Providers->Create Provider->Create
Give it an ID and select “Google Workspace API”. Take a look at all the other sources supported!
Create a dataset (A dataset tells Cribl Search what data to search from the dataset provider)
Search->Data->Datasets->Add Dataset
ID: Arbitrary name/id
Provider: The provider created in step 2 above
Endpoints: Select one or more endpoints. If you have a large environment, consider creating multiple datasets, each covering a subset of endpoints, instead of a single dataset. Each search then pulls less data, which reduces the size of the API requests and improves the performance of both Cribl Search and the Google Reports API.
That’s it; now on to the fun part.
Searching Google Workspace Activity Data
Once you have created your dataset, you can start searching your data.
Go to Search->Home
You should now see your dataset listed under “Available Datasets.”
Hover over your dataset and click “Search Now.”
Adjust the timeframe of your search.
Cribl Search is based on the Kusto Query Language (KQL), which lets you delve into your data to discover patterns, identify anomalies and outliers, and create statistical models.[3]
Check out the following pages and start exploring your Google Workspace Data:
https://docs.cribl.io/search/operators (Check out the Functions pages immediately below this page as well)
Click “Search Now” to start searching your data.
Start searching your data! In this example (the actual email search term is redacted), we set action equal to the first value of the events array. We then filter out the authorize action and create a chart that shows all other activities by that user. To examine raw events, omit the final |summarize operator.
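Here is an added Cribl Search query in the shape that paragraph describes; it is not a query from the original post. The dataset ID gws_activity, the address user@example.com (standing in for the redacted search term), and the field paths actor.email, events[0].name and _time are assumptions: the paths follow the layout of the Google Reports API Activities resource and Cribl Search's _time convention, and may need adjusting to match how your dataset presents the events.

```kql
// Added example: one user's Google Workspace activity, summarized by action.
// Dataset ID, user address and field paths are assumptions, not values from the post.
dataset="gws_activity"
| where actor.email == "user@example.com"       // the search term redacted in the post
| extend action = events[0].name                // first entry of the events array
| where action != "authorize"                   // drop the noisy authorize action
| summarize count() by bin(_time, 1h), action   // hourly counts per action, ready to chart
| sort by _time asc
```

Drop the |summarize and |sort lines to inspect the raw events instead of the chart; bin(_time, 1h) can be widened to 1d for a longer timeframe.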
I was curious about these “risky_sensitive_action_allowed” events. So, I created a search that provided a timeline of events. I first used the extend operator to pull out the required fields from nested JSON. I then sorted by timestamp with the sort operator and included only relevant data with the project operator. You can view raw events or fields in a table. I checked with security experts, and it turns out that these events occurred during reauth operations where no password challenge was provided. There are no issues here, and this is just a test account, but it is good to be able to investigate. And I didn’t send the data anywhere; this was all done via Cribl Search!
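The timeline search described above, written out as an added example (again not the post's own query). The dataset ID and the nested field paths (id.applicationName, events[0].type, events[0].name, actor.email, ipAddress) are assumptions based on the Google Reports API activity record layout; check them against the raw events your dataset returns before relying on the query.

```kql
// Added example: timeline of risky_sensitive_action_allowed events with the context
// fields an investigator wants side by side. Dataset ID and field paths are assumptions.
dataset="gws_activity"
| extend app = id.applicationName,       // which Workspace application produced the record
         event_type = events[0].type,    // event category, e.g. login
         action = events[0].name,        // event name
         user = actor.email,
         ip = ipAddress
| where action == "risky_sensitive_action_allowed"
| project _time, app, event_type, action, user, ip   // keep only the columns needed for review
| sort by _time desc
```

Reviewing the same user's other events around each timestamp (remove the |where line and narrow the timeframe) is how you confirm the reauth context the post describes, rather than assuming it.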
Send Data to a 3rd Party
So far, so good! What if you want to route this data onto an analytics solution? The Cribl “send” operator lets you do just that.
Ensure the Cribl HTTP source on your cloud default worker group is enabled.
Create a search that returns the event data you want to send to the 3rd party solution.
Append “|send” to the end of the search.
Run the search.
Data is sent to the default Cribl worker group.
You can send data to any destination that exposes a regular HTTPS source URL by specifying that URL after the send operator.
By default, data is sent to the Cribl default worker group via its Cribl HTTP source. You can then optimize this data as you would data from any other source.
Note the “|send” operator at the end of the query. This sends any returned events to the default worker group’s “Cribl HTTP” source.
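An added example of such a query (not from the original post) that trims each Drive event to the fields needed downstream before handing it to the default worker group. The dataset ID, the application name value "drive", and the field paths are assumptions based on the Google Reports API activity layout.

```kql
// Added example: forward Drive activity to the default worker group's Cribl HTTP source,
// projecting to the fields needed downstream first. Dataset ID and field paths are assumptions.
dataset="gws_activity"
| extend app = id.applicationName, action = events[0].name, user = actor.email, ip = ipAddress
| where app == "drive"
| project _time, app, action, user, ip, events   // events keeps the nested parameters (doc title, owner, ...)
| send
```

Projecting before |send keeps the payload small; the remaining optimization (enrichment, routing to one or more destinations) then happens in Cribl Stream as for any other source.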
Here is an example of a drive event that was sent to Cribl.
That’s it. In this post, we have walked through searching the Google Workspace API via Cribl Search, analyzing that data directly within Cribl Search, and finally, sending that data to Cribl Stream to be optimized and routed to any destination, just like any other source. Enjoy searching your Google Workspace activity. In an upcoming blog, we will discuss how to search the Google Cloud Platform API. We offer instant access to Cribl Search and Cribl Stream via Cribl.Cloud, which comes with a generous free plan, so try it today!