Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Google Workspace

cbarrios
New Member
‎01-26-2024 06:57 AM

Hello Every Body.

 

I'm starting this question be couse i'm traying to genrate detections for goole workspace invader as that post about 365.

 https://www.splunk.com/en_us/blog/security/hunting-m365-invaders-blue-team-s-guide-to-initial-access...

But i can not find google work space  login logs in actual ingest. We installed  the ad-don and newest apps abalaible in the splunkbase and could not find it.

surfin into the splunk web we could't fund an euivalent searchs as the link attached. 

 

Some bady had the same problem?  how can I solved it? 

Labels (1)
Labels
0 Karma
Reply

datadevops
Path Finder
‎01-28-2024 02:14 AM

Hi there,

The key is finding those Workspace login logs. While the add-on and apps might be installed, there could be a filtering or indexing issue.

Here's a quick rundown:

  1. Check the filter: Did you configure any filters that might exclude login events? Double-check your inputs.conf settings specifically.

  2. Look for indexing errors: Splunk logs might reveal indexing errors related to Workspace data. Check splunkd.log and python.log for clues.

  3. Search smarter: The provided search might not translate perfectly to Workspace. Try broader terms like "google login" or "workspace access" and adjust from there.

If you're still stuck, I recommend searching Splunkbase forums or reaching out to Splunk or Google Workspace support directly. They've seen it all and can offer specific guidance.

Remember, hunting invaders is like being a detective – persistence and resourcefulness are key!

~ If the reply helps, a Karma upvote would be appreciated

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...