Context Aware Access Activity
Collects Context Aware Access activity logs from Google Workspace for auditing context-aware access denied events.
Sync Type: Incremental
Requirements
Before configuring this input, you need to set up a Google Cloud service account and grant it the necessary permissions in your Google Workspace environment. Follow these steps:
1. Create a Google Cloud Project:
   - Go to the Google Cloud Console.
   - Create a new project or select an existing one.
2. Enable the Admin SDK API:
   - In your project, go to "APIs & Services" > "Library".
   - Search for "Admin SDK API" and enable it.
3. Create a Service Account:
   - Go to "IAM & Admin" > "Service Accounts".
   - Click "Create Service Account".
   - Give it a name and description.
   - You don't need to grant the service account any roles in Google Cloud.
   - Click "Create and Continue", then "Done".
4. Generate a Key for the Service Account:
   - In the service account list, click on your new service account.
   - Go to the "Keys" tab.
   - Click "Add Key" > "Create new key".
   - Choose JSON as the key type and click "Create".
   - Save the downloaded JSON file securely.
5. Set up Domain-Wide Delegation:
   - Go to your Google Workspace Admin Console.
   - Navigate to Security > Access and Data Control > API Controls.
   - In the "Domain-wide Delegation" section, click "Add new".
   - For "Client ID", enter the service account's Client ID (found in the JSON key file).
   - For scopes, enter: https://www.googleapis.com/auth/admin.reports.audit.readonly
   - Click "Authorize".
6. Create and Configure an Admin Account:
   - In the Google Workspace Admin Console, go to Users.
   - Click "Add new user" to create a new account, or select an existing user.
   - Fill in the required information for the new user.
   - After creating the user, click on the user's name to access their details.
   - In the user details page, find the "Admin roles and privileges" section.
   - Click "Assign roles".
   - Navigate to "Admin roles" under the Account section.
   - Click "Create new role".
   - Name the role (e.g., "Device Activity Report Reader").
   - Under privileges, expand the "Reports" section.
   - Check the box for "Read" under "Admin Audit Reports".
   - Save the new role.
   - Return to the user's details and assign this new custom role.
Configuration
The Google Workspace Context Aware Access Activity Input is configured using the following settings:
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| | string | Yes | The email address of the Google Workspace admin to impersonate for API calls. |
| Backfill Start Time | string | No | The date to start fetching data from. If not specified, no past records will be fetched. |
Secrets
| Secret | Type | Required | Description |
|---|---|---|---|
| CredentialsJSON | string | Yes | Base64-encoded JSON credentials of the Google Cloud service account used for authentication. |
Remember to keep your service account key confidential and never commit it to version control systems.
Functionality
This input component performs the following actions:
- Authenticates with Google Workspace using a service account and admin impersonation.
- Periodically fetches context aware access activity logs.
- Processes and publishes activity data to the pipeline for further handling.
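The setup steps above and this Functionality summary describe one authentication flow: the service account key (supplied base64-encoded as CredentialsJSON) is used to mint a domain-wide-delegated token that impersonates the configured admin, and that token is used against the Admin SDK Reports API for the `context_aware_access` application. The following standard-library Python is an added example, not the input's own code, showing the pieces that can be checked offline: decoding and validating the secret, building the JWT claim set that performs the impersonation, and building the activity request with the input's 1000-result ceiling. The sample key below is constructed with fake values; the Reports API endpoint, token endpoint and scope are real, and RSA signing of the claim set is left to a JWT library.

```python
import base64
import json
from typing import Optional
from urllib.parse import urlencode

# Scope the setup steps authorize under Domain-wide Delegation.
AUDIT_SCOPE = "https://www.googleapis.com/auth/admin.reports.audit.readonly"
# Reports API activities.list endpoint; userKey "all" returns events for every user.
REPORTS_ACTIVITY_URL = (
    "https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/"
)
TOKEN_URL = "https://oauth2.googleapis.com/token"
APPLICATION_NAME = "context_aware_access"
MAX_RESULTS = 1000  # per-call ceiling noted under Limitations

# Constructed sample key: shaped like a real service-account JSON file, fake values only.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "constructed-key-id",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
    "client_email": "caa-reader@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
}


def encode_credentials(key: dict) -> str:
    """Produce the base64 form the CredentialsJSON secret expects."""
    return base64.b64encode(json.dumps(key).encode()).decode()


def decode_credentials(credentials_b64: str) -> dict:
    """Decode CredentialsJSON and check it carries the fields delegation needs.

    client_id is the value pasted into the Domain-wide Delegation screen,
    client_email becomes the JWT issuer, and private_key signs the JWT.
    """
    try:
        # binascii.Error and JSONDecodeError are both ValueError subclasses.
        creds = json.loads(base64.b64decode(credentials_b64, validate=True))
    except ValueError as exc:
        raise ValueError("CredentialsJSON is not base64-encoded JSON") from exc
    required = ("type", "client_email", "client_id", "private_key")
    missing = [k for k in required if k not in creds]
    if missing:
        raise ValueError(f"service account key is missing fields: {missing}")
    if creds["type"] != "service_account":
        raise ValueError("CredentialsJSON is not a service account key")
    return creds


def build_delegation_claims(creds: dict, admin_email: str, now: int, lifetime: int = 3600) -> dict:
    """Claim set of the JWT that is exchanged at TOKEN_URL for an access token.

    iss is the service account, sub is the admin being impersonated, and scope
    is the single read-only audit scope. Google caps the assertion lifetime at
    one hour. Signing with creds["private_key"] (RS256) is done by a JWT library.
    """
    if lifetime > 3600:
        raise ValueError("assertion lifetime must not exceed one hour")
    return {
        "iss": creds["client_email"],
        "sub": admin_email,
        "scope": AUDIT_SCOPE,
        "aud": TOKEN_URL,
        "iat": now,
        "exp": now + lifetime,
    }


def build_activity_request(start_time: str, page_token: Optional[str] = None) -> str:
    """URL for one page of context_aware_access activity since start_time (RFC 3339).

    An incremental sync passes the last seen event time; the first run passes the
    Backfill Start Time, or the current time when none is configured, which is
    how "no past records" is achieved. page_token continues a multi-page result.
    """
    params = {"startTime": start_time, "maxResults": MAX_RESULTS}
    if page_token:
        params["pageToken"] = page_token
    return f"{REPORTS_ACTIVITY_URL}{APPLICATION_NAME}?{urlencode(params)}"


if __name__ == "__main__":
    creds = decode_credentials(encode_credentials(SAMPLE_KEY))
    print(build_delegation_claims(creds, "caa-admin@sample.org", now=1700000000))
    print(build_activity_request("2025-09-12T00:00:00Z"))
```

The claim set is where least privilege is enforced in practice: `sub` should be the dedicated, minimally privileged admin from the Best Practices section, and `scope` should contain only the audit read-only scope that was authorized in the Admin Console, so a leaked token cannot be used for anything beyond reading audit reports.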
Best Practices
- Service Account: Use a dedicated service account for this input.
- Least Privilege: Grant only the necessary permissions to the service account.
- Admin Impersonation: Use a dedicated admin account for impersonation, preferably one with limited permissions.
- Credential Security: Keep the service account JSON key secure and never commit it to version control.
- Regular Audits: Periodically review the service account's access and the impersonated admin's permissions.
Limitations
- The input fetches a maximum of 1000 results per API call.
- Historical data availability depends on Google Workspace's retention policies.
- API quotas and limits apply as per Google Workspace Admin SDK guidelines.
Troubleshooting
- For authentication errors, verify the service account credentials and Domain-Wide Delegation setup.
- If encountering "permission denied" errors, check the impersonated admin's privileges.
- If no data is fetched, there may simply be no context aware access activity in your Google Workspace, or logging may not be working as expected.
Custom Schema Handling
If the source data doesn't align with any of the OpenSecurityControlFramework (OSCF) schemas, you can create a custom transformation using our JQ transform pipeline. For example:
```jq
{
  metadata: {
    schema_version: "1.0.0",
    custom_framework: "my_framework"
  },
  controls: .[]
}
```
For more information on JQ and how to write your own JQ transformations see the JQ docs here.
If you believe this data source should be included in the standard OSCF schema set, please reach out to our team at support@monad.com. We're always looking to expand our coverage of security control frameworks based on community needs.
Sample Record
```json
{
  "kind": "admin#reports#activity",
  "id": {
    "time": "2025-09-12T16:31:11.083299Z",
    "uniqueQualifier": "1543e25f-4293-7da4-e2b0-69a4edc7e56c",
    "applicationName": "context_aware_access",
    "customerId": "C0q2w3e4r"
  },
  "etag": "\"etag_example\"",
  "actor": {
    "callerType": "USER",
    "email": "jane.johnson@sample.org",
    "profileId": "ca4a2a87-b782-2292-40fa-95df20e0550c",
    "key": "sample_key"
  },
  "ipAddress": "195.96.207.164",
  "events": [
    {
      "type": "access",
      "name": "ACCESS_DENY_EVENT",
      "parameters": [
        {
          "name": "CAA_DEVICE_ID",
          "value": "a0206c9d-22c1-5afb-6cab-6cda06c216d4"
        },
        {
          "name": "CAA_DEVICE_STATE",
          "value": "ACTIVE"
        },
        {
          "name": "CAA_APPLICATION",
          "value": "APPLICATION_NAME"
        },
        {
          "name": "BLOCKED_API_ACCESS",
          "value": "APPLICATION_NAME"
        },
        {
          "name": "CAA_ACCESS_LEVEL_APPLIED",
          "value": "ACCESS_LEVEL"
        },
        {
          "name": "CAA_ACCESS_LEVEL_SATISFIED",
          "value": "ACCESS_LEVEL"
        },
        {
          "name": "CAA_ACCESS_LEVEL_UNSATISFIED",
          "value": "ACCESS_LEVEL"
        }
      ]
    }
  ]
}
```
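The record above carries its useful detail in the `events[].parameters` name/value list, which is awkward to query directly. The following Python is an added example, not part of this page's input or Monad's pipeline, showing how a consumer downstream of the pipeline might flatten a record into one row per `ACCESS_DENY_EVENT` and count repeated denials per actor, which is the kind of check a detection engineer would run over these logs. The record embedded below is a constructed copy of the sample record trimmed to the fields used; the handling of `value`, `intValue`, `boolValue` and `multiValue` follows the Reports API parameter shape, and the repeat-denial threshold is an arbitrary choice for illustration.

```python
import ipaddress
from typing import Any, Dict, Iterable, List, Optional

# Constructed sample: the record shown on this page, trimmed to the fields used here.
SAMPLE_RECORD: Dict[str, Any] = {
    "kind": "admin#reports#activity",
    "id": {"time": "2025-09-12T16:31:11.083299Z", "applicationName": "context_aware_access"},
    "actor": {"callerType": "USER", "email": "jane.johnson@sample.org"},
    "ipAddress": "195.96.207.164",
    "events": [{
        "type": "access",
        "name": "ACCESS_DENY_EVENT",
        "parameters": [
            {"name": "CAA_DEVICE_ID", "value": "a0206c9d-22c1-5afb-6cab-6cda06c216d4"},
            {"name": "CAA_DEVICE_STATE", "value": "ACTIVE"},
            {"name": "CAA_APPLICATION", "value": "APPLICATION_NAME"},
            {"name": "BLOCKED_API_ACCESS", "value": "APPLICATION_NAME"},
            {"name": "CAA_ACCESS_LEVEL_APPLIED", "value": "ACCESS_LEVEL"},
            {"name": "CAA_ACCESS_LEVEL_SATISFIED", "value": "ACCESS_LEVEL"},
            {"name": "CAA_ACCESS_LEVEL_UNSATISFIED", "value": "ACCESS_LEVEL"},
        ],
    }],
}


def flatten_parameters(event: Dict[str, Any]) -> Dict[str, List[Any]]:
    """Map parameter name -> list of values.

    A Reports API parameter carries its payload in one of value, intValue,
    boolValue or multiValue, and the same name can appear more than once
    (several access levels), so every name maps to a list.
    """
    out: Dict[str, List[Any]] = {}
    for p in event.get("parameters", []):
        if "multiValue" in p:
            out.setdefault(p["name"], []).extend(p["multiValue"])
            continue
        for field in ("value", "intValue", "boolValue"):
            if field in p:
                out.setdefault(p["name"], []).append(p[field])
                break
    return out


def _first(params: Dict[str, List[Any]], name: str) -> Optional[Any]:
    values = params.get(name)
    return values[0] if values else None


def is_external(ip: Optional[str]) -> bool:
    """True for a globally routable address; False for private, loopback or unparsable input."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def summarize_denials(record: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One flat summary per ACCESS_DENY_EVENT in the record, with the fields triage needs."""
    actor_email = record.get("actor", {}).get("email")
    ip = record.get("ipAddress")
    denials = []
    for ev in record.get("events", []):
        if ev.get("name") != "ACCESS_DENY_EVENT":
            continue
        params = flatten_parameters(ev)
        denials.append({
            "time": record.get("id", {}).get("time"),
            "actor": actor_email,
            "ip": ip,
            "external_ip": is_external(ip),
            "device_id": _first(params, "CAA_DEVICE_ID"),
            "device_state": _first(params, "CAA_DEVICE_STATE"),
            "application": _first(params, "CAA_APPLICATION"),
            "unsatisfied_levels": params.get("CAA_ACCESS_LEVEL_UNSATISFIED", []),
            "satisfied_levels": params.get("CAA_ACCESS_LEVEL_SATISFIED", []),
        })
    return denials


def actors_over_threshold(records: Iterable[Dict[str, Any]], threshold: int) -> Dict[str, int]:
    """Actors with at least `threshold` denials across the given records.

    A burst of denials for one user is the simplest signal worth reviewing:
    it may be a device that fell out of compliance or a credential in use
    from somewhere the access level does not allow.
    """
    counts: Dict[str, int] = {}
    for record in records:
        for denial in summarize_denials(record):
            if denial["actor"]:
                counts[denial["actor"]] = counts.get(denial["actor"], 0) + 1
    return {actor: n for actor, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for row in summarize_denials(SAMPLE_RECORD):
        print(row)
    print(actors_over_threshold([SAMPLE_RECORD] * 3, threshold=3))
```

Because the sample record contains placeholder strings (`APPLICATION_NAME`, `ACCESS_LEVEL`), a real record is needed to see the distinct satisfied and unsatisfied access level names; the flattening keeps them as lists so that a policy with several levels is preserved rather than collapsed to the last one seen.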