Skip to main content
Question

Clarification on Ingesting Google Vault Logs into Google SecOps SIEM

  • November 17, 2025
  • 7 replies
  • 55 views
manoj610
Forum|alt.badge.img+4

Hello Team,

We are currently ingesting the following Google Workspace logs into Google SecOps:

  • WORKSPACE_ACTIVITY

  • WORKSPACE_ALERTS

  • WORKSPACE_CHROMEOS

  • WORKSPACE_GROUPS

  • WORKSPACE_MOBILE

  • WORKSPACE_USERS

I would like to check whether Google Vault logs are also included as part of the Workspace log ingestion, or if any additional configuration is required to ingest Vault-related audit logs.

Could you please confirm if Vault logs are supported automatically or if we need to enable any specific settings or APIs to receive them?

Thank You

7 replies

vaskenh
Staff
Forum|alt.badge.img+13
  • vaskenh
  • Staff
  • November 19, 2025

Hi ​@manoj610 .  In the following documentation I can see Password Vault listed as one of the supported log types under WORKSPACE_ACTIVITY, so I believe in short the logs are supported.  There might be some additional logistics involved in making sure that the Vault logs are actually getting generated and flowing, but on surface level I want to say that they are one of the supported log types under the WORKSPACE_ACTIVITY log type.

 

https://cloud.google.com/chronicle/docs/ingestion/default-parsers/workspace-activity

 

Showing the Content Hub item for Google Workspace, specifically the Data Collection section

 

--Vasken

 

d_patel_dj
Forum|alt.badge.img+3
  • d_patel_djBronze 1
  • Bronze 1
  • December 8, 2025

Hi, 

 

I am also looking to ingest vault logs into secops. I have workspace logs coming into secops but can’t seem to see any vault logs coming in. I can see the events in Google Admin so can confirm events are being created. 

 

Is there anything specific that needs to be setup to enable these events to come in? 

 

Thanks 

cmmartin_google
Staff
Forum|alt.badge.img+11

There is a documentation page covering what is covered by native integration and not.  Vault is listed as being covered by the native integration -   https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-workspace-logs

 

It used to be you had to create a manual feed and specify the application (via the api name, which is vault from memory)

d_patel_dj
Forum|alt.badge.img+3
  • d_patel_djBronze 1
  • Bronze 1
  • December 8, 2025

Thanks for the reply! 

 

This might be a silly questions - but I can’t see Google Vault under the supported application name and event types for WORKSPACE_ACTIVITY? Did you mean password vault by chance? 

cmmartin_google
Staff
Forum|alt.badge.img+11

I may have got the two mixed up, apologies.  In which case yes, I do not see vault in there, and so you would need to use the legacy Feed Management, and set the application as vault.

Additionally, a support request to raise as a FR so Google can consider adding that to the native list of sources they ingest.

d_patel_dj
Forum|alt.badge.img+3
  • d_patel_djBronze 1
  • Bronze 1
  • December 8, 2025

Ah ok no worries - is there any documentations or steps to get the Vault logs via the legacy feed management way? Not sure I have done it before. 

 

Thanks 

okkes
Staff
Forum|alt.badge.img+1
  • okkes
  • Staff
  • December 8, 2025

@d_patel_dj , You can find the legacy feed method here, under Method 2:

https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-workspace-logs

 

Vault can be added to the applications:

 

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.