Integrate Google Workspace with Google SecOps
This document explains how to integrate Google Workspace with Google Security Operations (Google SecOps).
Integration version: 19.0
Use cases
Integrating Google Workspace with Google SecOps can help you solve the following use case:
- User offboarding and account security:use the Google SecOps capabilities to trigger a workflow for revoking the Google Workspace access, suspend accounts, and forward emails for offboarded users to another employee.
Before you begin
Before you configure the Google Workspace integration in Google SecOps, complete the following prerequisite steps:
- Create a service account .
- Create a JSON key .
- Create a custom role for the integration .
- Assign the custom role to a user .
- Delegate domain-wide authority to your service account .
- Enable the Admin SDK API for your project .
Create a service account
To create a service account, complete the following steps:
-
In the Google Cloud console, go to the Credentialspage.
-
From the Create credentialsmenu, select Service account.
-
Under Service account details, enter a name in the Service account namefield.
-
Optional: Edit the service account ID.
-
Click Create and continue. A Permissionsscreen appears.
-
Click Continue. A Principals with accessscreen appears.
-
Click Done.
Grant Google Cloud IAM roles to the Service Account
To ensure the Service Account has all necessary permissions in your Google Cloud project, assign the following IAM roles:
-
In the Google Cloud console, go to IAM & Admin > IAM.
-
Click Grant Access.
-
In the New principalsfield, enter the email address of the Service Account you created.
-
In the Select a rolelist, search for and select the following roles:
-
Service Account User(roles/iam.serviceAccountUser) -
Service Account Token Creator(roles/iam.serviceAccountTokenCreator)
-
-
Click Save.
Create a JSON key
To create a JSON key, complete the following steps:
- Select your service account and go to Keys.
- Click Add key.
- Select Create new key.
- For the key type, select JSONand click Create. A Private key saved to your computerdialog appears and a copy of the private key downloads to your computer.
Create a custom role for the integration
- In the Google Admin console, go to Account > Admin Roles.
- Click Create new role.
- Provide a name for the new custom role and click Continue.
- On the Select Privilegespage, go to the Admin APIprivileges section.
-
Under Admin API privileges, select the following privileges:
- Organization Units
- Users
- Groups
-
Click Continue.
-
To create a new custom role, click Create Role.
Assign the custom role to a user
- To create a new user, go to Directory > Userspage.
- Add a new user that is associated with the service account.
- Open settings for the newly created user. The user account tab opens.
- Click Admin roles and privileges.
- Click edit Edit.
- Select the custom role you created.
- For the selected role, switch the toggle to Assigned.
Delegate domain-wide authority to your service account
- From your domain's Google Admin console, go to Main menu > Security > Access and data control > API controls.
- In the Domain wide delegationpane, select Manage Domain Wide Delegation.
- Click Add new.
- In the Client IDfield, enter the client ID obtained from the preceding service account creation steps.
-
In the OAuth Scopesfield, enter the following comma-delimited list of the scopes required for your application:
https://mail.google.com/, https://www.googleapis.com/auth/cloud-platform, https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.group.member, https://www.googleapis.com/auth/admin.directory.customer.readonly, https://www.googleapis.com/auth/admin.directory.domain.readonly, https://www.googleapis.com/auth/admin.directory.group, https://www.googleapis.com/auth/admin.directory.orgunit, https://www.googleapis.com/auth/admin.directory.user.alias, https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly, https://www.googleapis.com/auth/apps.groups.settings, https://www.googleapis.com/auth/admin.directory.user.security, -
Click Authorize.
Enable the Admin SDK API for your project
-
In the Google Cloud console, go to APIs & Services.
-
Click Enable APIs and Services.
-
Enable the Admin SDK APIfor your project.
Integration parameters
The Google Workspace integration requires the following parameters:
| Parameter | Description |
|---|---|
Verify SSL
|
Optional. If selected, the integration validates the SSL certificate when connecting to Google Workspace. Selected by default. |
User's Service Account JSON
|
Optional. The content of the service account key JSON file. You can configure this parameter or the To configure this parameter, provide the full content of the service account key JSON file that you downloaded when you created a service account. |
Delegated Email
|
Required. The email address for the integration to use. |
Workload Identity Email
|
Optional. The client email address of your service account. You can configure this parameter or the To impersonate service accounts with the Workload Identity Federation,
grant the |
For instructions about how to configure an integration in Google SecOps, see Configure integrations .
You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances .
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action .
Add Members To Group
Use the Add Members To Groupaction to add users to a group.
This action runs on the User
entity.
The Add Members To Groupaction solves the following use cases:
- Automated onboarding and offboarding.
- Incident response by granting temporary access.
- Dynamic project collaboration.
Action inputs
The Add Members To Groupaction requires the following parameters:
| Parameter | Description |
|---|---|
Group Email Address
|
Required. An email address of the group to add new members to. |
User Email Addresses
|
Optional. A comma-separated list of users to add to the group. The action executes values that you configure for this
parameter alongside the |
Action outputs
The Add Members To Groupaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Script result | Available |
Script result
The following table describes the values for the script result output when using the Add Members To Groupaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Block Extension
Use the Block Extensionaction to block a specified Chrome extension in an organizational unit.
This action doesn't run on Google SecOps entities.
Action inputs
The Block Extensionaction requires the following parameters:
| Parameter | Description |
|---|---|
Organization Unit Name
|
Required. The name of the organizational unit in which to block the extension. |
Extension ID
|
Required. The ID of the extension to block. |
Action outputs
The Block Extensionaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result outputs received when using the Block Extensionaction:
[
{
"targetKey"
:
{
"targetResource"
:
"orgunits/example-org-unit-id"
,
"additionalTargetKeys"
:
{
"app_id"
:
"chrome:exampleextensionid"
}
},
"value"
:
{
"policySchema"
:
"chrome.users.apps.InstallType"
,
"value"
:
{
"appInstallType"
:
"BLOCKED"
}
},
"sourceKey"
:
{
"targetResource"
:
"orgunits/example-org-unit-id"
},
"addedSourceKey"
:
{
"targetResource"
:
"orgunits/example-org-unit-id"
}
}
]
Output messages
The Block Extensionaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Block Extension". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Block Extensionaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Create Group
Use the Create Groupaction to create groups for your organization in the Google Admin console, Groups API, or Google Cloud Directory Sync as a Google Workspace Groups administrator.
If you use Groups for Business, you can also create groups for your organization in Google Groups .
This action runs on all Google SecOps entities.
You can use the Create Groupaction in the following use cases:
- Create incident response teams.
- Contain phishing campaigns.
- Onboard new users and user groups.
- Collaborate on projects.
- Configure access control for sensitive data.
Action inputs
The Create Groupaction requires the following parameters:
| Parameter | Description |
|---|---|
Email Address
|
Required. An email address of the new group. |
Name
|
Optional. A name of the new group. |
Description
|
Optional. A description of the new group. |
Action outputs
The Create Groupaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Create Groupaction:
[
{
"kind"
:
"admin#directory#group"
,
"id"
:
" ID
"
,
"etag"
:
" TAG/var>"
,
"email"
:
"user@example.com"
,
"name"
:
"example"
,
"description"
:
""
,
"adminCreated"
:
"True"
}
]
Script result
The following table describes the values for the script result output when using the Create Groupaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Create OU
Use the Create OUaction to create a new organizational unit (OU).
This action runs on all Google SecOps entities.
You can use the Create OUaction to solve the following use cases:
- Onboard new departments.
- Isolate compromised accounts.
- Implement geographic-based policies for data residency.
Action inputs
The Create OUaction requires the following parameters:
| Parameter | Description |
|---|---|
Customer ID
|
Required. A unique ID of the customer's Google Workspace account. To configure the account |
Name
|
Optional. A name of the new OU. |
Description
|
Optional. A description of the new OU. |
Parent OU Path
|
Required. A full path to the parent OU of a new OU. |
Action outputs
The Create OUaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Create OUaction:
[
{
"kind"
:
"admin#directory#orgUnit"
,
"etag"
:
" TAG
"
,
"name"
:
"example"
,
"orgUnitPath"
:
"/example_folder"
,
"orgUnitId"
:
"id: ID
"
,
"parentOrgUnitPath"
:
"/"
,
"parentOrgUnitId"
:
"id: ID
"
}
]
Script result
The following table describes the values for the script result output when using the Create OUaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Create User
Use the Create Useraction to create a new user.
When you add a user to your Google Workspace account, you provide them with an email address at your business domain and an account that they can use to access the Google Workspace services.
This action runs on all Google SecOps entities.
You can use the Create Useraction to solve the following use cases:
- Automate onboarding for the new users.
- Provide temporary access for contract employees.
- Use sandboxes for incident response.
Action inputs
The Create Useraction requires the following parameters:
| Parameter | Description |
|---|---|
Given Name
|
Required. The user's first name. |
Family Name
|
Required. The user's last name. |
Password
|
Required. The password of the new user. |
Email Address
|
Required. The primary email address of the user. |
Phone
|
Optional. The phone number of the user. |
Gender
|
Optional. The gender of the user. The valid values are
as follows: |
Department
|
Optional. The name of the user's department. |
Organization
|
Optional. The name of the user's organization. |
Change Password At Next Login
|
Optional. If selected, the system requires the user to change their password on the next login attempt. Not selected by default. |
Action outputs
The Create Useraction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Create Useraction:
[
{
"kind"
:
"admin#directory#user"
,
"id"
:
" ID
"
,
"etag"
:
" TAG
"
,
"primaryEmail"
:
"example@example.com"
,
"name"
:{
"givenName"
:
" FIRST_NAME
"
,
"familyName"
:
" LAST_NAME
"
},
"isAdmin"
:
"False"
,
"isDelegatedAdmin"
:
"False"
,
"creationTime"
:
"2020-12-22T13:44:29.000Z"
,
"organizations"
:[
{
"name"
:
"ExampleOrganization"
}
],
"phones"
:[
{
"value"
:
"(800) 555‑0175"
}
],
"gender"
:{
"type"
:
"male"
},
"customerId"
:
" ID
"
,
"orgUnitPath"
:
"/"
,
"isMailboxSetup"
:
"False"
}
]
Script result
The following table describes the values for the script result output when using the Create Useraction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Delete Extension
Use the Delete Extensionaction to delete a specified Chrome extension from an organizational unit.
This action doesn't run on Google SecOps entities.
Action inputs
The Delete Extensionaction requires the following parameters:
| Parameter | Description |
|---|---|
Organization Unit Name
|
Required. The name of the organizational unit from which to delete the extension. |
Extension ID
|
Required. The ID of the extension to delete. |
Action outputs
The Delete Extensionaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result outputs received when using the Delete Extensionaction:
[
{
"deleted_extensions"
:
[
"chrome:exampleextensionid"
]
}
]
Output messages
The Delete Extensionaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Delete Extension". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Delete Extensionaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Delete Group
Use the Delete Groupaction to delete a Google Workspace directory group.
This action doesn't run on Google SecOps entities.
You can use the Delete Groupaction to solve the following use cases:
- Automate the offboarding of users.
- Remediate security incidents.
- Perform cleanups for stale groups.
Action inputs
The Delete Groupaction requires the following parameters:
| Parameter | Description |
|---|---|
Group Email Address
|
Required. An email address of the group to delete. |
Action outputs
The Delete Groupaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Delete Groupaction provides the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Failed to connect to the Google Workspace! Error is ERROR_DESCRIPTION
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Delete Groupaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Delete OU
Use the Delete OUaction to delete an organizational unit.
You cannot delete an organization if it has users, devices, or child organizations. Before deleting an organization, move any users and devices to other organizations, and remove any child organizations.
This action runs on all Google SecOps entities.
You can use the Delete OUaction to solve the following use cases:
- Automate the offboarding of users.
- Remediate security incidents.
- Manage project resources and perform project cleanups.
Action inputs
The Delete OUaction requires the following parameters:
| Parameter | Description |
|---|---|
Customer ID
|
Required. A unique ID of the customer's Google Workspace account. To configure the account |
OU Path
|
Required. A full path to the organizational unit. If the organizational unit is located under a root (/) path, provide the organizational unit name without a path. |
Action outputs
The Delete OUaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Script result | Available |
Script result
The following table describes the values for the script result output when using the Delete OUaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Delete User
Use the Delete Useraction to delete user accounts.
After you delete a user, they cannot access or use any Google Workspace services for your organization.
You can use the Delete Useraction to solve the following use cases:
- Offboard departing employees.
- Remediate compromised accounts.
- Automate the cleanup of temporary accounts.
This action runs on all Google SecOps entities.
Action inputs
The Delete Useraction requires the following parameters:
| Parameter | Description |
|---|---|
Email Address
|
Required. An email address of the user to delete. |
Action outputs
The Delete Useraction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Script result | Available |
Script result
The following table describes the values for the script result output when using the Delete Useraction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Enrich Entities
Use the Enrich Entitiesaction to enrich Google SecOps entities with information from Google Workspace.
This action runs on the User
entity.
You can use the Enrich Entitiesaction to solve the following use cases:
- Investigate users.
- Analyze phishing emails.
- Investigate data exfiltration attempts.
- Detect malware.
Action inputs
None.
Action outputs
The Enrich Entitiesaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Entity enrichment table | Available |
| JSON result | Available |
| Script result | Available |
Entity enrichment
The Enrich Entitiesaction support the following entity enrichment:
| Enrichment field name | Enrichment logic |
|---|---|
Phones
|
Returns if it exists in a JSON result. |
isDelegatedAdmin
|
Returns if it exists in a JSON result. |
suspended
|
Returns if it exists in a JSON result. |
id
|
Returns if it exists in a JSON result. |
nonEditableAliases
|
Returns if it exists in a JSON result. |
archived
|
Returns if it exists in a JSON result. |
isEnrolledIn2Sv
|
Returns if it exists in a JSON result. |
includeInGlobalAddressList
|
Returns if it exists in a JSON result. |
Relations
|
Returns if it exists in a JSON result. |
isAdmin
|
Returns if it exists in a JSON result. |
etag
|
Returns if it exists in a JSON result. |
lastLoginTime
|
Returns if it exists in a JSON result. |
orgUnitPath
|
Returns if it exists in a JSON result. |
agreedToTerms
|
Returns if it exists in a JSON result. |
externalIds
|
Returns if it exists in a JSON result. |
ipWhitelisted
|
Returns if it exists in a JSON result. |
kind
|
Returns if it exists in a JSON result. |
isEnforcedIn2Sv
|
Returns if it exists in a JSON result. |
isMailboxSetup
|
Returns if it exists in a JSON result. |
emails
|
Returns if it exists in a JSON result. |
organizations
|
Returns if it exists in a JSON result. |
primaryEmail
|
Returns if it exists in a JSON result. |
name
|
Returns if it exists in a JSON result. |
gender
|
Returns if it exists in a JSON result. |
creationTime
|
Returns if it exists in a JSON result. |
changePasswordAtNextLogin
|
Returns if it exists in a JSON result. |
customerId
|
Returns if it exists in a JSON result. |
JSON result
The following example describes the JSON result output received when using the Enrich Entitiesaction:
[{
"Phones"
:
[{
"customType"
:
""
,
"type"
:
"custom"
,
"value"
:
"(800) 555‑0175"
}],
"isDelegatedAdmin"
:
false
,
"suspended"
:
false
,
"id"
:
" ID
"
,
"nonEditableAliases"
:
[
"user@example.com"
],
"archived"
:
false
,
"isEnrolledIn2Sv"
:
true
,
"includeInGlobalAddressList"
:
true
,
"Relations"
:
[{
"type"
:
"manager"
,
"value"
:
"user@example.com"
}],
"isAdmin"
:
false
,
"etag"
:
" E_TAG_VALUE
"
,
"lastLoginTime"
:
"2019-02-11T12:24:41.000Z"
,
"orgUnitPath"
:
"/OU-1"
,
"agreedToTerms"
:
true
,
"externalIds"
:
[{
"type"
:
"organization"
,
"value"
:
""
}],
"ipWhitelisted"
:
false
,
"kind"
:
"admin#directory#user"
,
"isEnforcedIn2Sv"
:
true
,
"isMailboxSetup"
:
true
,
"emails"
:
[{
"primary"
:
true
,
"address"
:
"user@example.com"
},
{
"address"
:
"user@example.com"
}],
"organizations"
:
[{
"department"
:
"R&D"
,
"customType"
:
""
,
"name"
:
"Company"
}],
"primaryEmail"
:
"user@example.com"
,
"name"
:
{
"fullName"
:
" NAME SURNAME
"
,
"givenName"
:
" NAME
"
,
"familyName"
:
" SURNAME
"
},
"gender"
:
{
"type"
:
"male"
},
"creationTime"
:
"2017-10-26T06:57:13.000Z"
,
"changePasswordAtNextLogin"
:
false
,
"customerId"
:
" CUSTOMER_ID
"
}]
Script result
The following table describes the values for the script result output when using the Enrich Entitiesaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Get Extension Details
Use the Get Extension Detailsaction to retrieve information about a specified Chrome extension.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Extension Details action requires the following parameters:
| Parameter | Description |
|---|---|
Extension ID
|
Required. A comma-separated list of extension IDs to enrich. |
Max Requesting Users To Return
|
Required. The maximum number of users to return who requested the extension installation. The maximum value is |
Max Requesting Devices To Return
|
Required. The maximum number of devices to return where the extension installation was requested. The maximum value is |
Action outputs
The Get Extension Detailsaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Get Extension Detailsaction:
[
{
"Entity"
:
"Example Extension Name"
,
"EntityResult"
:
{
"name"
:
"customers/example-customer-id/apps/chrome/exampleextensionid"
,
"displayName"
:
"Example Extension Name"
,
"description"
:
"A description for an example extension."
,
"appId"
:
"exampleextensionid"
,
"revisionId"
:
"11.3.0.0"
,
"type"
:
"CHROME"
,
"iconUri"
:
"https://lh3.googleusercontent.com/KxYKwMcAzhn_DBMVIb0mtvIOsAME2d8-csv5d_vnKYX6PL3D6BGbVy3hH68ky8nM9yTDGAPl6B77pA7tpu4_jeUkXw"
,
"detailUri"
:
"https://chromewebstore.google.com/detail/exampleextensionid"
,
"firstPublishTime"
:
"2011-12-14T06:57:01.918Z"
,
"latestPublishTime"
:
"2025-07-01T02:05:04.252Z"
,
"publisher"
:
"example-publisher"
,
"reviewNumber"
:
"5423"
,
"reviewRating"
:
4
,
"chromeAppInfo"
:
{
"supportEnabled"
:
true
,
"minUserCount"
:
3000000
,
"permissions"
:
[
{
"type"
:
"offscreen"
},
{
"type"
:
"scripting"
,
"documentationUri"
:
"https://developer.chrome.com/docs/extensions/reference/scripting/"
,
"accessUserData"
:
false
},
{
"type"
:
"storage"
,
"documentationUri"
:
"https://developer.chrome.com/docs/extensions/reference/storage/"
,
"accessUserData"
:
false
},
{
"type"
:
"tabs"
,
"documentationUri"
:
"https://developer.chrome.com/docs/extensions/reference/tabs#type-Tab"
,
"accessUserData"
:
true
}
],
"siteAccess"
:
[
{
"hostMatch"
:
"https://*/*"
},
{
"hostMatch"
:
"http://*/*"
}
],
"isTheme"
:
false
,
"googleOwned"
:
true
,
"isCwsHosted"
:
true
,
"kioskEnabled"
:
false
,
"isKioskOnly"
:
false
,
"type"
:
"EXTENSION"
,
"isExtensionPolicySupported"
:
false
,
"manifestVersion"
:
"3"
,
"requestingUserDetails"
:
[
{
"email"
:
"user@example.com"
,
"justification"
:
"Example justification for the request."
}
],
"requestingDeviceDetails"
:
[
{
"device"
:
"example-device-id"
,
"justification"
:
"Example justification for the request."
}
]
}
}
}
]
Output messages
The Get Extension Detailsaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Get Extension Details". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Extension Detailsaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Get Group Details
Use the Get Group Detailsaction to retrieve information about a group in Google Workspace.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Group Detailsaction requires the following parameters:
| Parameter | Description |
|---|---|
Group Email Addresses
|
Required. A comma-separated list of group emails to examine. |
Action outputs
The Get Group Detailsaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Get Group Detailsaction:
{
"Entity"
:
"group@example.com"
,
"EntityResult"
:
{
"kind"
:
"groupsSettings#groups"
,
"email"
:
"group@example.com"
,
"name"
:
" GROUP_NAME
"
,
"description"
:
" DESCRIPTION
"
,
"whoCanJoin"
:
"CAN_REQUEST_TO_JOIN"
,
"whoCanViewMembership"
:
"ALL_MEMBERS_CAN_VIEW"
,
"whoCanViewGroup"
:
"ALL_MEMBERS_CAN_VIEW"
,
"whoCanInvite"
:
"ALL_MANAGERS_CAN_INVITE"
,
"whoCanAdd"
:
"ALL_MANAGERS_CAN_ADD"
,
"allowExternalMembers"
:
"false"
,
"whoCanPostMessage"
:
"ANYONE_CAN_POST"
,
"allowWebPosting"
:
"true"
,
"primaryLanguage"
:
"en_US"
,
"maxMessageBytes"
:
26214400
,
"isArchived"
:
"false"
,
"archiveOnly"
:
"false"
,
"messageModerationLevel"
:
"MODERATE_NONE"
,
"spamModerationLevel"
:
"MODERATE"
,
"replyTo"
:
"REPLY_TO_IGNORE"
,
"includeCustomFooter"
:
"false"
,
"customFooterText"
:
""
,
"sendMessageDenyNotification"
:
"false"
,
"defaultMessageDenyNotificationText"
:
""
,
"showInGroupDirectory"
:
"true"
,
"allowGoogleCommunication"
:
"false"
,
"membersCanPostAsTheGroup"
:
"false"
,
"messageDisplayFont"
:
"DEFAULT_FONT"
,
"includeInGlobalAddressList"
:
"true"
,
"whoCanLeaveGroup"
:
"ALL_MEMBERS_CAN_LEAVE"
,
"whoCanContactOwner"
:
"ANYONE_CAN_CONTACT"
,
"whoCanAddReferences"
:
"NONE"
,
"whoCanAssignTopics"
:
"NONE"
,
"whoCanUnassignTopic"
:
"NONE"
,
"whoCanTakeTopics"
:
"NONE"
,
"whoCanMarkDuplicate"
:
"NONE"
,
"whoCanMarkNoResponseNeeded"
:
"NONE"
,
"whoCanMarkFavoriteReplyOnAnyTopic"
:
"NONE"
,
"whoCanMarkFavoriteReplyOnOwnTopic"
:
"NONE"
,
"whoCanUnmarkFavoriteReplyOnAnyTopic"
:
"NONE"
,
"whoCanEnterFreeFormTags"
:
"NONE"
,
"whoCanModifyTagsAndCategories"
:
"NONE"
,
"favoriteRepliesOnTop"
:
"true"
,
"whoCanApproveMembers"
:
"ALL_MANAGERS_CAN_APPROVE"
,
"whoCanBanUsers"
:
"OWNERS_AND_MANAGERS"
,
"whoCanModifyMembers"
:
"OWNERS_AND_MANAGERS"
,
"whoCanApproveMessages"
:
"OWNERS_AND_MANAGERS"
,
"whoCanDeleteAnyPost"
:
"OWNERS_AND_MANAGERS"
,
"whoCanDeleteTopics"
:
"OWNERS_AND_MANAGERS"
,
"whoCanLockTopics"
:
"OWNERS_AND_MANAGERS"
,
"whoCanMoveTopicsIn"
:
"OWNERS_AND_MANAGERS"
,
"whoCanMoveTopicsOut"
:
"OWNERS_AND_MANAGERS"
,
"whoCanPostAnnouncements"
:
"OWNERS_AND_MANAGERS"
,
"whoCanHideAbuse"
:
"NONE"
,
"whoCanMakeTopicsSticky"
:
"NONE"
,
"whoCanModerateMembers"
:
"OWNERS_AND_MANAGERS"
,
"whoCanModerateContent"
:
"OWNERS_AND_MANAGERS"
,
"whoCanAssistContent"
:
"NONE"
,
"customRolesEnabledForSettingsToBeMerged"
:
"false"
,
"enableCollaborativeInbox"
:
"false"
,
"whoCanDiscoverGroup"
:
"ALL_IN_DOMAIN_CAN_DISCOVER"
,
"defaultSender"
:
"DEFAULT_SELF"
}
}
Output messages
The Get Group Detailsaction provides the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Get Group Details". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Get Group Detailsaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Get Host Browser Details
Use the Get Host Browser Detailsaction to retrieve information about
browsers associated with a specified Google SecOps Hostname
entity.
This action runs on the Google SecOps Hostname
entity.
Action inputs
None.
Action outputs
The Get Host Browser Detailsaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Get Host Browser Detailsaction:
{
"Entity"
:
"example.host.com"
,
"EntityResult"
:
[
{
"deviceId"
:
"example-device-id"
,
"kind"
:
"admin#directory#browserdevice"
,
"lastPolicyFetchTime"
:
"2025-07-25T12:11:17.546Z"
,
"osPlatform"
:
"Linux"
,
"osArchitecture"
:
"x86_64"
,
"osVersion"
:
"6.12.27-1rodete1-amd64"
,
"machineName"
:
"example.host.com"
,
"lastRegistrationTime"
:
"2025-07-07T07:45:20.504Z"
,
"extensionCount"
:
"15"
,
"policyCount"
:
"23"
,
"lastDeviceUser"
:
"example-user"
,
"lastActivityTime"
:
"2025-07-26T12:13:55.385Z"
,
"osPlatformVersion"
:
"Linux 6.12.27-1rodete1-amd64"
,
"browserVersions"
:
[
"140.0.7259.2 (Dev)"
],
"lastStatusReportTime"
:
"2025-07-26T07:46:00.919Z"
,
"lastDeviceUsers"
:
[
{
"userName"
:
"example-user"
,
"lastStatusReportTime"
:
"2025-07-26T07:46:00.919Z"
}
],
"machinePolicies"
:
[
{
"source"
:
"MACHINE_LEVEL_USER_CLOUD"
,
"name"
:
"CloudReportingEnabled"
,
"value"
:
"true"
}
],
"browsers"
:
[
{
"browserVersion"
:
"140.0.7259.2"
,
"channel"
:
"DEV"
,
"lastStatusReportTime"
:
"2025-07-26T07:46:00.919Z"
,
"executablePath"
:
"/opt/google/chrome-unstable"
,
"profiles"
:
[
{
"name"
:
"Example User Profile"
,
"id"
:
"/home/example_user/.config/google-chrome/Default"
,
"lastStatusReportTime"
:
"2025-07-26T07:46:00.919Z"
,
"lastPolicyFetchTime"
:
"2025-07-25T12:11:17.546Z"
,
"chromeSignedInUserEmail"
:
"user@example.com"
,
"extensions"
:
[
{
"extensionId"
:
"exampleextensionid"
,
"version"
:
"2.0.6"
,
"permissions"
:
[
"alarms"
,
"contextMenus"
,
"management"
,
"storage"
,
"https://accounts.google.com/*"
,
"https://appengine.google.com/*"
,
"https://example.com/*"
,
"https://example.org/*"
,
"https://example-api.com/*"
,
"https://docs.example.com/*"
,
"https://internal.example.net/*"
,
"https://partners.example.com/*"
,
"https://www.google.com/*"
],
],
"name"
:
"Example Extension"
,
"description"
:
"This is a description for an example extension."
,
"appType"
:
"EXTENSION"
,
"homepageUrl"
:
"https://chromewebstore.google.com/detail/exampleextensionid"
,
"installType"
:
"ADMIN"
,
"manifestVersion"
:
3
}
],
"userPolicies"
:
[
{
"source"
:
"USER_CLOUD"
,
"name"
:
"CloudProfileReportingEnabled"
,
"value"
:
"true"
}
]
}
],
"pendingInstallVersion"
:
"140.0.7312.0"
}
],
"virtualDeviceId"
:
"example-virtual-device-id"
,
"orgUnitPath"
:
"/"
,
"deviceIdentifiersHistory"
:
{
"records"
:
[
{
"identifiers"
:
{
"machineName"
:
"example.host.com"
},
"firstRecordTime"
:
"2025-06-03T08:06:33.895Z"
,
"lastActivityTime"
:
"2025-07-26T07:46:01.325Z"
}
]
}
}
]
}
Output messages
The Get Host Browser Detailsaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Get Host Browser Details". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Host Browser Detailsaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
List Group Members
Use the List Group Membersaction to list the members of a Google Workspace group.
This action runs on all Google SecOps entities.
You can use the List Group Membersaction to solve the following use cases:
- Automate user onboarding and offboarding.
- Perform a security audit.
- Respond to incidents.
- Support the dynamic resource access.
Action inputs
The List Group Membersaction requires the following parameters:
| Parameter | Description |
|---|---|
Group Email Address
|
Required. An email address of the group. |
Include Derived Membership
|
Optional. If selected, the action lists indirect memberships of users in the group. Selected by default. |
Action outputs
The List Group Membersaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the List Group Membersaction:
{
"status"
:
"ACTIVE"
,
"kind"
:
"admin#directory#member"
,
"email"
:
"user1@example.com"
,
"etag"
:
" E_TAG_VALUE
"
,
"role"
:
"MEMBER"
,
"type"
:
"USER"
,
"id"
:
" ID
"
},{
"status"
:
"ACTIVE"
,
"kind"
:
"admin#directory#member"
,
"email"
:
"user2@example.com"
,
"etag"
:
" E_TAG_VALUE
"
,
"role"
:
"MEMBER"
,
"type"
:
"USER"
,
"id"
:
" ID
"
}
Script result
The following table describes the values for the script result output when using the List Group Membersaction:
| Script result name | Value |
|---|---|
members
|
True
or False
|
List Group Privileges
Use the List Group Privilegesaction to list roles and privileges that are related to the Google Workspace group.
This action doesn't run on Google SecOps entities.
Action inputs
The List Group Privilegesaction requires the following parameters:
| Parameter | Description |
|---|---|
Group Email Addresses
|
Optional. A comma-separated list of groups to examine. |
Check Roles
|
Optional. A comma-separated list of roles to check that are related to the group. |
Check Privileges
|
Optional. A comma-separated list of permissions that to check that are related to the group. This parameter requires you to select the Expand Privileges parameter. If you configured the Check Roles parameter, the action checks the privileges only for the roles that you listed. |
Expand Privileges
|
Optional. If selected, the action returns information about all unique privileges that are related to the group. |
Max Roles To Return
|
Required. The maximum number of roles that are related to the group to return. The default value is |
Max Privileges To Return
|
Required. The maximum number of privileges that are related to the group to return. The default value is |
Action outputs
The List Group Privilegesaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the List Group Privilegesaction:
{
"Entity"
:
"user@example.com"
,
"EntityResult"
:
{
"roles"
:
[
"Role1"
,
"_GROUPS_EDITOR_ROLE"
,
"example-role"
],
"unique_privileges"
:
[
"VIEW_SITE_DETAILS"
,
"ACCESS_EMAIL_LOG_SEARCH"
,
"ACCESS_ADMIN_QUARANTINE"
,
"ACCESS_RESTRICTED_QUARANTINE"
,
"ADMIN_QUALITY_DASHBOARD_ACCESS"
,
"MANAGE_DLP_RULE"
,
"DASHBOARD_ACCESS"
,
"MANAGE_GSC_RULE"
,
"VIEW_GSC_RULE"
,
"SECURITY_HEALTH_DASHBOARD_ACCESS"
,
"SIT_CALENDAR_VIEW_METADATA"
,
"SIT_CHAT_VIEW_METADATA"
,
"SIT_CHROME_VIEW_METADATA"
,
"SIT_DEVICE_UPDATE_DELETE"
,
"SIT_DEVICE_VIEW_METADATA"
,
"SIT_DRIVE_UPDATE_DELETE"
]
}
}
Output messages
The List Group Privilegesaction provides the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "List Group Privileges". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the List Group Privilegesaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
List OU of Account
Use the List OU of Accountaction to list organizational units of an account.
This action runs on all Google SecOps entities.
You can use the List OU of Accountaction to solve the following use cases:
- Automate user offboarding.
- Perform a targeted security auditing.
- Automate a group membership management.
- Streamline user provisioning.
- Automate compliance reporting and auditing.
Integration inputs
The List OU of Accountaction requires the following parameters:
| Parameter | Description |
|---|---|
Customer ID
|
Required. A unique ID of the customer Google Workspace account. To represent the |
Action outputs
The List OU of Accountaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the List OU of Accountaction:
[{
"kind"
:
"admin#directory#orgUnit"
,
"parentOrgUnitPath"
:
"/"
,
"name"
:
"OU-1"
,
"etag"
:
" E_TAG_VALUE
"
,
"orgUnitPath"
:
"/OU-1"
,
"parentOrgUnitId"
:
"id:1455"
,
"blockInheritance"
:
false
,
"orgUnitId"
:
"id:123"
,
"description"
:
""
}]
Script result
The following table describes the values for the script result output when using the List OU of Accountaction:
| Script result name | Value |
|---|---|
organizational_units
|
True
or False
|
List User Privileges
Use the List User Privilegesaction to list roles and privileges that are related to the user in Google Workspace.
This action runs on the Google SecOps User
entity.
Action inputs
The List User Privilegesaction requires the following parameters:
| Parameter | Description |
|---|---|
User Email Addresses
|
Optional. A comma-separated list of users to examine. The
action executes values that you configure for this parameter alongside the |
Check Roles
|
Optional. A comma-separated list of roles to check that are related to the user. |
Check Privileges
|
Optional. A comma-separated list of permissions to verify that are related to the user. This parameter requires you to select the Expand Privileges parameter. If you configured the Check Roles parameter, the action checks the privileges only for the roles that you listed. |
Include Inherited Roles
|
Optional. If selected, the action additionally returns user roles that are inherited from groups. |
Expand Privileges
|
Optional. If selected, the action returns information about all unique privileges that are related to the user. |
Max Roles To Return
|
Required. The maximum number of roles that are related to the user to return. The default value is |
Max Privileges To Return
|
Required. The maximum number of privileges that are related to the user to return. The default value is |
Action outputs
The List User Privilegesaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the List User Privilegesaction:
{
"Entity"
:
"user@example.com"
,
"EntityResult"
:
{
"roles"
:
[
"Role1"
,
"_GROUPS_EDITOR_ROLE"
,
"example-role"
],
"unique_privileges"
:
[
"VIEW_SITE_DETAILS"
,
"ACCESS_EMAIL_LOG_SEARCH"
,
"ACCESS_ADMIN_QUARANTINE"
,
"ACCESS_RESTRICTED_QUARANTINE"
,
"ADMIN_QUALITY_DASHBOARD_ACCESS"
,
"MANAGE_DLP_RULE"
,
"DASHBOARD_ACCESS"
,
"MANAGE_GSC_RULE"
,
"VIEW_GSC_RULE"
,
"SECURITY_HEALTH_DASHBOARD_ACCESS"
,
"SIT_CALENDAR_VIEW_METADATA"
,
"SIT_CHAT_VIEW_METADATA"
,
"SIT_CHROME_VIEW_METADATA"
,
"SIT_DEVICE_UPDATE_DELETE"
,
"SIT_DEVICE_VIEW_METADATA"
,
"SIT_DRIVE_UPDATE_DELETE"
]
}
}
Output messages
The List User Privilegesaction provides the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "List User Privileges". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the List User Privilegesaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
List Users
Use the List Usersaction to list users present in an account.
This action doesn't run on Google SecOps entities.
You can use the List Usersaction to solve the following use cases:
- Identify potentially compromised accounts.
- Automate offboarding processes.
- Audit and manage user access privileges
- Investigate suspicious activities.
- Manage user licenses and resources.
Action inputs
The List Usersaction requires the following parameters:
| Parameter | Description |
|---|---|
Customer ID
|
Optional. A unique ID of the customer Google Workspace account. If you don't provide this parameter value, the action
automatically uses the |
Domain
|
Optional. A domain to search for users. |
Manager Email
|
Optional. An email address of a user's manager. |
Return Only Admin Accounts?
|
Optional. If selected, the action returns only administrator accounts. Not selected by default. |
Return Only Delegated Admin Accounts?
|
Optional. If selected, the action returns only delegated administrator accounts. Not selected by default. |
Return Only Suspended Users?
|
Optional. If selected, the action returns only suspended accounts. Not selected by default. |
Org Unit Path
|
Optional. A full path of an organization unit from which to retrieve the users. The path matches all organization unit chains listed under the target unit. |
Department
|
Optional. A department within the organization from which to retrieve the users. |
Record Limit
|
Optional. The maximum number of data records for the action to return. The default value is |
Custom Query Parameter
|
Optional. A custom query parameter to add to the list users
search call, such as You can configure this parameter with the |
Return only users without 2fa?
|
Optional. If selected, the action only returns users who don't have the two-factor authentication (2FA) enabled. Not selected by default. |
Email Addresses
|
Optional. A comma-separated list of email addresses to search. If you configure this parameter, don't configure the If you configure this parameter, the action ignores the |
Action outputs
The List Usersaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
Case wall table
The List Usersaction provides the following table on a Case Wall:
Table name: Google G Suite Users
Table columns:
- ID
- Given Name
- Family Name
- Is Admin?
- Is Delegated Admin?
- Creation Time
- Last Login Time
- Suspended?
- Archived?
- Change Password At Next Login?
- Customer ID
- Org Unit Path
- Is Mailbox set?
- Recovery Email
JSON result
The following example describes the JSON result output received when using the List Usersaction:
{
"kind"
:
"admin#directory#users"
,
"etag"
:
" E_TAG_VALUE
"
,
"users"
:
[
{
"kind"
:
"admin#directory#user"
,
"id"
:
" ID
"
,
"etag"
:
" E_TAG_VALUE
"
,
"primaryEmail"
:
"user@example.com"
,
"name"
:
{
"givenName"
:
" NAME
"
,
"familyName"
:
" SURNAME
"
,
"fullName"
:
" NAME SURNAME
"
},
"isAdmin"
:
true
,
"isDelegatedAdmin"
:
false
,
"lastLoginTime"
:
"2020-12-22T06:40:34.000Z"
,
"creationTime"
:
"2020-07-22T09:23:28.000Z"
,
"agreedToTerms"
:
true
,
"suspended"
:
false
,
"archived"
:
false
,
"changePasswordAtNextLogin"
:
false
,
"ipWhitelisted"
:
false
,
"emails"
:
[
{
"address"
:
"user@example.com"
,
"primary"
:
true
},
{
"address"
:
"user@example.com"
}
],
"nonEditableAliases"
:
[
"user@example.com"
],
"customerId"
:
" CUSTOMER_ID
"
,
"orgUnitPath"
:
"/Management"
,
"isMailboxSetup"
:
true
,
"isEnrolledIn2Sv"
:
false
,
"isEnforcedIn2Sv"
:
false
,
"includeInGlobalAddressList"
:
true
,
"recoveryEmail"
:
"email@example.com"
}
]
}
Output messages
The List Usersaction provides the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Failed to connect to the Google Workspace! Error is ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the List Usersaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Ping
Use the Pingaction to test connectivity to Google Workspace.
This action runs on all Google SecOps entities.
Action inputs
None.
Action outputs
The Pingaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Script result | Available |
Script result
The following table describes the values for the script result output when using the Pingaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Remove Members From Group
Use the Remove Members From Groupaction to remove members from a Google Workspace group.
This action runs on the Google SecOps User
entity.
You can use the List Usersaction to solve the following use cases:
- Automate user offboarding.
- Execute dynamic group management.
- Remediate access control issues.
Action inputs
The Remove Members From Groupaction requires the following parameters:
| Parameter | Description |
|---|---|
Group Email Address
|
Required. An email of the group from which to remove the members. |
User Email Addresses
|
Optional. A comma-separated list of users to remove from the group. The action executes values that you configure for this
parameter alongside the |
Action outputs
The Remove Members From Groupaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Script result | Available |
Script result
The following table describes the values for the script result output when using the Remove Members From Groupaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Revoke User Sessions
Use the Revoke User Sessionsaction to revoke the user web and device sessions and reset their sign-in cookies in Google Workspace.
This action runs on the Google SecOps User
entity.
Action inputs
The Revoke User Sessionsaction requires the following parameters:
| Parameter | Description |
|---|---|
User Email Addresses
|
Optional. A comma-separated list of users to sign out. The
action runs the values from this parameter with Google SecOps |
Action outputs
The Revoke User Sessionsaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Revoke User Sessionsaction:
[
{
"Entity"
:
" ENTITY_ID
"
,
"EntityResult"
:
{
"Status"
:
"done"
}
}
]
Output messages
The Revoke User Sessionsaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Revoke User Sessions". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Revoke User Sessionsaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Search User Activity Events
Use the Search User Activity Eventsaction to retrieve activity events from
an application for a specified Google SecOps User
entity.
This action runs on the Google SecOps User
entity.
Action inputs
The Search User Activity Eventsaction requires the following parameters:
User Email Addresses
Optional.
A comma-separated list of additional user email addresses to process.
The action processes all users in this list in addition to a User
entity (if one is provided).
Application Names
Required.
A list of applications to query for activity events.
For a full list of supported applications, see the ApplicationName documentation .
Event Type Filter
Optional.
A comma-separated list of event types to retrieve.
Time Frame
Optional.
The timeframe for the activity search.
The possible values are as follows:
-
Last Hour -
Last 6 Hours -
Last 24 Hours -
Last Week -
Last Month -
Custom
If Custom
is selected, the Start Time
parameter is
required.
The default value is Last Hour
.
Start Time
Optional.
The start of the time range for the activity search.
This parameter is required if Custom
is selected for the Time Frame
parameter.
Configure the value in ISO 8601 format.
End Time
Optional.
The end of the time range for the activity search.
This parameter is optional when Custom
is selected for the Time Frame
parameter and defaults to the current time if not
provided.
Configure the value in ISO 8601 format.
Max Events To Return
Required.
The maximum number of events to return per user.
The action processes a maximum of 1000
events per user, per
application.
The default value is 200
.
The maximum value is 1000
.
Action outputs
The Search User Activity Eventsaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Search User Activity Eventsaction:
{
"Entity"
:
"user@example.com"
,
"EntityResult"
:
[
{
"applicationName"
:
"login"
,
"type"
:
"login"
,
"name"
:
"login_success"
,
"parameters"
:
[
{
"name"
:
"login_type"
,
"value"
:
"google_password"
},
{
"name"
:
"login_challenge_method"
,
"multiValue"
:
[
"password"
]
},
{
"name"
:
"is_suspicious"
,
"boolValue"
:
false
}
]
},
{
"applicationName"
:
"token"
,
"type"
:
"auth"
,
"name"
:
"authorize"
,
"parameters"
:
[
{
"name"
:
"client_id"
,
"value"
:
"example-client-id.apps.googleusercontent.com"
},
{
"name"
:
"app_name"
,
"value"
:
"Google Chrome"
},
{
"name"
:
"client_type"
,
"value"
:
"NATIVE_DESKTOP"
},
{
"name"
:
"scope_data"
,
"multiMessageValue"
:
[
{
"parameter"
:
[
{
"name"
:
"scope_name"
,
"value"
:
"https://www.google.com/accounts/OAuthLogin"
},
{
"name"
:
"product_bucket"
,
"multiValue"
:
[
"IDENTITY"
]
}
]
}
]
},
{
"name"
:
"scope"
,
"multiValue"
:
[
"https://www.google.com/accounts/OAuthLogin"
]
}
]
}
]
}
Output messages
The Search User Activity Eventsaction can return the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Search User Activity Events". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Search User Activity Eventsaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Update OU
Use the Update OUaction to update an organizational unit (OU).
This action runs on all Google SecOps entities.
You can use the Update OUaction to solve the following use cases:
- Manage security groups.
- Automate onboarding and offboarding of users.
- Implement data separation policies.
Action inputs
The Update OUaction requires the following parameters:
| Parameter | Description |
|---|---|
Customer ID
|
Required. A unique ID of the customer Google Workspace account. To represent the |
Name
|
Optional. A name of the OU. |
Description
|
Optional. A description of the OU. |
OU Path
|
Required. A full path to the OU. If the
OU is located under the root path, |
Action outputs
The Update OUaction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Script result | Available |
Script result
The following table describes the values for the script result output when using the Update OUaction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Update User
Use the Update Useraction to update a Google Workspace directory user.
This action doesn't run on Google SecOps entities.
You can use the Update Useraction to solve the following use cases:
- Disable a compromised account.
- Enforce a password reset after detecting suspicious activity.
- Update department information after completing an employee transfer.
- Suspend inactive accounts.
Action inputs
The Update Useraction requires the following parameters:
Email Address
Required.
A comma-separated list of primary email addresses that are used to identify what users to update.
Given Name
Optional.
The user's first name.
Family Name
Optional.
The user's last name.
Password
Optional.
The password of the new user.
Phone
Optional.
The phone number of the user.
The action
updates the custom
phone number type.
Gender
Optional.
The gender of the user.
The valid values are
as follows: female
, male
, other
, unknown
.
Department
Optional.
The name of the user's department.
Organization
Optional.
The name of the user's organization.
Change Password At Next Login
Optional.
If selected, the system requires the user to change their password on the next login attempt.
Not selected by default.
User Status
Optional.
The user status to update.
By default, the action doesn't change the user status.
The possible values are as follows:-
Not Changed -
Blocked -
Unblocked
Action outputs
The Update Useraction provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Update Useraction provides the following output messages:
| Output message | Message description |
|---|---|
| |
The action succeeded. |
Error executing action "Update User". Reason: ERROR_REASON
|
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Update Useraction:
| Script result name | Value |
|---|---|
is_success
|
True
or False
|
Need more help? Get answers from Community members and Google SecOps professionals.
