Skip to main content
Question

Why do we need WORKSPACE_PRIVILEGES if we already have WORKSPACE_ACTIVITY, WORKSPACE_USERS, WORKSPACE_GROUPS, and WORKSPACE_ALERTS?

  • June 9, 2026
  • 1 reply
  • 35 views

havox
Forum|alt.badge.img+5

Hi Google Community,

We have already enabled these Google Workspace logs:

  • WORKSPACE_ACTIVITY
  • WORKSPACE_USERS
  • WORKSPACE_GROUPS
  • WORKSPACE_ALERTS

We want to understand clearly what WORKSPACE_PRIVILEGES will do differently compared to the above log sources.

Main Questions:

  1. What extra things does WORKSPACE_PRIVILEGES handle that the other parsers (especially WORKSPACE_ACTIVITY) do not cover well?
  2. Can you explain the benefits of enabling WORKSPACE_PRIVILEGES?
  3. Please give some examples of logs/events:
    • How they look in WORKSPACE_ACTIVITY (or others)
    • How they look better / different in WORKSPACE_PRIVILEGES

We want to confirm the real value before enabling it for the client.

1 reply

cmorris
Staff
Forum|alt.badge.img+14
  • Staff
  • June 9, 2026

It looks like these are entity logs, rather than event logs. So instead of focusing on activity, they will show the privileges assigned to a user when they are pulled in daily. This information will be used to enrich the user for further use in SecOps (ex. a rule that used information about a user’s privileges).

https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/workspace-activity#supported-log-formats:~:text=WORKSPACE_PRIVILEGES%20sample%20logs

This differs from WORKSPACE_ACTIVITY that shows events, so ACTIVITY could have an event where a user’s permissions were changed, for example, whereas PRIVILEGES would show current roles at the time of the pull.