Share via

How to Collect Only Google Workspace Login Logs Using the Connector (Cost Optimization)

mara7 226 Reputation points
2025-12-10T06:50:33.5966667+00:00

Hello Team,

We are trying to collect Google account login logs in Microsoft Sentinel using the Google Workspace Activities (via Codeless Connector Framework) (Preview) connector.

From what we have observed, this connector seems to collect all Google activity logs. However, we only need login logs, and we want to exclude other events to reduce costs.

Questions:

  1. Is there a way to filter and collect only login logs using this connector?
  2. Can we use a Data Collection Rule (DCR) to collect only login logs and reduce ingestion/storage costs?
    • If DCR is not supported, what alternative methods are available?
      • If DCR is supported, how can we connect and configure it with this connector?

Thank you.

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
0 comments
Answer accepted by question author
  1. Siva shunmugam Nadessin 3,435 Reputation points Microsoft External Staff Moderator
    2025-12-10T08:15:41.4966667+00:00

    Hello mara7

    Thank you for reaching out to the Microsoft Q&A forum.

    Here's what you can consider:

    Filtering with Data Collection Rules (DCR):

    Currently, the Google Workspace Activities connector captures all activity logs, and there is no native filtering option in the connector to select only login logs. However, you can use Data Collection Rules (DCR) to help manage the ingestion of logs and potentially reduce costs.

    By creating a DCR, you can set parameters that target the specific data you want to collect. If supported, this would allow you to filter out non-login related logs and collect only what you truly need.

    Setting up the DCR:

    First, you'd want to navigate to your Azure Monitor in the Azure portal. From there, you’ll create a new DCR by following these steps:

    • Go to Data Collection Rules.
    • Select Add to create a new rule.
    • Specify the name, resource group, and subscription.
    • Under Add data source, choose the logs you want to collect (in this case, the Google Workspace logs).
    • Apply necessary filters to focus on login events.
    • Save your DCR and monitor your ingestion rates to ensure it meets your needs.
    1. Alternative Methods:
      • If DCR is not supported with the Google Workspace connector, consider leveraging Log Analytics queries after ingestion to separate out login logs for reporting and analysis, though it may not directly reduce costs.
      • Another potential workaround is to periodically audit and clear out unnecessary logs or set up Azure Policy alerts for data usage.

    Follow-Up Questions:

    To provide more tailored assistance, here are a few follow-up questions:

    • Have you already set up the Google Workspace connector, or is that still pending?
    • Are you currently using any specific data filtering techniques within your DCRs?
    • What specific types of login logs are you looking to collect (e.g., successful logins, failed logins)?
    • Do you have any log retention policies defined already that might impact your collection?

    Hope this helps you move forward! Feel free to drop more questions if needed!

    References:

     

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.