
Google Workspace CCF Connector Drops Product Buckets from OAuth Authorize Events #14387

@rabbanee-elsayed-cko

Description


Describe the bug
When ingesting Google Workspace Token audit events (application=token), the connector appears to flatten the nested scope_data structure and retains only the final product_bucket value pair.

As a result, OAuth authorization events that contain multiple scopes and associated product buckets lose information during ingestion.

For example, a Google Workspace OAuth authorization event may contain:

GMAIL
DRIVE
APPS_SCRIPT_RUNTIME
IDENTITY
OTHER

However, the ingested Sentinel event only contains:

"product_bucket": ["IDENTITY","OTHER"]

which corresponds to the final scope entry (userinfo.email).

This causes loss of context during security investigations because the relationship between OAuth scopes and Google products is no longer preserved.

To Reproduce
Steps to reproduce the behavior:

  1. Deploy the Google Workspace CCP connector.
  2. Enable ingestion of Token audit events (applications/token).
  3. Authorize a third-party application that requests multiple scopes such as:
    - gmail.send
    - drive.file
    - documents
    - script.external_request
    - userinfo.email
  4. Review the event in Google Workspace Admin Audit Logs.
  5. Review the corresponding event in GoogleWorkspaceReports.

Expected behavior

The connector should preserve all product bucket information returned by the Google Reports API.

Example source data:

{
"scope_name": "https://www.googleapis.com/auth/gmail.send",
"product_bucket": ["GMAIL"]
}
{
"scope_name": "https://www.googleapis.com/auth/script.external_request",
"product_bucket": ["APPS_SCRIPT_RUNTIME"]
}
{
"scope_name": "https://www.googleapis.com/auth/documents",
"product_bucket": ["DRIVE"]
}

Expected Sentinel representation:

  - Preserve the full scope_data structure, or
  - Expose all product buckets in a flattened array

Example:

"product_bucket": [
"GMAIL",
"DRIVE",
"APPS_SCRIPT_RUNTIME",
"IDENTITY",
"OTHER"
]

Actual behavior

The ingested event only contains:

"product_bucket": [
"IDENTITY",
"OTHER"
]

while all other product buckets are lost.

The Scope field correctly contains all scopes, indicating the source API returned the complete data.

Example:

"Scope": [
"https://www.googleapis.com/auth/documents",
"https://www.googleapis.com/auth/drive.file",
"https://www.googleapis.com/auth/gmail.send",
"https://www.googleapis.com/auth/script.external_request",
"https://www.googleapis.com/auth/spreadsheets",
"https://www.googleapis.com/auth/userinfo.email"
]

but only the final product bucket is retained.

Additional context

The issue appears related to the connector transformation:

"transformName": "/ASI/GoogleWorkspace/OneDetectionPerRow"

The raw Google Reports API response contains a nested:

events[].parameters[].multiMessageValue[]

structure under scope_data.

A custom ingestion pipeline consuming the same Google Reports API endpoint preserves all product buckets correctly, suggesting the issue occurs during the CCP transformation rather than at the Google API source.
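To make the information loss concrete, here is an added example (not code from the issue author or from the connector) that walks a token event in the nested shape the issue describes, collecting every product_bucket per scope and contrasting the expected flattened union with the "last scope entry wins" result. The sample event and its field names (scope_data, multiMessageValue, parameter, scope_name, product_bucket) are constructed to match the structure named above, and the helper functions are hypothetical.

```python
from typing import Dict, List, Optional

# Constructed sample token event modelled on the nested
# events[].parameters[].multiMessageValue[] structure the issue describes.
SAMPLE_EVENT = {
    "type": "auth", "name": "authorize",
    "parameters": [
        {"name": "scope_data", "multiMessageValue": [
            {"parameter": [
                {"name": "scope_name", "value": "https://www.googleapis.com/auth/gmail.send"},
                {"name": "product_bucket", "multiValue": ["GMAIL"]}]},
            {"parameter": [
                {"name": "scope_name", "value": "https://www.googleapis.com/auth/script.external_request"},
                {"name": "product_bucket", "multiValue": ["APPS_SCRIPT_RUNTIME"]}]},
            {"parameter": [
                {"name": "scope_name", "value": "https://www.googleapis.com/auth/documents"},
                {"name": "product_bucket", "multiValue": ["DRIVE"]}]},
            {"parameter": [
                {"name": "scope_name", "value": "https://www.googleapis.com/auth/userinfo.email"},
                {"name": "product_bucket", "multiValue": ["IDENTITY", "OTHER"]}]},
        ]},
    ],
}


def _param(params: List[dict], name: str) -> Optional[dict]:
    """Find a parameter entry by its 'name' key (hypothetical helper)."""
    return next((p for p in params if p.get("name") == name), None)


def scope_buckets(event: dict) -> Dict[str, List[str]]:
    """Map each scope_name to its product_bucket list, preserving every entry."""
    scope_data = _param(event.get("parameters", []), "scope_data") or {}
    result: Dict[str, List[str]] = {}
    for msg in scope_data.get("multiMessageValue", []):
        inner = msg.get("parameter", [])
        name = (_param(inner, "scope_name") or {}).get("value")
        buckets = (_param(inner, "product_bucket") or {}).get("multiValue", [])
        if name:
            result[name] = list(buckets)
    return result


def all_product_buckets(event: dict) -> List[str]:
    """Expected representation: ordered, de-duplicated union across all scopes."""
    seen: List[str] = []
    for buckets in scope_buckets(event).values():
        seen.extend(b for b in buckets if b not in seen)
    return seen


def last_bucket_only(event: dict) -> List[str]:
    """Reproduces the lossy behaviour reported: only the final scope's buckets survive."""
    per_scope = list(scope_buckets(event).values())
    return per_scope[-1] if per_scope else []
```

Feeding the same event through both functions shows that `all_product_buckets` keeps GMAIL, DRIVE and APPS_SCRIPT_RUNTIME, while `last_bucket_only` returns just IDENTITY and OTHER, which is the ingested result described in the issue.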
