  • GWS License: Enterprise Plus
  • Ingestion method to SecOps: Direct Ingestion configured in GWS Admin Console
  • Issue: User/Device Entity Enrichment is missing. Have a look in the screenshot where I compared a log from SecOps when the ingestion was done through SIEM Feeds versus collected through Direct Ingestion. Any idea if there’s an additional configuration to get this?
Hi ar3diu --

Did you configure the desired enrichment labels in the SIEM feed or were they set up by default? Are you using a connector or agent like BindPlane? If so, are logs tagged with the correct log_type so SecOps knows to apply the right parser? Without these labels, SecOps may treat logs as “generic” and just skip enrichment entirely.

@russell_pfeifer there are no such things to configure when you set up Direct Ingestion from Google Workspace to SecOps.

You generate a token in SecOps and then use it in the admin console.


Hmm there isn’t by way of documentation that describes how to remedy this -- you may have to simply switch back to SIEM Feeds although I would ping your SecOps rep first. 


The WORKSPACE_ACTIVITY direct feed does not include the WORKSPACE_USERS context source, and so you will still need a Feed setup to collect WORKSPACE_USERS via Feed Management. 

 

Do you still have the WORKSPACE_USERS Feed set up, and working? If you run a UDM Search for the user in your screenshot, does any Entity data get returned? e.g., graph.entity.user.email_addresses = "x" from the WORKSPACE_USERS context source.
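To make the point above concrete, here is an added example (not part of this thread, and not a SecOps API call) that mimics the join SecOps performs between activity events and the entity context graph. The records are constructed sample data shaped like WORKSPACE_ACTIVITY events and WORKSPACE_USERS entity records, using UDM field names (principal.user.email_addresses, graph.entity.user.email_addresses); the join logic and the coverage report are assumptions made for illustration. Running the report with an empty context list reproduces the symptom in the screenshot: every event arrives without user enrichment.

```python
"""Enrichment-coverage check over constructed UDM-style records (added example).

Not SecOps code: it models, locally, why activity events lack user/device
enrichment when the WORKSPACE_USERS context feed is disabled. Field names are
UDM-style; the records below are constructed sample data.
"""
from __future__ import annotations

from typing import Iterable

# Constructed WORKSPACE_USERS-style entity context records (sample data).
ENTITY_CONTEXT = [
    {"graph": {"entity": {"user": {"email_addresses": ["alice@example.com"],
                                   "first_name": "Alice",
                                   "department": "Finance"}}}},
    {"graph": {"entity": {"user": {"email_addresses": ["bob@example.com"],
                                   "first_name": "Bob",
                                   "department": "IT"}}}},
]

# Constructed WORKSPACE_ACTIVITY-style events (sample data). Carol has no
# matching context record, so she will stay unenriched even with the feed on.
ACTIVITY_EVENTS = [
    {"metadata": {"event_type": "USER_LOGIN", "log_type": "WORKSPACE_ACTIVITY"},
     "principal": {"user": {"email_addresses": ["alice@example.com"]}}},
    {"metadata": {"event_type": "USER_LOGIN", "log_type": "WORKSPACE_ACTIVITY"},
     "principal": {"user": {"email_addresses": ["carol@example.com"]}}},
]


def build_user_index(context: Iterable[dict]) -> dict[str, dict]:
    """Index entity records by lowercased email, roughly as an entity graph would."""
    index: dict[str, dict] = {}
    for rec in context:
        user = rec.get("graph", {}).get("entity", {}).get("user", {})
        for email in user.get("email_addresses", []):
            index[email.lower()] = user
    return index


def has_context(event: dict, index: dict[str, dict]) -> bool:
    """True if any principal email of the event resolves to an entity record."""
    emails = event.get("principal", {}).get("user", {}).get("email_addresses", [])
    return any(e.lower() in index for e in emails)


def enrich(event: dict, index: dict[str, dict]) -> dict:
    """Return a copy of the event with principal.user filled from context, if any.

    The original event is not mutated; only attributes the event itself lacks
    (first_name, department, ...) are copied in from the context record.
    """
    out = {**event, "principal": {**event.get("principal", {})}}
    user = dict(out["principal"].get("user", {}))
    for email in user.get("email_addresses", []):
        ctx = index.get(email.lower())
        if ctx:
            for key, value in ctx.items():
                user.setdefault(key, value)
            break
    out["principal"]["user"] = user
    return out


def coverage_report(events: list[dict], context: Iterable[dict]) -> dict:
    """Summarise how many events would be enriched given the supplied context."""
    index = build_user_index(context)
    missing = [
        e["principal"]["user"]["email_addresses"][0]
        for e in events
        if not has_context(e, index)
    ]
    return {
        "total": len(events),
        "enriched": len(events) - len(missing),
        "missing": missing,
        "context_records": len(index),
    }


if __name__ == "__main__":
    print("with WORKSPACE_USERS context:", coverage_report(ACTIVITY_EVENTS, ENTITY_CONTEXT))
    print("context feed disabled:       ", coverage_report(ACTIVITY_EVENTS, []))
```

The second report is the situation described in this thread: the activity events are fine, but with no context records there is nothing to join against, so enrichment is empty for every user regardless of how the activity feed itself was ingested.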


@cmmartin_google No, that feed was disabled because I thought we should get the same info through Direct Ingestion. This is what we had enabled before setting up Direct Ingestion:

```
Workspace Users
Workspace Groups
Workspace Privileges
Workspace Alerts
Workspace Mobile Devices
Workspace Activities
Workspace ChromeOS Devices
```

So, I suppose I should enable all of them except for Workspace Activities in order to get context information for users, groups and devices?
