Sentinel Data Connector: Google Workspace (G Suite) (using Azure Functions)

this happens most commonly because the Google Workspace Reports connector (using Azure Functions) doesn’t automatically create every table that the workbook expects. The workbook template sometimes calls older or optional tables like GWorkspace_ReportsAPI_gcp_CL, which might not be generated depending on which APIs you’ve enabled in your Google service account or which function app template you deployed.

Try below,
CHeck actual ingested tables:

search * 
| summarize count() by $table
| where $table startswith "GWorkspace_ReportsAPI"


You’ll likely see tables such as GWorkspace_ReportsAPI_admin_CL, drive_CL, login_CL, etc., but not gcp_CL. If it’s missing, that’s confirmation that no logs have ever been created for that API scope.

Second, confirm API scopes in the Google project. The Azure Function that ingests data depends on the API scopes you authorized during setup. If the GCP-specific scope (related to Cloud Project logs) wasn’t enabled, that table won’t appear. You can edit your Function App configuration (config.json or Application Settings) and add the missing API scopes or endpoints for the Reports API, then restart the function.

I will also try to update the workbook query, If your environment doesn’t use the GCP API data, simply edit the workbook and remove GWorkspace_ReportsAPI_gcp_CL from the union statement. The workbook will then run successfully using only the tables that exist.

You may also wanna check connector version check. You mentioned version 3.0.2 that’s the latest as of this date, but the workbook template itself may not have been updated to align with the latest schema. Microsoft’s GitHub repository for Sentinel solutions sometimes lags behind connector updates. You can check for updated templates or remove the outdated references manually in the workbook JSON.