Google Workspace Integration - Elastic
Google Workspace Integration
The Google Workspace integration collects and parses data from the different Google Workspace audit reports APIs(external, opens in a new tab or window).
If you want to know more about how you can fully leverage the Google Workspace integration, there is a multipart blog from our Security Labs that will help you:
- To understand what Google Workspace is in Part One - Surveying the Land(external, opens in a new tab or window)
- To set it up, step by step, in Part Two - Setup Threat Detection with Elastic(external, opens in a new tab or window)
- And to use the collected information to your advantage in Part Three - Detecting Common Threats(external, opens in a new tab or window)
Compatibility
It is compatible with a subset of applications under the Google Reports API v1(external, opens in a new tab or window). As of today it supports:
|
Google Workspace Service
|
Description
|
|---|---|
|
View users’ successful and failed sign-ins to SAML applications.
|
|
|
Audit actions carried out by users on their own accounts including password changes, account recovery details and 2-Step Verification enrollment.
|
|
|
Track user sign-in activity to your domain.
|
|
|
View a record of actions to review your user’s attempts to share sensitive data.
|
|
|
View administrator activity performed within the Google Admin console.
|
|
|
Record user activity within Google Drive including content creation in such as Google Docs, as well as content created elsewhere that your users upload to Drive such as PDFs and Microsoft Word files.
|
|
|
Track changes to groups, group memberships and group messages.
|
|
|
The Group Enterprise activity report returns information about various types of Enterprise Groups Audit activity events.
|
|
|
The Mobile activity report returns information about various types of Device Audit activity events.
|
|
|
The Token activity report returns information about various types of OAuth Token Audit activity events.
|
|
|
The Access Transparency activity report returns information about various types of Access Transparency activity events.
|
|
|
The Context Aware Access activity report returns information about various types of Context-Aware Access Audit activity events.
|
|
|
The GCP activity report returns information about various types of Google Cloud Platform activity events.
|
Requirements
In order to ingest data from the Google Reports API you must:
- Have an administrator account.
- Set up a ServiceAccount(external, opens in a new tab or window) using the administrator account.
- Set up access to the Admin SDK API(external, opens in a new tab or window) for the ServiceAccount.
- Enable Domain-Wide Delegation(external, opens in a new tab or window) for your ServiceAccount.
This integration will make use of the following oauth2 scope:
https://www.googleapis.com/auth/admin.reports.audit.readonly
Once you have downloaded your service account credentials as a JSON file, you are ready to set up your integration.
Click the Advanced option of Google Workspace Audit Reports. The default value of "API Host" is https://www.googleapis.com. The API Host will be used for collecting access_transparency, admin, device, context_aware_access, drive, gcp, groups, group_enterprise, login, rules, saml, token and user accounts logs.
NOTE: The
Delegated Accountvalue in the configuration, is expected to be the email of the administrator account, and not the email of the ServiceAccount.
Google Workspace Alert
The Google Workspace(external, opens in a new tab or window) Integration collects and parses data received from the Google Workspace Alert Center API using HTTP JSON Input.
Compatibility
-
Alert Data Stream has been tested against
Google Workspace Alert Center API (v1). -
Following Alert types have been supported in the current integration version:
- Customer takeout initiated
- Malware reclassification
- Misconfigured whitelist
- Phishing reclassification
- Suspicious message reported
- User reported phishing
- User reported spam spike
- Leaked password
- Suspicious login
- Suspicious login (less secure app)
- Suspicious programmatic login
- User suspended
- User suspended (spam)
- User suspended (spam through relay)
- User suspended (suspicious activity)
- Google Operations
- Configuration problem
- Government attack warning
- Device compromised
- Suspicious activity
- AppMaker Default Cloud SQL setup
- Activity Rule
- Data Loss Prevention
- Apps outage
- Primary admin changed
- SSO profile added
- SSO profile updated
- SSO profile deleted
- Super admin password reset
- Account suspension warning
- Calendar settings changed
- Chrome devices auto-update expiration warning
- Customer takeout initiated
- Drive settings changed
- Email settings changed
- Gmail potential employee spoofing
- Mobile settings changed
- New user added
- Reporting Rule
- Suspended user made active
- User deleted
- User granted Admin privilege
- User suspended (spam)
- User's Admin privileges revoked
- Users password changed
- Google Voice configuration problem detected
Requirements
In order to ingest data from the Google Alert Center API, you must:
- Have an administrator account.
- Set up a ServiceAccount(external, opens in a new tab or window) using the Administrator Account.
- Set up access to the Admin SDK API(external, opens in a new tab or window) for the ServiceAccount.
- Enable Domain-Wide Delegation(external, opens in a new tab or window) for the ServiceAccount.
This integration will make use of the following oauth2 scope:
https://www.googleapis.com/auth/apps.alerts
Once Service Account credentials are downloaded as a JSON file, then the integration can be setup to collect data.
NOTE: The
Delegated Accountvalue in the configuration, is expected to be the email of the administrator account, and not the email of the ServiceAccount.
NOTE: The default value of the "Page Size" is set to 1000. This option is available under 'Alert' Advance options. Set the parameter "Page Size" according to the requirement. For Alert Data Stream, The default value of "Alert Center API Host" is
https://alertcenter.googleapis.com. The Alert Center API Host will be used for collecting alert logs only.
Logs
Google Workspace Reports ECS fields
This is a list of Google Workspace Reports fields that are mapped to ECS that are common to al data sets.
|
Google Workspace Reports
|
ECS Fields
|
|---|---|
items[].id.time |
@timestamp |
items[].id.uniqueQualifier |
event.id |
items[].id.applicationName |
event.provider |
items[].events[].name |
event.action |
items[].customerId |
organization.id |
items[].ipAddress |
source.ip, related.ip, source.as.*, source.geo.* |
items[].actor.email |
source.user.email, source.user.name, source.user.domain |
items[].actor.profileId |
source.user.id |