Versions Compared

Version Old Version 19 New Version 20
Changes made by

Former user

Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Action

Steps

1

Create a Project.

Info

This step is optional, if you already have a project, you do not need to create another.

  1. Login to Google APIs console.

  2. In the search bar, search Create a Project.

  3. Click on Create a Project.

  4. Fill in the required fields.

  5. Click on Create.

2

Enable Google Workspace Alert Center API.

  1. Login to Google APIs console.

  2. In the search bar, search Workspace Alert Center API.

  3. Click on Google Workspace Alert Center API.

  4. Click on Enable to activate the API.

3

Create credentials.

  1. In the search bar, search Credentials.

  2. Click on Credentials (APIs & Services).

  3. In the Service Accounts section, click on Manage service accounts.

  4. Click on the + Create service account button.

  5. Enter a Service account name and click Done.

  6. Click on the Email field of the created service account to access its details.

  7. Copy and save the Unique ID of the created service account.

  8. Click on the Keys tab.

  9. Click on Add key button.

  10. Click on Create new key. A pop-up window will open to select the details of the key.

  11. In key type select JSON.

  12. Click on the Create button.

  13. The file with the credentials will be downloaded automatically.

  14. Move the credentials file to <any_directory>/devo-collectors/gsuite-google-workspace-alerts/credentials/ directory.

  15. Copy the content of the json file. You can use any free software to convert the content of the json file to base64.

  16. Paste it into a base64 encoder and copy the result.

Panel
panelIconIdatlassian-info
panelIcon:info:
bgColor#DEEBFF

It is important to save the base64 value to later run the collector on-premise and in the collector server.

Info

The Unique ID (step 7) will be used later in the domain delegation.

4

Authorize the service account through Domain Wide Delegation.

Once the service account is created and with credentials, it is necessary to authorize it through Domain Wide Delegation.

  1. Login in the google administration console: https://admin.google.com/.

  2. In the left menu select SecurityAccess and data controlAPI controls.

  3. Click Manage domain wide delegation in the Domain wide delegation section.

  4. Click on Add new. A pop-up window will open to enter the details.

    1. In Client ID field enter the previously copied Service Account Unique ID.

    2. In OAuth scopes field add the following: https://www.googleapis.com/auth/apps.alerts.

  5. Finally click on Authorize.

Info

You can copy the email used to login to https://accounts.google.com/ to later use it as delegated_email in the collector configuration.

Note

Note for later:delegated_email field should contain the email of an a real user (you cannot use a Service Account service account here) with enough access to display the alerts in the Google WorkSpace Admin Console → Alert Center (https://admin.google.com/ac/ac).

...

Rw ui tabs macro
Rw tab
titleCloud collector

We use a piece of software called Collector Server to host and manage all our available collectors. If you want us to host this collector for you, get in touch with us and we will guide you through the configuration.

Rw tab
titleOn-premise collector

This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.

Structure

The following directory structure should be created for being used when running the collector:

Code Block
<any_directory>
└── devo-collectors/
    └── <product_name>/
        ├── certs/
        │   ├── chain.crt
        │   ├── <your_domain>.key
        │   └── <your_domain>.crt
        ├── state/
        └── config/ 
            └── config.yaml
Note

Replace <product_name> with the proper value.

Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here.

Note

Replace <product_name> with the proper value.

Editing the config.yaml file

Code Block
globals:
  debug: <debug_status>
  id: <collector_id>
  name: <collector_name>
  persistence:
    type: filesystem
    config:
      directory_name: state
outputs:
  devo_1:
    type: devo_platform
    config:
      address: <devo_address>
      port: 443
      type: SSL
      chain: <chain_filename>
      cert: <cert_filename>
      key: <key_filename>
inputs:
  gsuite_alerts:
    id: <input_id>
    enabled: <input_status>
    requests_per_second: <requests_per_second_value>
    environment: <environment_value>
    credentials:
      filename: <filename_value>
      content_base64: <content_base64_value>
      delegated_email: <delegated_email_value>
      source_id: <source_id_value>
    services:
      <collector_service_name>:
        request_period_in_seconds: <request_period_in_seconds_value>
        start_time: <start_time_override_value>
        tag: <custom_tag>
Info

All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the services object.

Replace the placeholders with your required values following the description table below:

Parameter

Data Type

Type

Value Range

Details

debug_status

bool

Mandatory

false / true

If the value is true, the debug logging traces will be enabled when running the collector. If the value is false, only the info, warning and error logging levels will be printed.

collector_id

int

Mandatory

Minimum length: 1
Maximum length: 5

Use this param to give an unique id to this collector.

collector_name

str

Mandatory

Minimum length: 1
Maximum length: 10

Use this param to give a valid name to this collector.

devo_address

str

Mandatory

collector-us.devo.io
collector-eu.devo.io

Use this param to identify the Devo Cloud where the events will be sent.

chain_filename

str

Mandatory

Minimum length: 4
Maximum length: 20

Use this param to identify the chain.cert  file downloaded from your Devo domain. Usually this file's name is: chain.crt

cert_filename

str

Mandatory

Minimum length: 4
Maximum length: 20

Use this param to identify the file.cert downloaded from your Devo domain.

key_filename

str

Mandatory

Minimum length: 4
Maximum length: 20

Use this param to identify the file.key downloaded from your Devo domain.

input_id

int

Mandatory

Minimum length: 1
Maximum length: 5

Use this param to give an unique id to this input service.

Note

This parameter is used to build the persistence address, do not use the same value for multiple collectors. It could cause a collision.

input_status

bool

Mandatory

false / true

Use this param to enable or disable the given input logic when running the collector. If the value is true, the input will be run. If the value is false, it will be ignored.

requests_per_second_value

int

Optional

Minimum value: 1

Customize the maximum number of API requests per second. If not used, the default setting will be used: 100000 requests/sec.

Info

This parameter should be removed if it is not used.

environment_value

str

Optional

Minimum length: 1

This parameter is used to create the Devo tag. It corresponds to the sixth level of the tag:
cloud.gsuite.alerts.<alert_type>.<format_version>.<environment>. If this parameter is removed, the sixth level of the tag will have the value unknown.

Info

This parameter should be removed if it is not used.

filename_value

str

Mandatory

Minimum length: 1

This parameter is the name that you want to give to the token generated by the Collector. For example: token.pickle

content_base64_value

str

Mandatory

Minimum length: 1

This parameter is the credentials in base64 format. To know how to obtain this value review the section How to enable the collection in the vendor.

delegated_email_value

str

Mandatory

Minimum length: 1

This parameter is the email of the user whose domain is delegated to authorize the Service Account to access the alerts. To know how to obtain this value review the section How to enable the collection in the vendor.

Note

Note for later:delegated_email field should contain the email of an real user (you cannot use a Service service Account here) with enough access to display the alerts in the Google WorkSpace Admin Console >> Alert Center (https://admin.google.com/ac/ac).

source_id

str

Mandatory

Minimum value: 1

This parameter will be used when {source_id} placeholder is present when using custom tags. Please use abc value when not used.

collector_service_name

str

Mandatory

Any collector service names described in the Data sources section.

This parameter can be set to any collector service name described in the Data sources section. It is also important to note that there may be more than one service.

Choose one of our available services:

  • customer_takeout_initiated

  • misconfigured_whitelist

  • malware_reclassification

  • phishing_reclassification

  • suspicious_message_reported

  • user_reported_phishing

  • user_reported_spam_spike

  • leaked_password

  • suspicious_login

  • suspicious_login_less_secure_app

  • suspicious_programmatic_login

  • user_suspended

  • user_suspended_spam

  • user_suspended_spam_through_relay

  • user_suspended_suspicious_activity

  • google_operations

  • government_attack_warning

  • device_compromised

  • suspicious_activity

  • appmaker_default_cloud_sql_setup

  • activity_rule

  • configuration_problem

  • data_loss_prevention

  • apps_outage

  • primary_admin_changed

  • sso_profile_added

  • sso_profile_updated

  • sso_profile_deleted

  • super_admin_password_reset

For example:

Code Block
"services": {
    "customer_takeout_initiated": {
        "request_period_in_seconds": 60
    },
      "misconfigured_whitelist": {
        "request_period_in_seconds": 60
    }
}

request_period_in_seconds_value

int

Optional

Minimum length: 1

Period in seconds used between each data pulling, this value will overwrite the default value (60 seconds)

Info

This parameter should be removed if it is not used.

start_time_override_value

str

Optional

UTC with format: YYYY-mm-ddTHH:MM:SS.sssZ

This configuration allows you to set a custom date as the beginning of the period to download. This allows downloading historical data (1 month back for example) before downloading new events.

Info

This parameter should be removed if it is not used.

custom_tag

str

Optional

A Devo tag. See for more information see Devo tags.

This parameter is used to override the default tag with a new customer defined tag.

Info

This parameter should be removed if it is not used.

Download the Docker image

The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:

Collector Docker image

SHA-256 hash

collector-google_workspace_alerts_if-docker-image-1.5.0

c7c2420e52d567f83e30a2dd7a347c1cee83defdfd39ef573b316801dcd64be6

Use the following command to add the Docker image to the system:

Code Block
gunzip -c <image_file>-<version>.tgz | docker load
Note

Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace <image_file> and <version> with a proper value.

The Docker image can be deployed on the following services:

Docker

Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/

Code Block
docker run 
--name collector-<product_name> 
--volume $PWD/certs:/devo-collector/certs 
--volume $PWD/config:/devo-collector/config 
--volume $PWD/state:/devo-collector/state 
--env CONFIG_FILE=config.yaml 
--rm 
--interactive 
--tty 
<image_name>:<version>
Note

Replace <product_name>, <image_name> and <version> with the proper values.

Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.

Code Block
version: '3'
services:
  collector-<product_name>:
    image: <image_name>:${IMAGE_VERSION:-latest}
    container_name: collector-<product_name>
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      - ./credentials:/devo-collector/credentials
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config.yaml}

To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:

Code Block
IMAGE_VERSION=<version> docker-compose up -d
Note

Replace <product_name>, <image_name> and <version> with the proper values.

...