
Overview

Google Workspace is Google's suite of products that includes email, calendar, Drive, Meet, and other collaboration solutions. This collector integrates Google Workspace with the Devo Platform, making it easy to query and analyze the relevant Workspace data, view it in the pre-configured Activeboards, or customize them so that Enterprise IT and cybersecurity teams can make impactful data-driven decisions.

This collector retrieves alerts on potential issues within your domain through Google's Alert Center API. Apps you develop can use the Alert Center API to retrieve alerts in order to respond to them, and to create and retrieve alert feedback. For example, a monitoring app could retrieve new alerts, prioritize them, and then notify members of your organization when action is needed. The collector processes the API responses and sends the alerts to the Devo platform, which stores each alert type in its own table (as rows and columns) in your Devo domain.

Devo collector features

Feature | Details
Allow parallel downloading (multipod) | Not allowed
Running environments | Collector server, On-premise
Populated Devo events | Standard events

Data sources

The Google Workspace (formerly G Suite) Alert Center API generates alerts for the applications and sources listed below. The collector processes the Google API responses and sends them to the Devo platform, which stores each alert type in the table shown in your Devo domain.

Data Source | Alert Type | Devo table | Available from release
Domain wide takeout | Customer takeout initiated | cloud.gsuite.alerts.customer_takeout_initiated | v1.2.0
Gmail phishing | Malware reclassification | cloud.gsuite.alerts.malware_reclassification | v1.2.0
Gmail phishing | Misconfigured whitelist | cloud.gsuite.alerts.misconfigured_whitelist | v1.2.0
Gmail phishing | Phishing reclassification | cloud.gsuite.alerts.phishing_reclassification | v1.2.0
Gmail phishing | Suspicious message reported | cloud.gsuite.alerts.suspicious_message_reported | v1.2.0
Gmail phishing | User reported phishing | cloud.gsuite.alerts.user_reported_phishing | v1.2.0
Gmail phishing | User reported spam spike | cloud.gsuite.alerts.user_reported_spam_spike | v1.2.0
Google identity | Leaked password | cloud.gsuite.alerts.leaked_password | v1.2.0
Google identity | Suspicious login | cloud.gsuite.alerts.suspicious_login | v1.2.0
Google identity | Suspicious login (less secure app) | cloud.gsuite.alerts.suspicious_login_less_secure_app | v1.2.0
Google identity | Suspicious programmatic login | cloud.gsuite.alerts.suspicious_programmatic_login | v1.2.0
Google identity | User suspended | cloud.gsuite.alerts.user_suspended | v1.2.0
Google identity | User suspended (spam) | cloud.gsuite.alerts.user_suspended_spam | v1.2.0
Google identity | User suspended (spam through relay) | cloud.gsuite.alerts.user_suspended_spam_through_relay | v1.2.0
Google identity | User suspended (suspicious activity) | cloud.gsuite.alerts.user_suspended_suspicious_activity | v1.2.0
Google Operations | Google Operations | cloud.gsuite.alerts.google_operations | v1.2.0
State Sponsored Attack | Government attack warning | cloud.gsuite.alerts.government_attack_warning | v1.2.0
Mobile device management | Device compromised | cloud.gsuite.alerts.device_compromised | v1.2.0
Mobile device management | Suspicious activity | cloud.gsuite.alerts.suspicious_activity | v1.2.0
AppMaker Editor | AppMaker Default Cloud SQL setup | cloud.gsuite.alerts.appmaker_default_cloud_sql_setup | v1.2.0
Security Center rules | Activity Rule | cloud.gsuite.alerts.activity_rules | v1.2.0
Data Loss Prevention | Data Loss Prevention | cloud.gsuite.alerts.data_loss_prevention | v1.3.0
Sensitive Admin Action | Super Admin Password Reset | cloud.gsuite.alerts.super_admin_password_reset | v1.3.0
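The routing step that the paragraph above describes, as an added example (this is not the collector's own code): Alert Center alerts are returned by alerts.list in pages with an "alerts" array and a "nextPageToken", and each alert carries a "type" string. The example assumes those type strings are the Alert Type names in the table and derives the Devo table from them with the naming rule visible in the table (lowercase, parentheses dropped, words joined by underscores, with "Activity Rule" as the one irregular case). The two response pages are constructed for this example; de-duplicating on alertId and keeping alerts without a type aside are defensive choices of this example, not behaviour the page documents.

```python
import re
from typing import Dict, Iterable, List, Tuple

TABLE_PREFIX = "cloud.gsuite.alerts."

# Alert types whose Devo table does not follow the regular rule. The only one in
# the table above is the Security Center "Activity Rule" alert, which is stored
# in cloud.gsuite.alerts.activity_rules (plural).
TABLE_OVERRIDES = {
    "activity rule": TABLE_PREFIX + "activity_rules",
}


def table_for_alert_type(alert_type: str) -> str:
    """Derive the Devo table for an Alert Center alert `type`.

    Rule read off the table above: lowercase, drop parentheses and other
    punctuation, join the words with underscores. For example
    "Suspicious login (less secure app)" becomes
    cloud.gsuite.alerts.suspicious_login_less_secure_app.
    """
    key = " ".join(alert_type.split()).lower()
    if key in TABLE_OVERRIDES:
        return TABLE_OVERRIDES[key]
    words = re.findall(r"[a-z0-9]+", key)
    if not words:
        raise ValueError(f"cannot derive a table from alert type {alert_type!r}")
    return TABLE_PREFIX + "_".join(words)


def route_alerts(pages: Iterable[dict]) -> Tuple[Dict[str, List[dict]], List[dict]]:
    """Bucket alerts from a sequence of alerts.list response pages by Devo table.

    Each page has the shape of an alerts.list response
    ({"alerts": [...], "nextPageToken": "..."}); a collector keeps requesting
    pages while nextPageToken is present. Alerts are de-duplicated on alertId
    (assumption: the same alert may show up on two pages), and alerts without
    a usable type are returned separately instead of being dropped silently.
    """
    buckets: Dict[str, List[dict]] = {}
    rejected: List[dict] = []
    seen = set()
    for page in pages:
        for alert in page.get("alerts", []):
            alert_id = alert.get("alertId")
            if alert_id in seen:
                continue
            if alert_id is not None:
                seen.add(alert_id)
            alert_type = alert.get("type")
            if not alert_type:
                rejected.append(alert)
                continue
            buckets.setdefault(table_for_alert_type(alert_type), []).append(alert)
    return buckets, rejected


# Constructed sample: two pages as a collector would receive them from alerts.list.
# Field names follow the Alert Center alert resource; all values are invented.
SAMPLE_PAGES = [
    {
        "alerts": [
            {"alertId": "a-001", "type": "Suspicious login", "source": "Google identity",
             "createTime": "2024-01-05T10:00:00Z", "data": {"email": "alice@example.com"}},
            {"alertId": "a-002", "type": "Suspicious login (less secure app)",
             "source": "Google identity", "createTime": "2024-01-05T10:02:00Z",
             "data": {"email": "bob@example.com"}},
            {"alertId": "a-003", "type": "Activity Rule", "source": "Security Center rules",
             "createTime": "2024-01-05T10:05:00Z", "data": {"ruleName": "External sharing"}},
        ],
        "nextPageToken": "page-2",
    },
    {
        "alerts": [
            # a-003 again: repeated across the page boundary, must not be stored twice
            {"alertId": "a-003", "type": "Activity Rule", "source": "Security Center rules",
             "createTime": "2024-01-05T10:05:00Z", "data": {"ruleName": "External sharing"}},
            {"alertId": "a-004", "type": "Leaked password", "source": "Google identity",
             "createTime": "2024-01-05T10:09:00Z", "data": {"email": "carol@example.com"}},
            # malformed alert without a type: kept aside for inspection
            {"alertId": "a-005", "source": "Gmail phishing", "createTime": "2024-01-05T10:11:00Z"},
        ],
    },
]

if __name__ == "__main__":
    tables, leftovers = route_alerts(SAMPLE_PAGES)
    for table, alerts in sorted(tables.items()):
        print(f"{table}: {[a['alertId'] for a in alerts]}")
    print("not routed:", [a.get("alertId") for a in leftovers])
```

Running the block routes a-001, a-002, a-003 and a-004 to four different tables, stores a-003 only once, and lists a-005 as not routed.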

Vendor setup

The Google Workspace Alerts collector needs to be configured both in the Google Cloud Platform APIs console and in the Google Admin console:

  • In the Google Cloud Platform APIs console, you need to enable the Google Workspace Alert Center API (formerly G Suite Alert Center API) and create the proper credentials for the collector.

  • In the Google Admin console, you must give the proper permissions to the previously created credentials. 

Follow the instructions below to learn how to configure the services and allow the required permissions:

Enabling the Google Workspace Alert Center API and creating credentials

Follow these steps to create the service account that will be used to collect the alerts, and to enable the API and scopes it needs.

  1. Go to the Google Cloud Platform APIs console.

  2. Go to the Library section.

  3. Search Google Workspace Alert Center API in the search box.

  4. Click Enable.

  5. Go to the Credentials section (You can type credentials api services on the search box or choose the section from the left panel).

  6. Then, click Manage Service Accounts.

  7. Click Create Service Account and fill in the required fields (the optional steps can be omitted).

  8. Click on the previously created Service Account and make sure you are in the DETAILS section.

  9. Click on SHOW DOMAIN-WIDE DELEGATION, then enable the option called Enable Google Workspace Domain-wide Delegation. Click Save and copy the value in the Client ID box (this value will be used in the Assigning proper permissions to credentials section).

  10. Once saved, go to KEYS section, click ADD KEY → Create a new key and choose the JSON file type. Then, click CREATE (a .json file will be downloaded).

  11. Rename the downloaded file to credentials-gsuite-alerts.json and move it to the collector credentials directory (<any_directory>/devo-collector/gsuite-alerts/credentials/).

Assigning the required permissions to the credentials

Now you must authorize the required OAuth scope for the Client ID you copied earlier. Follow these steps to do it:

You must have the proper admin permissions to follow the next steps.

  1. Go to the Google admin console.

  2. From your Google Workspace domain’s Admin console, go to Main menu → Security → API Controls.

  3. In the Domain-wide delegation pane, select Manage Domain Wide Delegation.

  4. Click Add new.

  5. In the Client ID field, enter the service account's Client ID. You can find your service account's client ID in the Service accounts page.

  6. In the OAuth scopes (comma-delimited) field, enter the following scope: https://www.googleapis.com/auth/apps.alerts

  7. Click Authorize.

Accepted authentication methods with Google OAuth2

A service account is Google's mechanism for server-to-server authentication, as opposed to user-to-server authentication. The Google Workspace Alerts collector authenticates to the Google API with a service account and relies on domain-wide delegation of authority, which lets the service account act on behalf of a user in your organization's Google Workspace environment and read that user's data. The collector loads the delegated credentials as follows:

CredentialsFile.load_credentials(
    credentials_filename,                   # path to credentials-gsuite-alerts.json
    credentials_scopes=credentials_scopes,  # https://www.googleapis.com/auth/apps.alerts
    delegated_email=delegated_email         # Workspace user the service account acts on behalf of
)

The delegated_email field must contain the e-mail address of a real user (a service account cannot be used here) with enough permissions to view alerts in the Google Workspace Admin console → Alert Center (https://admin.google.com/ac/ac).

Refer to the Google documentation for more information.
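What domain-wide delegation means at the protocol level, as an added example (not the collector's code and not Google's library): the service account signs a JWT whose iss is its own client_email, whose sub is the delegated user, whose scope must be one authorized for that Client ID in the Admin console, and whose aud is the token endpoint; that assertion is then exchanged for an access token. The block below builds and validates that claim set from a constructed stand-in for credentials-gsuite-alerts.json and rejects the two misconfigurations this page warns about (using a service account as delegated_email, requesting a scope other than the authorized apps.alerts one). It does not sign the assertion or call Google; the RS256 signature and token exchange are what a library such as google-auth performs afterwards.

```python
import base64
import json
import time
from typing import Dict, Iterable, Optional

# The only scope this collector authorizes in the Admin console (see above).
ALERTS_SCOPE = "https://www.googleapis.com/auth/apps.alerts"
SERVICE_ACCOUNT_DOMAIN_SUFFIX = ".iam.gserviceaccount.com"
MAX_ASSERTION_LIFETIME = 3600  # seconds; Google rejects assertions valid for more than one hour

# Constructed stand-in for credentials-gsuite-alerts.json: real field names of a
# service-account key file, invented values, placeholder private key.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "gsuite-alerts@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def load_service_account(raw_json: str) -> dict:
    """Parse a downloaded key file and check it carries what the delegation flow needs."""
    info = json.loads(raw_json)
    if info.get("type") != "service_account":
        raise ValueError(f"not a service account key file (type={info.get('type')!r})")
    for field in ("client_email", "client_id", "private_key", "token_uri"):
        if not info.get(field):
            raise ValueError(f"key file is missing the {field} field")
    return info


def check_delegated_email(delegated_email: str) -> str:
    """The account being impersonated must be a real Workspace user, never a service account."""
    email = delegated_email.strip()
    if email.count("@") != 1:
        raise ValueError(f"delegated_email is not an e-mail address: {delegated_email!r}")
    if email.lower().endswith(SERVICE_ACCOUNT_DOMAIN_SUFFIX):
        raise ValueError("delegated_email must be a user, not a service account")
    return email


def build_delegation_claims(info: dict, delegated_email: str, scopes: Iterable[str],
                            authorized_scopes: Iterable[str] = (ALERTS_SCOPE,),
                            now: Optional[int] = None) -> Dict[str, object]:
    """Claim set of the JWT the service account signs to obtain a token on the user's behalf.

    A scope that was not authorized for this Client ID under Security → API Controls
    makes Google answer unauthorized_client, so the mismatch is caught here, before
    any network request. `now` is injectable so the result is reproducible.
    """
    scopes = list(scopes)
    if not scopes:
        raise ValueError("at least one scope is required")
    missing = sorted(set(scopes) - set(authorized_scopes))
    if missing:
        raise ValueError(f"scopes not authorized for domain-wide delegation: {missing}")
    issued_at = int(time.time()) if now is None else int(now)
    return {
        "iss": info["client_email"],                  # the service account
        "sub": check_delegated_email(delegated_email),  # the user it acts for
        "scope": " ".join(scopes),                    # space-separated, exactly as authorized
        "aud": info["token_uri"],                     # token endpoint from the key file
        "iat": issued_at,
        "exp": issued_at + MAX_ASSERTION_LIFETIME,
    }


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unsigned_assertion(info: dict, claims: Dict[str, object]) -> str:
    """header.payload of the assertion. Signing it with the key file's RSA key (RS256) and
    POSTing it to token_uri with grant_type urn:ietf:params:oauth:grant-type:jwt-bearer
    is the step a library performs next; it is deliberately not done here."""
    header = {"alg": "RS256", "typ": "JWT", "kid": info["private_key_id"]}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return _b64url(compact(header)) + "." + _b64url(compact(claims))


if __name__ == "__main__":
    sa = load_service_account(SAMPLE_KEY_FILE)
    print(json.dumps(build_delegation_claims(sa, "admin@example.com", [ALERTS_SCOPE]), indent=2))
```

Point the loader at the real credentials-gsuite-alerts.json and the e-mail you intend to use as delegated_email to catch a wrong key type, a service-account address in the sub, or a scope that differs from the one authorized in the Admin console before the collector's first run.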

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Disclaimer

Google limits the number of requests your APIs Console project may make to the Alert Center API: 5 requests per second (project QPS) and 150,000 requests per day (project QPD). If these limits are exceeded, the server returns an HTTP 503 status code.
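How a client stays within those limits and recovers from the 503 the disclaimer describes, as an added example (not the collector's code): a pacing guard that spaces requests to at most 5 per second and stops at 150,000 per day, and a retry wrapper that backs off exponentially with jitter on HTTP 503 only, re-raising any other error at once. The clock and sleep function are injectable so the behaviour can be shown without waiting; the HttpError class and the failing alerts.list stand-in are constructed for this example.

```python
import random
import time
from typing import Any, Callable, Optional

# Figures from the disclaimer above.
PROJECT_QPS = 5
PROJECT_QPD = 150_000


class HttpError(Exception):
    """Minimal stand-in for an HTTP error raised by an API client (constructed for this example)."""

    def __init__(self, status: int, message: str = "") -> None:
        super().__init__(f"HTTP {status} {message}".strip())
        self.status = status


class FakeClock:
    """Deterministic clock for demonstrations: sleeping advances time instantly."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


class QuotaGuard:
    """Client-side pacing that keeps one collector under the project QPS and QPD limits."""

    def __init__(self, qps: int = PROJECT_QPS, qpd: int = PROJECT_QPD,
                 clock: Callable[[], float] = time.monotonic,
                 sleeper: Callable[[float], None] = time.sleep) -> None:
        self.min_interval = 1.0 / qps
        self.qpd = qpd
        self.clock = clock
        self.sleeper = sleeper
        self.last_call: Optional[float] = None
        self.window_start = clock()
        self.calls_in_window = 0

    def wait_turn(self) -> None:
        """Block until the next request may be sent; raise once the daily budget is spent."""
        now = self.clock()
        if now - self.window_start >= 86_400:          # new 24 h window
            self.window_start, self.calls_in_window = now, 0
        if self.calls_in_window >= self.qpd:
            raise RuntimeError("project QPD exhausted; wait for the daily window to reset")
        if self.last_call is not None:
            remaining = self.min_interval - (now - self.last_call)
            if remaining > 0:
                self.sleeper(remaining)
        self.last_call = self.clock()
        self.calls_in_window += 1


def call_with_backoff(request: Callable[[], Any], guard: QuotaGuard, max_attempts: int = 5,
                      base_delay: float = 1.0, max_delay: float = 60.0,
                      rng: random.Random = random.Random()) -> Any:
    """Run `request` under the quota guard, retrying only on HTTP 503 with capped
    exponential backoff plus full jitter. Other HTTP errors are re-raised immediately,
    since retrying a 401/403 only burns quota."""
    for attempt in range(1, max_attempts + 1):
        guard.wait_turn()
        try:
            return request()
        except HttpError as err:
            if err.status != 503 or attempt == max_attempts:
                raise
            delay = min(max_delay, base_delay * 2 ** (attempt - 1))
            guard.sleeper(delay + rng.uniform(0, delay))
    raise AssertionError("unreachable: loop exits by return or raise")


def demo_flaky_fetch() -> dict:
    """alerts.list stand-in that answers 503 twice (quota exceeded) and then succeeds."""
    clock = FakeClock()
    guard = QuotaGuard(clock=clock, sleeper=clock.sleep)
    state = {"attempts": 0}

    def alerts_list() -> dict:
        state["attempts"] += 1
        if state["attempts"] <= 2:
            raise HttpError(503, "quota exceeded")
        return {"alerts": []}

    result = call_with_backoff(alerts_list, guard, rng=random.Random(7))
    return {"result": result, "attempts": state["attempts"], "elapsed": clock.now}


if __name__ == "__main__":
    print(demo_flaky_fetch())
```

With real clocks (the defaults) the guard sleeps for the gaps it computes; in the demo the fake clock shows that two 503 answers cost between 3 and 6 simulated seconds of backoff before the third attempt succeeds.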