Document toolboxDocument toolbox

G Suite Alerts collector

Owned by Juan Tomás Alonso Nieto (Deactivated)
May 23, 2022
11 min read
[ 1 Service description ] [ 2 Data source description ] [ 3 Setup ] [ 4 Run the collector ] [ 5 Disclaimer ]

Service description

The G Suite Alert Center manages alerts on potential issues within your domain. Apps you develop can use the Alert Center API to retrieve alerts in order to respond to them. Apps can also use the API to create and retrieve alert feedback. For example, a monitoring app could retrieve new alerts, prioritize them, and then notify members of your organization when action is needed.

Data source description

The G Suite API generates account activities for these applications and sources. The G suite collector that we provide processes the Google API responses and sends them to the Devo platform. Data will be categorized in different tables in your Devo domain, as you can check in the following table.

G Suite Alert Center

Listed in the table below are the alerts sources, types, the data that G Suite classifies and how Devo platform treats it.

Alert source

Alert type

Devo data tables

Alert source

Alert type

Devo data tables

Domain wide takeout

Customer takeout initiated

cloud.gsuite.alerts.customer_takeout_initiated

Gmail phishing

Malware reclassification

cloud.gsuite.alerts.malware_reclassification

Misconfigured whitelist

cloud.gsuite.alerts.misconfigured_whitelist

Phishing reclassification

cloud.gsuite.alerts.phishing_reclassification

Suspicious message reported

cloud.gsuite.alerts.suspicious_message_reported

User reported phishing

cloud.gsuite.alerts.user_reported_phishing

User reported spam spike

cloud.gsuite.alerts.user_reported_spam_spike

Google identity

Leaked password

cloud.gsuite.alerts.eaked_password

Suspicious login

cloud.gsuite.alerts.suspicious_login

Suspicious login (less secure app)

cloud.gsuite.alerts.suspicious_login_less_secure_app

Suspicious programmatic login

cloud.gsuite.alerts.suspicious_programmatic_login

User suspended

cloud.gsuite.alerts.user_suspended

User suspended (spam)

cloud.gsuite.alerts.user_suspended_spam

User suspended (spam through relay)

cloud.gsuite.alerts.user_suspended_spam_through_relay

User suspended (suspicious activity)

cloud.gsuite.alerts.user_suspended_suspicious_activity

Google Operations

Google Operations

cloud.gsuite.alerts.google_operations

State Sponsored Attack

Government attack warning

cloud.gsuite.alerts.government_attack_warning

Mobile device management

Device compromised

cloud.gsuite.alerts.device_compromised

Suspicious activity

cloud.gsuite.alerts.suspicious_activity

AppMaker Editor

AppMaker Default Cloud SQL setup

cloud.gsuite.alerts.appmaker_default_cloud_sql_setup

Security Center rules

Activity Rule

cloud.gsuite.alerts.activity_rules

For more information about sources and types, visit the G Suite Alert Center API documentation

Setup

The G Suite Alerts collector needs to be configured in the Google Cloud Platform APIs console and also in the Google Admin console

  • In the Google Cloud Platform APIs console, you need to enable the Google Workspace Alert Center API (formerly G Suite Alert Center API) and create the proper credentials for the collector.

  • In the Google Admin console, you must give the proper permissions to the previously created credentials. 

Follow the instructions below to learn how to configure the services and allow the required permissions:

Enabling Google Workspace Alert Center API and credentials creation

Follow the next steps to create the Service Account that will be used to collect the alerts and enable the necessary API and scopes to use it.

  1. Go to the Google Cloud Platform APIs console.

  2. Go to the Library section.

  3. Search Google Workspace Alert Center API in the search box.

  4. Click Enable.

  5. Go to the Credentials section (You can type credentials api services on the search box or choose the section from the left panel).

  6. Then, click Manage Service Accounts.

  7. Click Create Service Account and fill in the required fields (the optional steps can be omitted).

  8. Click on the previously created Service Account and make sure you are in the DETAILS section.

  9. Click on SHOW DOMAIN-WIDE DELEGATION, then enable the option called Enable Google Workspace Domain-wide Delegation. Click Save and copy the value in the Client ID box (this value will be used in the Assigning proper permissions to credentials section).

  10. Once saved, go to KEYS section, click ADD KEY → Create new key and choose the JSON file type. Then, click CREATE (a .json file will be downloaded).

  11. Rename the downloaded file to credentials-gsuite-alerts.json and move it to the collector credentials directory (<any_directory>/devo-collector/gsuite-alerts/credentials/).

Assigning the required permissions to the credentials

Now, you must be associate a scope to the previously created Client ID. Follow these steps to do it:

You must have the proper admin permissions to follow the next steps.

  1. Go to the Google admin console.

  2. From your Google Workspace domain’s Admin console, go to Main menu → Security → API Controls.

  3. In the Domain wide delegation pane, select Manage Domain Wide Delegation.

  4. Click Add new.

  5. In the Client ID field, enter the service account's Client ID. You can find your service account's client ID in the Service accounts page.

  6. In the OAuth scopes (comma-delimited) field, enter the next scope : https://www.googleapis.com/auth/apps.alerts

  7. Click Authorize.

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Disclaimer

The API limits the number of requests for your APIs Console project. The API project's maximum number of requests per second (project QPS) is 5 QPS and the maximum number of requests per day (project QPD) is 150,000 QPD across the account. If these limits are exceeded, the server returns an HTTP 503 status code.