Google Workspace Integration
  • 03 Mar 2024

Article Summary

The Security Manager Google Cloud Platform integration monitors Google Workspace logs to provide the Google Workspace Alerts.

Prerequisites

  • An account with Google Super Administrator Access

  • A Google Cloud Console Organization for your Domain

  • Owner permissions for Google Cloud Console Organization

  • A Google Cloud Console Billing Account

Integration Setup

Create a Pub/Sub Subscription

  1. In Google Cloud Console, in the project selector drop-down, select or create a Google Cloud project.

  2. Activate Cloud Shell, which provides an interactive command-line interface with the Cloud SDK installed.

  3. Set the Project ID environment variable:

export PROJECT_ID=[YOUR_PROJECT_ID]

  4. Set the Organization ID environment variable:

export ORG_ID=[YOUR_ORGANIZATION_ID]

5. Set the project for your active session:

gcloud config set project $PROJECT_ID

6. Enable the Pub/Sub API:

gcloud services enable pubsub.googleapis.com

7. Enable the Dataflow API:

gcloud services enable dataflow.googleapis.com

8. Enable the Cloud Security Command Center API:

gcloud services enable securitycenter.googleapis.com

9. Enable the Cloud Asset Inventory API:

gcloud services enable cloudasset.googleapis.com

10. Create a Pub/Sub topic to which the data will be sent:

gcloud pubsub topics create export-topic

11. Create a Pub/Sub subscription where the data will be aggregated:

gcloud pubsub subscriptions create export-subscription \
--topic=export-topic \
--expiration-period="never"

12. Create an organization log sink to capture Cloud audit logs from all Google Cloud projects in your organization:

gcloud logging sinks create org-audit-logs-all \
pubsub.googleapis.com/projects/$PROJECT_ID/topics/export-topic \
--organization=$ORG_ID \
--include-children \
--log-filter="logName:logs/cloudaudit.googleapis.com"

Log Sink Creation

The log-filter option specifies that Cloud audit logs are routed to the Pub/Sub topic export-topic. You may want to edit the log filter or create additional log sinks to export more logs, such as VPC flow logs, load balancing request logs, or virtual machine logs such as application logs and system logs, depending on your retention and compliance requirements.

The gcloud logging sinks create command returns the service account (writer identity) of the log sink, usually in the form o#####-####@gcp-sa-logging.iam.gserviceaccount.com.

  1. Set an environment variable to the service account of the log sink:

export LOG_SINK_SA=[YOUR_SERVICE_ACCOUNT]@gcp-sa-logging.iam.gserviceaccount.com

  2. Give permissions to the log sink service account to publish to the Pub/Sub topic:

gcloud pubsub topics add-iam-policy-binding export-topic \
--member=serviceAccount:$LOG_SINK_SA \
--role=roles/pubsub.publisher

Setting up Service Account Access Key

  1. Create a service account in the project

  2. Generate a JSON format access key

  3. Create a service account environment variable:

export SUBSCRIBER_SA=[YOUR_SERVICE_ACCOUNT_EMAIL]

  4. Give permissions to the subscriber service account to subscribe to the Pub/Sub subscription:

gcloud pubsub subscriptions add-iam-policy-binding export-subscription \
--member=serviceAccount:$SUBSCRIBER_SA \
--role=roles/pubsub.subscriber

  5. Give permissions to the subscriber service account to view details of the Pub/Sub subscription:

gcloud pubsub subscriptions add-iam-policy-binding export-subscription \
--member=serviceAccount:$SUBSCRIBER_SA \
--role=roles/pubsub.viewer
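The Pub/Sub, log sink and IAM steps above, collected into one re-runnable script as an added example; it is not part of the original article and not Security Manager's own tooling. It assumes the article's resource names (export-topic, export-subscription, org-audit-logs-all), the PROJECT_ID, ORG_ID and SUBSCRIBER_SA variables exported as described, and that gcloud logging sinks describe reports the sink's writer identity with a serviceAccount: prefix. gcloud is only called when the script is run with --apply, so the validation helpers can be exercised without a Google Cloud account.

```shell
#!/bin/sh
# Added example: end-to-end setup of the Pub/Sub export used by the Security
# Manager Google Workspace integration. Assumes PROJECT_ID, ORG_ID and
# SUBSCRIBER_SA are exported as in the steps above; resource names default to
# the article's and can be overridden through the environment.
TOPIC="${TOPIC:-export-topic}"
SUB="${SUB:-export-subscription}"
SINK="${SINK:-org-audit-logs-all}"
# Same filter as the article: every Cloud audit log in the organization.
LOG_FILTER="${LOG_FILTER:-logName:logs/cloudaudit.googleapis.com}"

# Google Cloud project IDs are 6-30 characters of lowercase letters, digits
# and hyphens, start with a letter and do not end with a hyphen.
valid_project_id() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# Organization IDs are purely numeric.
valid_org_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]+$'
}

# "gcloud logging sinks describe ... --format=value(writerIdentity)" reports
# the sink's writer as "serviceAccount:<email>" (assumption about the current
# gcloud output); strip the prefix to get the bare email address.
writer_sa_from_identity() {
  printf '%s\n' "${1#serviceAccount:}"
}

# Builds the --member argument of an IAM binding from a service account email.
member_for_sa() {
  printf 'serviceAccount:%s\n' "$1"
}

run_setup() {
  : "${PROJECT_ID:?export PROJECT_ID first}" "${ORG_ID:?export ORG_ID first}" \
    "${SUBSCRIBER_SA:?export SUBSCRIBER_SA first}"
  valid_project_id "$PROJECT_ID" || { echo "invalid PROJECT_ID: $PROJECT_ID" >&2; return 1; }
  valid_org_id "$ORG_ID" || { echo "invalid ORG_ID: $ORG_ID" >&2; return 1; }

  gcloud config set project "$PROJECT_ID"
  for api in pubsub dataflow securitycenter cloudasset; do
    gcloud services enable "$api.googleapis.com"
  done

  # Create the topic and subscription only if they do not already exist, so
  # the script can be re-run safely.
  gcloud pubsub topics describe "$TOPIC" >/dev/null 2>&1 \
    || gcloud pubsub topics create "$TOPIC"
  gcloud pubsub subscriptions describe "$SUB" >/dev/null 2>&1 \
    || gcloud pubsub subscriptions create "$SUB" --topic="$TOPIC" --expiration-period=never

  # Organization-level sink that includes every child folder and project.
  gcloud logging sinks describe "$SINK" --organization="$ORG_ID" >/dev/null 2>&1 \
    || gcloud logging sinks create "$SINK" \
         "pubsub.googleapis.com/projects/$PROJECT_ID/topics/$TOPIC" \
         --organization="$ORG_ID" --include-children --log-filter="$LOG_FILTER"

  # Read the writer identity back instead of copying it by hand, then allow it
  # to publish to the topic. Without this binding the sink cannot deliver logs.
  writer=$(gcloud logging sinks describe "$SINK" --organization="$ORG_ID" \
             --format='value(writerIdentity)')
  LOG_SINK_SA=$(writer_sa_from_identity "$writer")
  gcloud pubsub topics add-iam-policy-binding "$TOPIC" \
    --member="$(member_for_sa "$LOG_SINK_SA")" --role=roles/pubsub.publisher

  # Least privilege for the collector: it only needs to pull from and inspect
  # this one subscription, not project-wide Pub/Sub roles.
  for role in roles/pubsub.subscriber roles/pubsub.viewer; do
    gcloud pubsub subscriptions add-iam-policy-binding "$SUB" \
      --member="$(member_for_sa "$SUBSCRIBER_SA")" --role="$role"
  done
}

# gcloud is only invoked when explicitly requested; running the file without
# --apply just defines the helpers.
if [ "${1:-}" = "--apply" ]; then
  run_setup
fi
```

Run it from Cloud Shell as sh setup.sh --apply after exporting the three variables. The describe-before-create pattern keeps the script idempotent, and the IAM bindings are scoped to the single topic and subscription rather than granted at project level, which matches the per-resource bindings in the steps above.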

User Authentication Events

To ingest user authentication events, you must share data from your Google Workspace, Cloud Identity, or Essentials account with services in your organization's Google Cloud account.

  1. In the Google Admin Console, go to Menu → Account → Account settings → Legal and compliance.

  2. Click Sharing options.

  3. Click Enabled.

  4. Click Save.
