Google Workspace Integration
  • 27 Dec 2024

Article summary

The Security Manager Google Cloud Platform integration monitors Google Workspace logs to provide the Google Workspace Alerts.

Prerequisites

  • An account with Google Super Administrator Access

  • A Google Cloud Console Organization for your Domain

  • Owner permissions for Google Cloud Console Organization

  • A Google Cloud Console Billing Account

Integration Setup

Create a Pub/Sub Subscription

  1. In Google Cloud Console, in the project selector drop-down, select or create a Google Cloud project.

  2. Activate Cloud Shell, which provides an interactive command-line interface with the Cloud SDK installed.

  3. Set the Project ID environment variable:

export PROJECT_ID=[YOUR_PROJECT_ID]

  4. Set the Organization ID environment variable:

export ORG_ID=[YOUR_ORGANIZATION_ID]

  5. Set the project for your active session:

gcloud config set project $PROJECT_ID

  6. Enable the Pub/Sub API:

gcloud services enable pubsub.googleapis.com

  7. Enable the Dataflow API:

gcloud services enable dataflow.googleapis.com

  8. Enable the Cloud Security Command Center API:

gcloud services enable securitycenter.googleapis.com

  9. Enable the Cloud Asset Inventory API:

gcloud services enable cloudasset.googleapis.com

  10. Create a Pub/Sub topic to which the data will be sent:

gcloud pubsub topics create export-topic

  11. Create a Pub/Sub subscription where the data will be aggregated:

gcloud pubsub subscriptions create export-subscription \
--topic=export-topic \
--expiration-period="never"

  12. Create an organization log sink to capture Cloud audit logs from all Google Cloud projects in your organization:

gcloud logging sinks create org-audit-logs-all \
pubsub.googleapis.com/projects/$PROJECT_ID/topics/export-topic \
--organization=$ORG_ID \
--include-children \
--log-filter="logName:logs/cloudaudit.googleapis.com"

Log Sink Creation

The --log-filter option specifies that only Cloud audit logs are routed to the Pub/Sub topic export-topic. You may want to edit the log filter or create additional log sinks to export more logs, such as VPC flow logs, load balancing request logs, or virtual machine logs such as application logs and system logs, depending on your retention and compliance requirements.

This command returns the service account of the log sink writer, usually in the form o#####-####@gcp-sa-logging.iam.gserviceaccount.com.

  1. Set an environment variable to the service account of the log sink:

export LOG_SINK_SA=[YOUR_SERVICE_ACCOUNT]@gcp-sa-logging.iam.gserviceaccount.com

  2. Give permissions to the log sink service account to publish to the Pub/Sub topic:

gcloud pubsub topics add-iam-policy-binding export-topic \
--member=serviceAccount:$LOG_SINK_SA \
--role=roles/pubsub.publisher
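Once the sink is publishing, each Pub/Sub message carries one Cloud Logging LogEntry with an AuditLog protoPayload. The following is an added example, not code from the article or from Security Manager, showing how a consumer of export-subscription decodes such a message and pulls out the fields an analyst cares about (principal, method, caller IP), flagging IAM-changing methods; the sample entry, project name, e-mail and IP are constructed.

```python
import base64
import json

# Constructed sample: one LogEntry as the organization log sink publishes it to
# export-topic (Cloud Audit Log schema; the project, principal and IP are made up).
SAMPLE_AUDIT_ENTRY = {
    "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
    "timestamp": "2024-12-27T10:15:30.123Z",
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": "cloudresourcemanager.googleapis.com",
        "methodName": "SetIamPolicy",
        "resourceName": "projects/example-project",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.10"},
    },
}

# Audit-log method names that change who can do what; a consumer should surface these.
IAM_CHANGE_METHODS = {"SetIamPolicy", "google.iam.admin.v1.CreateServiceAccountKey"}

def build_sample_message() -> dict:
    """Wrap the sample entry the way a Pub/Sub pull presents it: base64 in message.data."""
    data = base64.b64encode(json.dumps(SAMPLE_AUDIT_ENTRY).encode()).decode()
    return {"ackId": "constructed-ack-id", "message": {"data": data, "messageId": "1"}}

def decode_pubsub_message(received: dict) -> dict:
    """Turn a received Pub/Sub message back into the LogEntry dict the sink wrote."""
    return json.loads(base64.b64decode(received["message"]["data"]))

def summarize_audit_entry(entry: dict) -> dict:
    """Extract the fields an analyst wants; reject entries the sink filter should not match."""
    payload = entry.get("protoPayload", {})
    if payload.get("@type") != "type.googleapis.com/google.cloud.audit.AuditLog":
        raise ValueError("not a Cloud Audit Log entry: %s" % entry.get("logName"))
    method = payload.get("methodName", "")
    return {
        "time": entry.get("timestamp"),
        "log": entry.get("logName", "").rsplit("%2F", 1)[-1],  # activity, data_access, ...
        "service": payload.get("serviceName"),
        "method": method,
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
        "resource": payload.get("resourceName"),
        "iam_change": method in IAM_CHANGE_METHODS,
    }

if __name__ == "__main__":
    print(summarize_audit_entry(decode_pubsub_message(build_sample_message())))
```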

Setting up Service Account Access Key

  1. Create a service account in the project.

  2. Generate a JSON format access key.

  3. Create the service account environment variable:

export SUBSCRIBER_SA=[YOUR_SERVICE_ACCOUNT_EMAIL]

  4. Give permissions to the subscriber service account to subscribe to the Pub/Sub subscription:

gcloud pubsub subscriptions add-iam-policy-binding export-subscription \
--member=serviceAccount:$SUBSCRIBER_SA \
--role=roles/pubsub.subscriber

  5. Give permissions to the subscriber service account to view details of the Pub/Sub subscription:

gcloud pubsub subscriptions add-iam-policy-binding export-subscription \
--member=serviceAccount:$SUBSCRIBER_SA \
--role=roles/pubsub.viewer
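The two bindings above are all the subscriber service account needs on export-subscription. This added example (not code from the article or from Security Manager) checks a live policy against that expectation: it takes the JSON that `gcloud pubsub subscriptions get-iam-policy export-subscription --format=json` prints and reports roles that are missing (ingestion would fail), roles beyond the two granted here, and any binding to allUsers or allAuthenticatedUsers. The service account e-mail and the sample policy are constructed.

```python
# Constructed sample: the JSON that
#   gcloud pubsub subscriptions get-iam-policy export-subscription --format=json
# returns. The subscriber service account e-mail is made up; here it has been
# granted roles/pubsub.editor (not in the article) and is missing roles/pubsub.viewer.
SUBSCRIBER_SA = "serviceAccount:sec-mgr-subscriber@example-project.iam.gserviceaccount.com"

SAMPLE_SUBSCRIPTION_POLICY = {
    "bindings": [
        {"role": "roles/pubsub.subscriber", "members": [SUBSCRIBER_SA]},
        {"role": "roles/pubsub.editor", "members": [SUBSCRIBER_SA]},
    ],
    "etag": "BwXconstructed=",
    "version": 1,
}

# What the article's two add-iam-policy-binding commands should leave on the subscription.
EXPECTED_SUBSCRIPTION_BINDINGS = {
    SUBSCRIBER_SA: {"roles/pubsub.subscriber", "roles/pubsub.viewer"},
}

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

def bindings_by_member(policy: dict) -> dict:
    """Flatten policy.bindings into {member: set(roles)}."""
    result = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            result.setdefault(member, set()).add(binding["role"])
    return result

def audit_policy(policy: dict, expected: dict) -> dict:
    """Diff the live IAM policy against the bindings the setup should have produced.

    missing: roles the setup needs but the member lacks (ingestion will fail)
    extra:   roles present on the resource that the setup did not ask for
    public:  any binding to allUsers / allAuthenticatedUsers
    """
    actual = bindings_by_member(policy)
    missing = {m: r - actual.get(m, set()) for m, r in expected.items() if r - actual.get(m, set())}
    extra = {m: r - expected.get(m, set()) for m, r in actual.items() if r - expected.get(m, set())}
    public = {m: r for m, r in actual.items() if m in PUBLIC_MEMBERS}
    return {"missing": missing, "extra": extra, "public": public}

if __name__ == "__main__":
    for kind, found in audit_policy(SAMPLE_SUBSCRIPTION_POLICY, EXPECTED_SUBSCRIPTION_BINDINGS).items():
        print(kind, found or "none")
```

The same function, fed `gcloud pubsub topics get-iam-policy export-topic --format=json` and an expected map of the log sink writer to roles/pubsub.publisher, checks the topic side of the setup.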

User Authentication Events

To ingest user authentication events, you must share data from your Google Workspace, Cloud Identity, or Essentials account with services in your organization's Google Cloud account.

  1. In the Google Admin Console, go to Menu → Account → Account settings → Legal and compliance.

  2. Click Sharing options

  3. Click Enabled

  4. Click Save

Google DLP Alerts

  1. Go to the Google Cloud Console, and select the Google Cloud Project you created in the steps above

  2. Search for APIs & Services in the search box and click API and services

  3. Select ENABLE APIS AND SERVICES

  4. Search for Alert Center API

  5. Select Google Workspace Alert Center API, and click Enable

  6. Go to the Google Admin Console → Security → Access and data control → API Controls → Manage domain wide delegation

  7. Add New API Client:

    1. Client ID: the client ID from the JSON format access key downloaded in the Setting up Service Account Access Key steps

    2. OAuth scopes: https://www.googleapis.com/auth/apps.alerts

  8. Click Authorize

  9. Go to RapidIdentity and select Connect from the module dropdown

  10. Select the Connect Project dropdown and select the sec_mgr project

  11. Select OAuth2 Credentials and click ADD OAUTH2 CREDENTIAL

  12. Enter a name, select GOOGLE_EXTENDED as the provider, and paste in the JSON Format access key you downloaded previously

  13. In the sec_mgr project select Files

  14. In the root directory select Globals.properties and click edit

  15. Under the Google section make the following edits and click save

    1. googleDomain: The Google domain to pull Alert Center alerts

    2. googleOAuthCredential: The name of the Google OAuth2 credential created in step 12

    3. googleServiceAccount: An email address of a user with Alert Center Access in the Google Admin Console (preferably a service account)

  16. In the sec_mgr project select Jobs

  17. Select the checkbox for GoogleAlertCenterIntegration and click Enable

  18. The Google DLP integration has now been set up, and you will start seeing alerts generated from Google DLP in the Security Manager Console.

