Google Workspace Alerts

In the Scanner UI, go to the Collect tab.

You’ll be prompted to choose an Ingest Method:

Click Next.

Set a Display Name, such as my-google-workspace-alerts-logs.

Click Next.

If you’ve previously created an Google Workspace connection, select it from the list.
Otherwise, select New Google Workspace Connection and fill in the required fields:
- Connection Name: Give the connection a recognizable name.
- Service Account Subject Email: e.g. [email protected]
- Service Account Key JSON

To create the service account and the service account key JSON:

Follow these instructions
Domain-wide delegation must be enabled for the service account
The Alert Center API must be enabled on the Google Cloud project
The service account subject email is the email of the user who created the service account. It is NOT the service account email ending in @my-project.iam.gserviceaccount.com. The service account impersonates this user when polling from the API.
The service account must have the authorization scope https://www.googleapis.com/auth/apps.alerts

Click Next.

Click Next.

Click Next.

Leave the default setting: Extract timestamp from field createTime.

This field is included in every Google Workspace alerts log and reflects when the event occurred.

Click Next.

Once created:

Scanner will poll the Google Workspace Alert Center API every 5 minutes.
New events will be written to your S3 bucket, under the specified key prefix.
Logs will then be indexed for search and detections using your selected Scanner index.

Last updated 3 days ago

Was this helpful?