Google Cloud Workspace

About the Device

Google Workspace is a productivity solution designed to help you safely connect, create and collaborate with tools like Gmail, Docs, Meet and more. You can connect with teammates wherever they are using Gmail, Voice, Calendar, Groups, Chat, Meet, etc.

Device Information

| Entity | Particulars |
|---|---|
| Vendor Name | Google |
| Product Name | Cloud Workspace |
| Type of Device | Cloud |

Collection Method

Direct Ingestion:

| Log Type | Ingestion label | Preferred Logging Protocol - Format | Log collection method | Data Source |
|---|---|---|---|---|
| Google Workspace Activity logs | WORKSPACE_ACTIVITY | Cloud Log Stream - JSON | C2C - Push (Direct Ingestion) | https://cloud.google.com/chronicle/docs/ingestion/cloud/workspace-to-chronicle |

  • Only Google Workspace Activity logs can be ingested through the Google Workspace to Google Security Operations direct ingestion method, subject to the license requirements listed under Prerequisites in the Device Configuration steps.

  • Direct ingestion collects a wider range of Workspace data than the other feed methods. For example, other feed methods cannot ingest Gmail application logs.

Feed Ingestion:

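| Log Type | Ingestion label | Preferred Logging Protocol - Format | Log collection method | Data Source |
|---|---|---|---|---|
| Workspace Activities | WORKSPACE_ACTIVITY | API - JSON | C2C - API | https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-workspace-logs |
| Workspace Alerts | WORKSPACE_ALERTS | API - JSON | C2C - API | https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-workspace-logs |
| Workspace Users | WORKSPACE_USERS | API - JSON | C2C - API | https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-workspace-logs |
| Workspace Groups | WORKSPACE_GROUPS | API - JSON | C2C - API | https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-workspace-logs |
| Workspace Privileges | WORKSPACE_PRIVILEGES | API - JSON | C2C - API | https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-workspace-logs |
| Workspace Mobile Devices | WORKSPACE_MOBILE | API - JSON | C2C - API | https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-workspace-logs |
| Workspace ChromeOS Devices | WORKSPACE_CHROMEOS | API - JSON | C2C - API | https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-workspace-logs |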

Device Configuration

Google provides two log ingestion methods for integrating Google Workspace with Google Security Operations.

Method 1: Direct Ingestion

To send Google Workspace data to Google Security Operations

Follow the steps below to use direct ingestion to ingest Google Workspace Activity logs (WORKSPACE_ACTIVITIES) into your Google Security Operations instance for the supported Google application types.

Prerequisites:

  • You must have Google Workspace Enterprise Standard or Enterprise Plus edition to access this integration. If you do not, use the Feed Ingestion method (Method 2) to ingest Google Workspace Activity logs.

  • You must have the Google Workspace Customer ID. Obtain it from the Google Workspace Admin console (Account > Account Settings > Profile).

Step 1: Obtain your Google Security Operations instance ID and token

  • Share the Google Workspace Customer ID with the Adaptive MxDR Onboarding Team.

Step 2: Link Google Workspace to your Google Security Operations instance

  • Log in to the Google Workspace Admin console.

  • Click Reporting > Data Integrations.

  • Select Google Security Operations export, and then click Connect to Google Security Operations. This opens the Connect to Google Security Operations page.

  • Paste the token copied from your Google Security Operations account into the indicated field. Click Connect.

  • Export audit data to Google Security Operations should now display On. Your Google Workspace account is now linked to your Google Security Operations instance and will begin sending your Google Workspace data.

  • Click Go to Google Security Operations to open your Google Security Operations instance and begin to monitor your Google Workspace data from Google Security Operations.

Method 2: Feed Ingestion via Third Party API

Follow the steps below to collect Google Workspace logs by setting up a Google Security Operations feed using the Third Party API.

Prerequisites:

  • You must use Google Workspace Business Standard or Business Plus edition as these editions are supported via Google Parsers.

  • Ensure that you have a Google Workspace Administrator account.

  • Ensure that you have the Super Admin role for the GCP account.

  • You must have the Customer ID. Obtain it from the Google Admin console (Account > Account Settings > Profile).

Step 1: Enable Admin SDK API and Google Workspace Alert Center API

  • Log in to your Google Cloud Platform Console

  • Navigate to APIs and services and select a project.

  • Click Library

  • Search for Admin SDK API and then click ENABLE

  • Repeat for Google Workspace Alert Center API

Step 2: Create a service account which is used to authenticate with Workspace APIs.

  • Required roles: To create service accounts, you should have the Create Service Accounts (roles/iam.serviceAccountCreator) IAM role on the project.

  • In your GCP Console navigate to IAM & Admin > Service Accounts

  • Click Create Service Account

  • Provide the service account a name and click DONE

  • The service account's name appears in the email address that is provisioned during creation, in the format SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com.

  • Click the newly created service account

  • Copy and save the Unique ID displayed on the screen.

  • Select KEYS

  • Click ADD Key > Create new key

  • Select JSON and click Create

  • Save this JSON key

Step 3: Create a Domain-wide delegation API control for the service account and grant the required scopes to access the data.

  • Log in to the Google Admin console (admin.google.com)

  • Select Security > Access and Data Controls > API Controls > Domain-wide delegation and then click Manage Domain-Wide Delegation

  • Click ADD NEW

  • Enter the Client ID (unique ID obtained in Step 2)

  • For OAuth scopes, enter the list of scopes below:

    https://www.googleapis.com/auth/apps.alerts,
    https://www.googleapis.com/auth/admin.directory.user.readonly,
    https://www.googleapis.com/auth/admin.directory.group.readonly,
    https://www.googleapis.com/auth/admin.reports.audit.readonly,
    https://www.googleapis.com/auth/admin.directory.device.mobile.readonly,
    https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,
    https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly

  • Click Authorize

Step 4: Create a user who is used for impersonation and grant the user the required privileges.

  • Log in to the Google Admin console.

  • Select Directory > Users and then click Add new user.

  • Enter the user details.

  • Name the user and create a primary email address. Click Create > Done

  • Click on the newly created user

  • Click Admin roles and privileges > Create Custom Role > Create new role and give this role a name

  • Grant the following privileges to the role:

    Privileges > Reports
    Privileges > Services > Alert Center > Full Access > View access
    Privileges > Services > Mobile Device Management > Manage Devices and Settings
    Privileges > Services > Chrome Management > Settings
    Admin API > Privileges > Users > Read
    Admin API > Privileges > Groups > Read

  • Click Continue and then Create role.

  • Click Assign users, select the user to assign the role.

  • Click Assign role.

  • Ensure that the created user has the Super Admin role

Step 5: Share the following items with Adaptive MxDR Onboarding team to proceed with configuration of the Google Workspace integration:

  • JSON token (Step 2)

  • User email (Step 4)

  • Customer ID (prerequisites)

Integration Parameters

Integration Parameters required for Direct Ingestion Method

| Property | Default Value | Description |
|---|---|---|
| Google Workspace Customer ID | N/A | Used to generate Token and Instance ID. |

Integration Parameters required for Feed Configuration

| Property | Default Value | Description |
|---|---|---|
| OAuth JWT endpoint | N/A | Specify the token_uri value from the service account JSON key. |
| JWT claims issuer | N/A | Specify the client_email value from the service account JSON key. |
| JWT claims subject | N/A | Primary email address of the user that was created in the Google Workspace Admin console. |
| JWT claims audience | N/A | Specify the token_uri value from the service account JSON key. |
| RSA private key | N/A | Key in PEM format. The PEM key is available in the service account key file. When you enter the private key, include the BEGIN PRIVATE KEY header and the END PRIVATE KEY footer and replace all instances of the \n token with an actual Enter keystroke in the text box. |
| Customer ID | N/A | Except for the Alerts log type, all log types require the customer ID field with a leading 'C' character. If the customer ID field does not contain a leading 'C' character, prepend the value with a 'C' character. |
| Applications | N/A | Only applicable for Feed Configuration of Workspace Activities. |
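
The feed configuration parameters above, derived from a service account JSON key, as an added example that is not part of the original page or of Google's tooling. The key contents, e-mail addresses and customer ID are constructed sample values, and leaving the customer ID unchanged for the Alerts log type is an assumption, since the page states no rule for it.

```python
import json

# Constructed sample key file (not a real credential).
SAMPLE_KEY_JSON = r'''{
  "client_email": "workspace-feed@example-project.iam.gserviceaccount.com",
  "private_key": "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n",
  "token_uri": "https://oauth2.googleapis.com/token"
}'''

FEED_LABELS = {"WORKSPACE_ACTIVITY", "WORKSPACE_ALERTS", "WORKSPACE_USERS",
               "WORKSPACE_GROUPS", "WORKSPACE_PRIVILEGES", "WORKSPACE_MOBILE",
               "WORKSPACE_CHROMEOS"}

def normalize_pem(value):
    """Replace literal \\n tokens with line breaks and check the PEM framing."""
    lines = value.replace("\\n", "\n").strip().split("\n")
    if lines[0] != "-----BEGIN PRIVATE KEY-----" or lines[-1] != "-----END PRIVATE KEY-----":
        raise ValueError("private key must include the BEGIN/END PRIVATE KEY lines")
    return "\n".join(lines) + "\n"

def customer_id_for(label, customer_id):
    """Every log type except Alerts needs a leading 'C' on the customer ID."""
    cid = customer_id.strip()
    if label == "WORKSPACE_ALERTS":
        return cid  # assumption: left unchanged, the page states no rule for Alerts
    return cid if cid.startswith("C") else "C" + cid

def build_feed_params(key_json, subject_email, customer_id, label):
    """Return the feed properties named in the Integration Parameters table."""
    if label not in FEED_LABELS:
        raise ValueError(f"unknown ingestion label: {label}")
    key = json.loads(key_json)
    missing = [f for f in ("token_uri", "client_email", "private_key") if not key.get(f)]
    if missing:
        raise ValueError(f"service account key is missing: {', '.join(missing)}")
    return {
        "OAuth JWT endpoint": key["token_uri"],
        "JWT claims issuer": key["client_email"],
        "JWT claims subject": subject_email,
        "JWT claims audience": key["token_uri"],
        "RSA private key": normalize_pem(key["private_key"]),
        "Customer ID": customer_id_for(label, customer_id),
    }

if __name__ == "__main__":
    params = build_feed_params(SAMPLE_KEY_JSON, "feed-user@example.com", "01abc2de", "WORKSPACE_USERS")
    # Show every property except the key material itself.
    print({k: v for k, v in params.items() if k != "RSA private key"})
```
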

 


Legal notice: Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.