SOCFortress Integrations — Google Workspace

SOCFortress
3 min readJan 22, 2024


Intro

SOCFortress integration and visualization tools allow security analysts to visualize and triage Google Workspace security events from a single pane of glass.

About Google Workspace

Google Workspace, formerly known as G Suite, is a suite of cloud-based collaboration and productivity tools developed by Google. It provides a set of applications designed to enhance communication, collaboration, and productivity for businesses, organizations, and educational institutions. Google Workspace encompasses a variety of services, including email, document editing, file storage, video conferencing, and more.

Key components of Google Workspace include:

  • Gmail: An email platform that provides a professional email address for businesses, with features such as spam filtering, integrated chat, and the ability to access emails offline.
  • Google Drive: A cloud-based storage solution for documents, spreadsheets, presentations, and other files. It allows for easy collaboration on documents and provides version history.
  • Google Docs, Sheets, and Slides: Online document, spreadsheet, and presentation editors that enable real-time collaboration. Multiple users can work on the same document simultaneously.
  • Google Calendar: A scheduling and calendar tool that allows users to schedule events, set reminders, and share calendars with others.
  • Google Meet: A video conferencing and online meeting platform that supports virtual meetings, webinars, and screen sharing. It is integrated with other Google Workspace apps.
  • Google Chat: A messaging platform for teams, allowing for direct messaging, group conversations, and file sharing. It is integrated into Gmail and other Google Workspace applications.
  • Google Forms: A tool for creating online forms and surveys, with responses automatically collected and stored in Google Sheets.
  • Google Sites: A website creation tool that allows users to create and publish websites without needing to write code.
  • Google Vault: An archiving and e-discovery service for organizations to retain, archive, and search their data, including emails and files.
  • Security and Administration: Google Workspace provides security features such as two-factor authentication, encryption, and administrative controls for managing users, devices, and security settings.

Google Workspace is designed to enhance collaboration and productivity by providing a seamless and integrated set of tools that can be accessed from various devices with internet connectivity. It is suitable for businesses of all sizes and offers different pricing plans based on the organization’s needs.

Ingesting Google Workspace logs and events

Set up Google Workspace to send audit logs to GCP: configure Google Workspace to forward its audit logs to GCP. Exactly which logs and events get sent to GCP depends on your Google Workspace subscription, but in all cases the steps to achieve this are the same.

Create a PubSub Topic and Subscription to send logs to Observe

Create a Sink to send Google Workspace Audit Logs from GCP Logging to PubSub

Configure the GCP Pub/Sub module (gcp-pubsub) in the Wazuh manager:

<gcp-pubsub>
  <!-- Pull any messages already queued in the subscription when the manager starts -->
  <pull_on_start>yes</pull_on_start>
  <!-- How often the module polls the subscription -->
  <interval>1m</interval>
  <!-- Replace with the GCP project that owns the Pub/Sub subscription -->
  <project_id>project_id</project_id>
  <!-- Replace with the subscription attached to the topic the log sink publishes to -->
  <subscription_name>subscription</subscription_name>
  <!-- Service account key used to pull from the subscription -->
  <credentials_file>/var/ossec/wodles/gcloud/credentials.json</credentials_file>
</gcp-pubsub>

Fields required in the service account credentials file (credentials.json):

  • type
  • project_id
  • private_key_id
  • private_key
  • client_email
  • client_id
  • auth_uri
  • token_uri
  • auth_provider_x509_cert_url
  • client_x509_cert_url
  • universe_domain

Create detection rules to classify and identify Workspace events (example):

<group name="gcp,google_workspace,">
  <rule id="id" level="3">
    <!-- Chain from the parent GCP rule so only decoded GCP events are evaluated -->
    <if_sid>65042</if_sid>
    <!-- Cloud Identity group membership update -->
    <field name="gcp.protoPayload.methodName">^google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership$</field>
    <!-- Both field conditions must match: a BLOCKED role was added to the member -->
    <field name="gcp.protoPayload.metadata.membershipDelta.roleDeltas">BLOCKED</field>
    <field name="gcp.protoPayload.metadata.membershipDelta.roleDeltas">ADD</field>
    <!-- Dynamic fields in the description use the same names as the <field> conditions -->
    <description>$(gcp.protoPayload.metadata.membershipDelta.member) blocked from $(gcp.protoPayload.metadata.group) by $(gcp.protoPayload.authenticationInfo.principalEmail)</description>
  </rule>
  ..............
  ..............
</group>
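To sanity-check what the rule above matches before loading it into the manager, here is an added Python example (not from the original post or from Wazuh) that applies the same field conditions and description template to a constructed group-membership audit event. The `gcp` prefix, the dotted flattening of nested keys and the serialisation of arrays are assumptions about how the decoded event looks.

```python
import json
import re


def membership_event(role, action, member="user@example.com"):
    """Constructed sample LogEntry as the Pub/Sub sink would deliver it, wrapped
    under the "gcp" key the way the Wazuh gcp-pubsub module prefixes events (assumption)."""
    return {"gcp": {"protoPayload": {
        "methodName": "google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "metadata": {"group": "groups/01abc",
                     "membershipDelta": {"member": member,
                                         "roleDeltas": [{"role": role, "action": action}]}},
    }, "severity": "NOTICE"}}


# The page's rule expressed as (field, pattern) pairs plus its description template.
BLOCKED_MEMBER_RULE = {
    "id": "id",
    "level": 3,
    "fields": [
        ("gcp.protoPayload.methodName",
         r"^google\.apps\.cloudidentity\.groups\.v1\.MembershipsService\.UpdateMembership$"),
        ("gcp.protoPayload.metadata.membershipDelta.roleDeltas", "BLOCKED"),
        ("gcp.protoPayload.metadata.membershipDelta.roleDeltas", "ADD"),
    ],
    "description": "$(gcp.protoPayload.metadata.membershipDelta.member) blocked from "
                   "$(gcp.protoPayload.metadata.group) by "
                   "$(gcp.protoPayload.authenticationInfo.principalEmail)",
}


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted keys; lists are serialised to one string so a
    field pattern can match any element (approximation of the decoder, assumption)."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = json.dumps(value) if isinstance(value, list) else str(value)
    return out


def evaluate(rule, event):
    """Return the rendered description if every <field> condition matches, else None."""
    flat = flatten(event)
    for field, pattern in rule["fields"]:
        if field not in flat or not re.search(pattern, flat[field]):
            return None
    return re.sub(r"\$\(([^)]+)\)", lambda m: flat.get(m.group(1), m.group(0)), rule["description"])
```

Feeding a real event pulled from the subscription through `evaluate` is a quick way to confirm the field names before writing further rules.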

Visualizations

Quick stats, landing page:

Events by API call / Workspace component

Google Workspace Auth Events:

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html


SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).