Description
Google Workspace (formerly G Suite) Alert Center provides extensive visibility into threats detected in Workspace tenants. Admins can manage alerts more efficiently through the unified view that the alert center provides. Additionally, it provides insights that help them assess their organization’s exposure to internal and external security issues at the domain and user levels.
The alert center provides several out-of-the-box alerts relating to activities such as phishing, user management, authentication and device management. Integrating these alerts into Elastic SIEM would give analysts the ability to correlate alerts from Workspace with other environmental data and signals. It would serve as a complementary module to our existing Workspace integration, which is based on the Reports API.
Architecture
The Alert Center API can be used to ingest alerts and supporting information.
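To make the ingestion path concrete, here is an added example (not code from this issue or from the elastic/integrations repository) that takes alert resources in the shape returned by the Alert Center API's `alerts.list` method and normalizes them into ECS-shaped events, then derives the `createTime` filter for the next poll. The two sample alerts are constructed, the `SOURCE_TO_CATEGORY` mapping and the `google_workspace.alert.*` field names are assumptions for illustration, and the Google client library is deliberately left out so the block runs offline.

```python
"""Normalize Google Workspace Alert Center alerts into ECS-shaped events.

Added example for this issue; not code from the elastic/integrations repo.
Assumes the alert resource shape of alerts.list (customerId, alertId,
createTime, startTime, endTime, type, source, data) and uses constructed
sample alerts so it runs offline without googleapiclient.
"""
from datetime import datetime, timezone

# Assumption: alert source -> ECS event.category mapping chosen for this example;
# the real integration would settle this during ECS field review.
SOURCE_TO_CATEGORY = {
    "Gmail phishing": ["email"],
    "Google identity": ["authentication"],
    "Mobile device management": ["host"],
    "Domain wide takeout": ["iam"],
}

# Constructed sample alerts (ids, domain and addresses are placeholders).
SAMPLE_ALERTS = [
    {
        "customerId": "C0example",
        "alertId": "00000000-0000-0000-0000-000000000001",
        "createTime": "2021-05-04T10:15:30.123456Z",
        "startTime": "2021-05-04T10:10:00Z",
        "type": "User reported phishing",
        "source": "Gmail phishing",
        "securityInvestigationToolLink": "https://admin.google.com/PLACEHOLDER",
        "data": {
            "@type": "type.googleapis.com/google.apps.alertcenter.type.MailPhishing",
            "domainId": {"customerPrimaryDomain": "example.com"},
            "messages": [
                {"messageId": "m1", "recipient": "bob@example.com", "subjectText": "Invoice"},
                {"messageId": "m2", "recipient": "alice@example.com", "subjectText": "Invoice"},
            ],
        },
    },
    {
        "customerId": "C0example",
        "alertId": "00000000-0000-0000-0000-000000000002",
        "createTime": "2021-05-04T09:00:00Z",
        "type": "Customer abuse detected",
        "source": "Google Operations",
        "data": {"@type": "type.googleapis.com/google.apps.alertcenter.type.GoogleOperations"},
    },
]


def parse_rfc3339(ts):
    """Parse the RFC 3339 timestamps the API returns (any fraction length, 'Z' suffix)."""
    if ts.endswith("Z"):
        ts = ts[:-1]
    if "." in ts:
        base, frac = ts.split(".", 1)
        frac = (frac + "000000")[:6]  # fromisoformat wants exactly 6 fractional digits
        ts = f"{base}.{frac}"
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def normalize(alert):
    """Map one Alert Center alert resource onto ECS fields."""
    data = alert.get("data") or {}
    event = {
        "@timestamp": alert["createTime"],
        "event": {
            "kind": "alert",
            "id": alert["alertId"],
            "created": alert["createTime"],
            "category": SOURCE_TO_CATEGORY.get(alert.get("source"), []),
            "type": ["info"],
            "action": alert.get("type"),
            "provider": alert.get("source"),
            "module": "google_workspace",
            "dataset": "google_workspace.alert",
        },
        "organization": {"id": alert["customerId"]},
        "google_workspace": {  # assumed custom field names
            "alert": {
                "type": alert.get("type"),
                "source": alert.get("source"),
                "data_type": data.get("@type"),
                "investigation_link": alert.get("securityInvestigationToolLink"),
                "deleted": alert.get("deleted", False),
            }
        },
    }
    if "startTime" in alert:
        event["event"]["start"] = alert["startTime"]
    if "endTime" in alert:
        event["event"]["end"] = alert["endTime"]
    domain = (data.get("domainId") or {}).get("customerPrimaryDomain")
    if domain:
        event["organization"]["name"] = domain
    # Phishing alerts carry the offending messages; surface recipients as related.user.
    recipients = sorted({m["recipient"] for m in data.get("messages", []) if m.get("recipient")})
    if recipients:
        event["related"] = {"user": recipients}
    return event


def next_filter(alerts, previous=None):
    """Return the createTime filter for the next alerts.list poll (newest createTime seen).

    A ">=" bound plus dedup on event.id avoids dropping alerts that share the checkpoint instant.
    """
    newest = parse_rfc3339(previous) if previous else None
    for a in alerts:
        t = parse_rfc3339(a["createTime"])
        if newest is None or t > newest:
            newest = t
    if newest is None:
        return None
    return f'createTime >= "{newest.strftime("%Y-%m-%dT%H:%M:%S.%f")}Z"'


if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(normalize(a)["event"])
    print(next_filter(SAMPLE_ALERTS))
```

The checkpoint helper is the piece a pipeline test would most want to cover: a `>` bound would silently skip alerts created in the same microsecond as the last one seen, so the example keeps `>=` and relies on `event.id` for deduplication downstream.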
Integration release checklist
This checklist is intended for integrations maintainers to ensure consistency
when creating or updating a Package, Module or Dataset for an Integration.
All changes
- Change follows the contributing guidelines
- Supported versions of the monitoring target are documented
- Supported operating systems are documented (if applicable)
- Integration or System tests exist
- Documentation exists
- Fields follow ECS and naming conventions
- At least a manual test with ES / Kibana / Agent has been performed.
- Required Kibana version set to:
New Package
- Screenshot of the "Add Integration" page on Fleet added
Dashboards changes
- Dashboards exists
- Screenshots added or updated
- Datastream filters added to visualizations
Log dataset changes
- Pipeline tests exist (if applicable)
- Generated output for at least 1 log file exists
- Sample event (sample_event.json) exists