Integrate Google Alert Center with Google SecOps

This document explains how to integrate the Google Alert Center with Google Security Operations (Google SecOps).

Integration version: 8.0

In the Google SecOps platform, the integration for the alert center is called Google Alert Center.

Use cases

Integrating the alert center with Google SecOps can help you solve the following use cases:

  • Phishing campaign detection: use the Google SecOps capabilities to ingest the alert center notifications about potential phishing emails targeting your organization. Google SecOps can trigger automated workflows to investigate the emails, block malicious URLs, and quarantine affected user accounts.

  • Data exfiltration attempt: use the Google SecOps capabilities to trigger automated incident response, isolate the affected systems, block the malicious actors, and initiate forensic analysis.

  • Malware detection: use the Google SecOps capabilities to quarantine the infected devices, initiate malware scans, and deploy patches.

  • Vulnerability identification: use the Google SecOps capabilities to automatically process the alerts about newly discovered vulnerabilities that affect your organization's systems, prioritize patching efforts, initiate vulnerability scans, and inform relevant teams.

Before you begin

Before you configure the Google Alert Center integration, complete the following steps:

  1. Enable the required API.
  2. Create a service account and credentials.
  3. Assign the Alert Center Viewer role to the service account.
  4. Delegate domain-wide authority to your service account.

Enable the Google Workspace Alert Center API

Enable the Google Workspace Alert Center API in your project in the Google Cloud console:

  1. Go to APIs & Services > Library.

  2. Search for and select the Google Workspace Alert Center API.

  3. Click Enable.

Create a service account

To allow the integration to securely access your Google Alert Center data, you must create a service account in the Google Cloud console to serve as its identity.

For guidance on creating a service account, see Create service accounts.

Create a service account JSON key

To create a JSON key, complete the following steps:

  1. Select the service account you created and go to Keys.

  2. Click Add key > Create new key.

  3. Select JSON as the key type and click Create. The private key automatically downloads to your computer and a confirmation dialog appears, reminding you to store the key securely.

  4. Locate the client_id within the JSON file and copy it for later use when you delegate domain-wide authority to your service account.

Assign the Alert Center Viewer role to your service account

  1. In the Google Cloud console, go to IAM & Admin > IAM.

  2. Locate your service account in the list and click Edit next to its name.

  3. In the Role menu, add the Alert Center Viewer role.

  4. Save the changes.

Delegate domain-wide authority to your service account

To allow the service account to access your users' data, you must grant it domain-wide authority in your Google Admin console.

  1. From your domain's Google Admin console, go to Main menu > Security > Access and data control > API controls.

  2. In the Domain wide delegation pane, select Manage Domain Wide Delegation.

  3. Click Add new.

  4. In the Client ID field, enter the client ID found in the JSON key you created (client_id).

  5. In the OAuth Scopes field, enter the following scope:

    https://www.googleapis.com/auth/apps.alerts

  6. Click Authorize.
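To verify the key, the apps.alerts scope and the impersonation address together before you enter them in Google SecOps, here is an added Python example; it is not part of this document and not Google SecOps code. It assumes the google-auth and google-api-python-client libraries and the public alertcenter v1beta1 discovery API; the sample key is constructed and its private key is a placeholder.

```python
import json

# Scope authorized in the Admin console Domain wide delegation pane.
ALERT_CENTER_SCOPE = "https://www.googleapis.com/auth/apps.alerts"
REQUIRED_KEY_FIELDS = ("type", "client_email", "private_key", "client_id", "token_uri")


def key_problems(info: dict) -> list:
    """Problems that would make delegation fail, or [] for a usable key."""
    problems = [f"missing field {f}" for f in REQUIRED_KEY_FIELDS if not info.get(f)]
    if info.get("type") != "service_account":
        problems.append(f"type is {info.get('type')!r}, not service_account")
    return problems


def load_key_info(key_json: str) -> dict:
    """Parse the downloaded JSON key; info["client_id"] is the Admin console Client ID."""
    info = json.loads(key_json)
    problems = key_problems(info)
    if problems:
        raise ValueError("unusable service account key: " + "; ".join(problems))
    return info


def delegated_credentials(key_json: str, impersonation_email: str):
    """Credentials that act as the impersonated administrator (needs google-auth)."""
    from google.oauth2 import service_account  # assumption: google-auth is installed

    creds = service_account.Credentials.from_service_account_info(
        load_key_info(key_json), scopes=[ALERT_CENTER_SCOPE])
    # with_subject() is what turns domain-wide delegation into an impersonated identity.
    return creds.with_subject(impersonation_email)


def ping(key_json: str, impersonation_email: str) -> bool:
    """Same check as the integration's Ping action: list one alert as the admin."""
    from googleapiclient.discovery import build  # assumption: google-api-python-client

    service = build("alertcenter", "v1beta1",
                    credentials=delegated_credentials(key_json, impersonation_email))
    service.alerts().list(pageSize=1).execute()  # raises HttpError if delegation is wrong
    return True


# Constructed sample key for the checks (not a real credential).
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account", "client_id": "123456789012345678901",
    "client_email": "secops-alerts@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token"})
```

Run `ping(SAMPLE_KEY_JSON, "admin@example.com")` with a real key: a 403 points at the missing Alert Center Viewer role or scope, a 401 at a wrong impersonation address.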

Configure the integration for the alert center in Google SecOps

The integration requires the following parameters:

  • Service Account JSON Secret (Required): The full JSON content of the service account file that you used for authentication to the alert center.

  • Impersonation Email Address (Required): The email address of the user to impersonate, who must have access to the alert center. Enter an administrator email address: the data from the alert center is available only to administrators.

  • Verify SSL (Optional): If selected, the integration verifies that the SSL certificate for connecting to the alert center is valid. Selected by default.

For instructions about configuring an integration in Google SecOps, see Configure integrations.

You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about configuring and supporting multiple instances, see Supporting multiple instances.

Actions

For more information about actions, see Respond to pending actions from your workdesk and Perform a manual action.

Delete Alert

Use the Delete Alert action to delete an alert in the alert center.

After you delete an alert, you can recover it for the following 30 days. You can't recover an alert that you deleted more than 30 days ago.

This action doesn't run on Google SecOps entities.

Action inputs

The Delete Alert action requires the following parameters:

  • Alert ID (Required): The ID of the alert to delete.

Action outputs

The Delete Alert action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available

Output messages

The Delete Alert action can return the following output messages:

  • Output message: Successfully deleted alert with ID RECORD_ID in the alert center.
    Output message: Alert with ID RECORD_ID doesn't exist in the alert center.
    Message description: The action succeeded.

  • Output message: Error executing action "Delete Alert". Reason: ERROR_REASON
    Message description: The action failed. Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Delete Alert action:

Script result name Value
is_success True or False

Ping

Use the Ping action to test the connectivity to the alert center.

This action doesn't run on Google SecOps entities.

Action inputs

None.

Action outputs

The Ping action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available

Output messages

The Ping action can return the following output messages:

  • Output message: Successfully connected to the alert center server with the provided connection parameters!
    Message description: The action succeeded.

  • Output message: Failed to connect to the alert center server! Error is ERROR_REASON
    Message description: The action failed. Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Ping action:

Script result name Value
is_success True or False

Connectors

For detailed instructions on how to configure a connector in Google SecOps, see Ingest your data (connectors).

Google Alert Center – Alerts Connector

Use the Google Alert Center – Alerts Connector to retrieve information about alerts from the alert center.

The dynamic list filter works with the type parameter.

The Google Alert Center – Alerts Connector requires the following parameters:

  • Product Field Name (Required): The name of the field where the product name is stored. The default value is source.

  • Event Field Name (Required): The name of the field used to determine the event name (subtype). The default value is type.

  • Environment Field Name (Optional): The name of the field where the environment name is stored. If the environment field isn't found, the environment is set to the default environment. The default value is "".

  • Environment Regex Pattern (Optional): A regular expression pattern to run on the value found in the Environment Field Name field. This parameter lets you manipulate the environment field using the regular expression logic. Use the default value .* to retrieve the raw Environment Field Name value. If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment.

  • PythonProcessTimeout (Required): The timeout limit in seconds for the Python process that runs the current script. The default value is 180.

  • Service Account JSON Secret (Required): The full JSON content of the service account file that you used for authentication to the alert center.

  • Impersonation Email Address (Required): The email address of the user to impersonate, who must have access to the alert center. Enter an administrator email address: the data from the alert center is available only to administrators.

  • Verify SSL (Optional): If selected, the integration verifies that the SSL certificate for connecting to the alert center is valid. Selected by default.

  • Max Hours Backwards (Optional): The number of hours before the first connector iteration from which to retrieve alerts. This parameter applies to the initial connector iteration after you enable the connector for the first time, and it is the fallback value for an expired connector timestamp. The default value is 1 hour.

  • Max Alerts To Fetch (Optional): The maximum number of alerts to retrieve for every connector iteration. The maximum number is 100.

  • Lowest Severity To Fetch (Optional): The lowest severity of alerts to retrieve.

  • Use whitelist as a blacklist (Optional): If selected, the connector uses the dynamic list as a blocklist. Not selected by default.

  • Proxy Server Address (Optional): The address of the proxy server to use.

  • Proxy Username (Optional): The proxy username to authenticate with.

  • Proxy Password (Optional): The proxy password to authenticate with.
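To make the filter parameters concrete, the following added Python example (an illustration written for this page, not the connector's own code) applies Environment Field Name and Environment Regex Pattern, the dynamic list on the type field with the blocklist switch, Lowest Severity To Fetch, and the 100-alert cap to constructed sample alerts. The severity strings, the treatment of an empty dynamic list, and a non-matching regex falling back to the default environment are assumptions.

```python
import re

MAX_ALERTS_LIMIT = 100  # "The maximum number is 100."
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}  # assumption: Alert Center severity strings


def resolve_environment(alert, env_field, env_regex, default_env):
    """Environment Field Name plus Environment Regex Pattern, with the documented fallbacks."""
    value = alert.get(env_field) if env_field else None
    if not env_regex or value is None:  # null/empty pattern or null value -> default environment
        return default_env
    match = re.search(env_regex, str(value))
    return match.group(0) if match else default_env  # assumption: no match -> default environment


def passes_type_list(alert, dynamic_list, use_as_blocklist):
    """The dynamic list works on the type field; 'Use whitelist as a blacklist' inverts it."""
    if not dynamic_list:
        return True  # assumption: an empty dynamic list filters nothing
    listed = alert.get("type") in dynamic_list
    return not listed if use_as_blocklist else listed


def passes_severity(alert, lowest):
    """Lowest Severity To Fetch: keep alerts at or above the configured severity."""
    severity = alert.get("metadata", {}).get("severity", "")
    return not lowest or SEVERITY_RANK.get(severity, -1) >= SEVERITY_RANK.get(lowest.upper(), 0)


def select_alerts(alerts, params):
    """Filter one iteration's alerts, cap the batch at the limit, and tag each with its environment."""
    limit = min(params.get("max_alerts", MAX_ALERTS_LIMIT), MAX_ALERTS_LIMIT)
    chosen = []
    for alert in alerts:
        if len(chosen) == limit:
            break
        if (passes_type_list(alert, params.get("dynamic_list"), params.get("blocklist", False))
                and passes_severity(alert, params.get("lowest_severity", ""))):
            env = resolve_environment(alert, params.get("env_field", ""), params.get("env_regex", ".*"),
                                      params.get("default_env", "Default Environment"))
            chosen.append({**alert, "environment": env})
    return chosen


# Constructed sample alerts shaped like Alert Center records (source = product, type = subtype).
SAMPLE_ALERTS = [
    {"alertId": "a1", "source": "Gmail phishing", "type": "User reported phishing",
     "metadata": {"severity": "HIGH"}},
    {"alertId": "a2", "source": "Google identity", "type": "Suspicious login",
     "metadata": {"severity": "LOW"}},
    {"alertId": "a3", "source": "Device management", "type": "Device compromised",
     "metadata": {"severity": "MEDIUM"}},
]
```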

Connector rules

The connector supports proxies.
