This article explains how to ingest your Gsuite Activities and Alerts logs to Hunters. Following the guide bellow will allow Hunters to collect your Gsuite logs and ingest them to our database in a predefined schema, and then use these logs in our dedicated hunting mechanism.
Supported data types
- Gsuite Activities: logs for various Gsuite applications (admin, calendar, drive etc.). Full list of applications can be found here.
- Gsuite Alerts: alerts created by Gsuite (e.g. 'Spike in user reported spam', 'Suspicious device activity'). Full list can be found here.
- Gsuite Directory Users: a snapshot of all users in the Gsuite account (schema can be found here).
Sending data to Hunters
In order to enable Hunters' collection & ingestion of Gsuite for your account, follow the next steps:
- Create a new Google Project, named 'Hunters Gsuite Ingesion', following Steps 1-3 in this guide. In particular, during Step 2 enable the 2 APIs:
Admin SDK API&
Google Workspace Alert Center API.
- In this project, create a new Service Account, by following Step 4 in the same guide.
- Following this guide, add the following Scopes to the Service account:
- Generate a credentials file for the service account in a JSON format and supply Hunters this file.
- The Gsuite Service Account requires an impersonation email address to be used in the API querying. Hence, please also provide an email address only (WITHOUT credentials) of a google account that has Admin privileges in your Gsuite account. For sustainability purposes, this email account should be permanent and not deleted in the future.
Data Collection Hermeticity
According to various sources (e.g. here), the internal reporting mechanism in several Google Applications has delay. To cope with this issue, we collect the events using the API with an inherent 1 hour delay. Even so, the ingestion may result in gaps in the ingested data.