[google_workspace] Add support for Alert Data Stream

packages/google_workspace/_dev/build/docs/README.md

@@ -24,12 +24,89 @@ In order to ingest data from the Google Reports API you must:
 - [Set up access to the Admin SDK API](https://support.google.com/workspacemigrate/answer/9222865?hl=en) for the ServiceAccount.
 - [Enable Domain-Wide Delegation](https://developers.google.com/admin-sdk/reports/v1/guides/delegation) for your ServiceAccount.
 
-This module will make use of the following *oauth2 scope*:
+This integration will make use of the following *oauth2 scope*:
 
 - `https://www.googleapis.com/auth/admin.reports.audit.readonly`
 
 Once you have downloaded your service account credentials as a JSON file, you are ready to set up your integration.
 
+Click the Advanced option of Google Workspace Audit Reports. The default value of "API Host" is `https://www.googleapis.com`. The API Host will be used for collecting `admin`, `drive`, `groups`, `login`, `saml`, and `user accounts` logs.
+
+# Google Workspace Alert
+
+The [Google Workspace](https://developers.google.com/admin-sdk/alertcenter) Integration collects and parses data received from the Google Workspace Alert Center API using HTTP JSON Input.
+
+## Compatibility
+
+- Alert Data Stream has been tested against `Google Workspace Alert Center API (v1)`.
+
+- Following Alert types have been supported in the current integration version:
+    1. Customer takeout initiated
+    2. Malware reclassification
+    3. Misconfigured whitelist
+    4. Phishing reclassification
+    5. Suspicious message reported
+    6. User reported phishing
+    7. User reported spam spike
+    8. Leaked password
+    9. Suspicious login
+    10. Suspicious login (less secure app)
+    11. Suspicious programmatic login
+    12. User suspended
+    13. User suspended (spam)
+    14. User suspended (spam through relay)
+    15. User suspended (suspicious activity)
+    16. Google Operations
+    17. Configuration problem
+    18. Government attack warning
+    19. Device compromised
+    20. Suspicious activity
+    21. AppMaker Default Cloud SQL setup
+    22. Activity Rule
+    23. Data Loss Prevention
+    24. Apps outage
+    25. Primary admin changed
+    26. SSO profile added
+    27. SSO profile updated
+    28. SSO profile deleted
+    29. Super admin password reset
+    30. Account suspension warning
+    31. Calendar settings changed
+    32. Chrome devices auto-update expiration warning
+    33. Customer takeout initiated
+    34. Drive settings changed
+    35. Email settings changed
+    36. Gmail potential employee spoofing
+    37. Mobile settings changed
+    38. New user added
+    39. Reporting Rule
+    40. Suspended user made active
+    41. User deleted
+    42. User granted Admin privilege
+    43. User suspended (spam)
+    44. User's Admin privileges revoked
+    45. Users password changed
+    46. Google Voice configuration problem detected
+
+
+## Requirements
+
+In order to ingest data from the Google Alert Center API, you must:
+
+- Have an *administrator account*.
+- [Set up a ServiceAccount](https://support.google.com/workspacemigrate/answer/9222993?hl=en) using the Administrator Account.
+- [Set up access to the Admin SDK API](https://support.google.com/workspacemigrate/answer/9222865?hl=en) for the ServiceAccount.
+- [Enable Domain-Wide Delegation](https://developers.google.com/admin-sdk/reports/v1/guides/delegation) for the ServiceAccount.
+
+This integration will make use of the following *oauth2 scope*:
+
+- `https://www.googleapis.com/auth/apps.alerts`
+
+Once Service Account credentials are downloaded as a JSON file, then the integration can be setup to collect data.
+
+
+>  Note: The default value of the "Page Size" is set to 1000. This option is available under 'Alert' Advance options. Set the parameter "Page Size" according to the requirement. For Alert Data Stream, The default value of "Alert Center API Host" is `https://alertcenter.googleapis.com`. The Alert Center API Host will be used for collecting alert logs only.
+
 ## Logs
 
 ### Google Workspace Reports ECS fields
@@ -94,3 +171,11 @@ This is the `groups` dataset.
 {{event "groups"}}
 
 {{fields "groups"}}
+
+### Alert
+
+This is the `alert` dataset.
+
+{{event "alert"}}
+
+{{fields "alert"}}

packages/google_workspace/_dev/deploy/docker/config.yml

@@ -15,6 +15,22 @@ rules:
         body: |
           {"access_token": "1/fFAGRNJru1FTz70BzhT3Zg","expires_in": 3920,"token_type": "Bearer",
           "scope": "https://www.googleapis.com/auth/admin.reports.audit.readonly","refresh_token": "1//xEoDL4iW3cxlI7yDbSRFYNG01kVKM2C-259HOF2aQbI"}
+  - path: /v1beta1/alerts
+    methods: [GET]
+    query_params:
+      filter: "{createTime:.*}"
+    request_headers:
+      Accept:
+        - "application/json"
+      Authorization:
+        - "Bearer 1/fFAGRNJru1FTz70BzhT3Zg"
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - "application/json"
+        body: |
+          {"alerts":[{"alertId":"91840a82-3af0-46d7-95ec-625c1cf0c3f7","createTime":"2022-07-01T10:49:29.436394Z","customerId":"02umwv6u","data":{"@type":"type.googleapis.com/google.apps.alertcenter.type.MailPhishing","domainId":{"customerPrimaryDomain":"example.com"},"maliciousEntity":{"entity":{"emailAddress":"example@example.com","displayName":"example"},"fromHeader":"header@example.com","displayName":"string"},"messages":[{"attachmentsSha256Hash":["50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c","228b48a56dbc2ecf10393227ac9c9dc943881fd7a55452e12a09107476bef2b2"],"date":"2022-07-01T10:38:13.194711Z","md5HashMessageBody":"d29343907090dff4cec4a9a0efb80d20","md5HashSubject":"a3708f8228384d932237f85980ff8283","messageBodySnippet":" hi greetings from sales ","messageId":"decedih843@example.com","recipient":"example@example.com","subjectText":"Sales"},{"attachmentsSha256Hash":["5fb1679e08674059b72e271d8902c11a127bb5301b055dc77fa03932ada56a56"],"md5HashMessageBody":"d29343907090dff4cec4a9a0efb80d20","md5HashSubject":"a3708f8228384d932237f85980ff8283","messageBodySnippet":" hi greetings ","messageId":"decedih@example.com","recipient":"example@example.com","subjectText":"RE: Example salesorderspca JSON request"}],"isInternal":true,"systemActionType":"NO_OPERATION"},"endTime":"2022-07-01T10:47:04.530834Z","etag":"wF2Ix2DWDv8=","metadata":{"alertId":"91840a82-3af0-46d7-95ec-625c1cf0c3f7","customerId":"02umwv6u","etag":"wF2Ix2DWDv8=","assignee":"example@example.com","severity":"HIGH","status":"NOT_STARTED","updateTime":"2022-07-01T10:49:29.436394Z"},"securityInvestigationToolLink":"string","deleted":false,"source":"Gmail phishing","startTime":"2022-07-01T10:38:13.194711Z","type":"User reported phishing","updateTime":"2022-07-01T10:49:29.436394Z"}]}
   - path: /admin/reports/v1/activity/users/all/applications/admin
     methods: [GET]
     query_params:

packages/google_workspace/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.0.0"
+  changes:
+    - description: Add New Alert Data Stream.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3837
 - version: "1.7.1"
   changes:
     - description: Use ECS geo.location definition.