airbnb / streamalert

StreamAlert is a serverless, realtime data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using datasources and alerting logic you define.
https://streamalert.io
Apache License 2.0

Add additional G-Suite Admin Audit types. #1260

Closed gavinelder closed 4 years ago

gavinelder commented 4 years ago

cc: @airbnb/streamalert-maintainers

Background

When configuring the GSuite collector I noticed a number of additional audit endpoints had been added, and upon investigation I noticed some further additions by Google not present in SA. The following PR adds these.

Changes

Addition of the following Audit endpoints.

  1. GCP
  2. Meet
  3. SAML

Notes

The SAML audit app was removed in https://github.com/airbnb/streamalert/pull/1046 as deprecated; however, I cannot see anything to suggest that Google has done this (this does not mean they have not: undocumented changes are a normal Google move). However, I think this was replaced with the token app, which has a similar feature set but is not a complete replacement.

Testing

Deployed and confirmed ingestion; no rules written around these yet.

gavinelder commented 4 years ago

Should add some documentation for this, but to set up the GSuite collector:

Create a GSuite Service account with G-Suite delegation rights

In the above guide replace the scopes with

https://www.googleapis.com/auth/admin.reports.audit.readonly
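As an added example (not StreamAlert's code, nor the PR author's), the Python below shows two things a practitioner setting this up will want to see: the claim set a domain-wide-delegated service account presents for the JWT-bearer grant with the scope quoted above, and how a Reports API activity record for one of the new applications (here `saml`) flattens into per-event rows that a rule can match on. Assumptions, labelled as such: the Admin SDK Reports API v1 activity schema (`id.time`, `id.applicationName`, `actor.email`, `ipAddress`, and `events[].parameters[]` each with a `name` plus exactly one typed value field), Google's OAuth2 token endpoint as the assertion audience, and the constructed sample record. Signing of the assertion is omitted so the example runs offline.

```python
"""Added example, not StreamAlert's own code: the OAuth2 claim set used with
G Suite domain-wide delegation, and the shape of the Reports API records the
GSuite collector ingests, flattened to one row per event.

Assumptions (labelled): Reports API v1 activity schema, Google's token
endpoint as `aud`, and the constructed sample record below.
"""
import time

# Scope named in the comment above: read-only access to the audit reports.
AUDIT_SCOPE = "https://www.googleapis.com/auth/admin.reports.audit.readonly"

# Assumed: Google's OAuth2 token endpoint, which is the `aud` of the assertion.
TOKEN_AUDIENCE = "https://oauth2.googleapis.com/token"


def delegated_jwt_claims(service_account_email, admin_to_impersonate,
                         scope=AUDIT_SCOPE, now=None):
    """Claim set for the JWT-bearer grant used with domain-wide delegation.

    Delegation is what makes `sub` meaningful: Google issues an access token
    acting as that admin, so the Reports API call is authorised by the admin's
    privileges, not the service account's. The service account signs these
    claims (RS256) with its private key; signing is left out here.
    """
    iat = int(time.time() if now is None else now)
    return {
        "iss": service_account_email,
        "sub": admin_to_impersonate,
        "scope": scope,
        "aud": TOKEN_AUDIENCE,
        "iat": iat,
        "exp": iat + 3600,  # assertions valid for more than one hour are rejected
    }


def flatten_activity(record):
    """Turn one Reports API activity record into one flat dict per event."""
    ident = record["id"]
    base = {
        "time": ident["time"],
        "application": ident["applicationName"],
        "actor": record.get("actor", {}).get("email"),
        "ip_address": record.get("ipAddress"),
    }
    rows = []
    for event in record.get("events", []):
        row = dict(base, event_type=event.get("type"), event_name=event.get("name"))
        for param in event.get("parameters", []):
            # Each parameter carries its name plus exactly one typed value field.
            for field in ("value", "intValue", "boolValue", "multiValue"):
                if field in param:
                    row[param["name"]] = param[field]
                    break
        rows.append(row)
    return rows


def saml_login_failure(row):
    """Example rule logic over a flattened row: a failed SSO login to a SAML app."""
    return row["application"] == "saml" and row["event_name"] == "login_failure"


# Constructed sample record, modelled on the Reports API `saml` activity schema.
SAMPLE_SAML_ACTIVITY = {
    "kind": "admin#reports#activity",
    "id": {
        "time": "2020-06-01T12:00:00.000Z",
        "uniqueQualifier": "1",
        "applicationName": "saml",
        "customerId": "C0example",
    },
    "actor": {"email": "user@example.com", "profileId": "100000000000000000001"},
    "ipAddress": "203.0.113.10",
    "events": [
        {
            "type": "login",
            "name": "login_failure",
            "parameters": [
                {"name": "application_name", "value": "Salesforce"},
                {"name": "failure_type", "value": "failure_app_not_configured_for_user"},
                {"name": "orgunit_path", "value": "/Engineering"},
            ],
        }
    ],
}

if __name__ == "__main__":
    for flat in flatten_activity(SAMPLE_SAML_ACTIVITY):
        print(flat, "-> alert" if saml_login_failure(flat) else "-> no alert")
```

The `sub` claim is the admin whose privileges the collector borrows; the delegation grant in the Admin console must list exactly the scope above for the service account's client ID, otherwise the token exchange fails regardless of what the claims say.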