Wazuh wodle that integrates all Google Workspace audit events (including Drive, Groups, Calendar, SAML and Admin).
Advantages with respect to the standard Google GCP integration provided by Wazuh:
- does not require complex Pub / Sub configuration
- integrates all auditable Google Workspace events / product types visible in Google Workspace Reporting (i.e. Drive, Calendar, Admin, etc)
- integrates the alerts visible in Google Workspace Alert Center
- includes rules with sensible levels (based on the equivalent actions in the O365 integration)
- only covers Google Workspace audit events and Google Workspace Alert Center, not GCP
- batch-driven instead of event-driven, resulting in a delay between the event and it's recovery
- the
@timestampof events is the moment of injection, not the moment of the event, which is stored indata.timestamp - tested on an organisation with 100 users (if you have successfully deployed on a bigger organisation, please let me know)
Just follow the installation procedure several times. So:
- create a service account in each tenant
- create separate directories
- /var/ossec/wodles/gworkspace-tenant-A/
- /var/ossec/wodles/gworkspace-tenant-B/
- etc
- create the respective service accounts, and place them in the
service_account_key.jsonof their directories. - in
ossec.confcreate separate<wodle>entries, where the<command>is changed:
<wodle name="command">
<disabled>no</disabled>
<tag>gworkspace</tag>
<command>/var/ossec/wodles/gworkspace-tenant-A/gworkspace -a all -o 2</command>
<interval>10m</interval>
<ignore_output>no</ignore_output>
<run_on_start>yes</run_on_start>
<timeout>0</timeout>
</wodle>
All the events include a data.gworkspace.customerIdthat identifies the Google Workspace customer. If you want a specific label you can add a <tag>name</tag> to the ossec.conf.