Ingesting Google Workspace alerts troubleshooting

Hi all,

I'm following Google's documentation to ingest Google Workspace alerts via the Feed method. However, I try to follow the principle of least privilege for the impersonation account. The documentation is a bit contradictory in my opinion due to the following:

1. A custom role needs to be created for the impersonation account (for google workspace alerts that should be: Privileges > Services > Alert Center > Full Access > View access)
2. But then it is still required to assign the super admin role to the impersonation account (making the custom role obsolete).

I performed troubleshooting with and without the super admin role & custom role, and this results in the fact that the account really does need the super admin role to fetch alerts from Alert Center. See below an overview for reference:

1: API call without custom role and without super admin role: HTTP 403 Forbidden
2: API call with custom role but without super admin role: HTTP 200 + exit code 0 but does NOT fetch alerts.
3: API call with custom role AND super admin role (making custom role obsolete though): HTTP 200 + results > does fetch alerts.

Any guidance or tips to configure a (POLP) custom role without assigning the super admin role to the impersonation account? Thanks in advance.

Documentation reference: https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-workspace-logs#before-you-... 
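The three outcomes listed above (403, 200 with no alerts, 200 with alerts) can be reproduced outside the Chronicle feed to check an impersonation account's role set before wiring it into the SIEM. The script below is an added example, not code from the original post or from Google; it assumes the public Alert Center REST endpoint for alerts.list (v1beta1), the apps.alerts OAuth scope, and a service-account key with domain-wide delegation for the impersonated user. The google-auth helper is imported lazily, so the classification logic runs without that package installed.

```python
"""
Probe the Google Workspace Alert Center API as an impersonated account and
classify the outcome the way the troubleshooting table in the post does.

Added example (not from the post or from Google). Assumptions, labelled:
- ALERT_CENTER_URL is the public REST endpoint for alerts.list (v1beta1).
- The caller supplies an OAuth2 access token minted for the impersonated
  user through a service account with domain-wide delegation and the scope
  https://www.googleapis.com/auth/apps.alerts; get_delegated_token() shows
  one way to do that with the google-auth library.
"""
import json
import urllib.error
import urllib.request

ALERT_CENTER_URL = "https://alertcenter.googleapis.com/v1beta1/alerts"
ALERTS_SCOPE = "https://www.googleapis.com/auth/apps.alerts"


def classify_probe(status: int, body: dict) -> str:
    """Map an HTTP status plus parsed JSON body to the post's scenarios.

    Scenario 1: 403            -> "no-privilege": the account has no Alert Center
                                  privilege at all.
    Scenario 2: 200, no alerts -> "empty-result": the privilege check passes but
                                  the account cannot see alerts; the role set is
                                  too narrow (the accepted answer adds the
                                  Reports privilege).
    Scenario 3: 200 + alerts   -> "sufficient": the role set is enough.
    """
    if status == 403:
        return "no-privilege"
    if status == 200:
        alerts = body.get("alerts") or []
        return "sufficient" if alerts else "empty-result"
    return f"unexpected-{status}"


def probe_alert_center(token: str, page_size: int = 10) -> tuple[int, dict]:
    """Call alerts.list with a bearer token; return (status, parsed body).

    HTTP errors are returned rather than raised so a 403 can be classified.
    """
    req = urllib.request.Request(
        f"{ALERT_CENTER_URL}?pageSize={page_size}",
        headers={"Authorization": f"Bearer {token}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        raw = err.read().decode("utf-8", errors="replace")
        try:
            payload = json.loads(raw)
        except json.JSONDecodeError:
            payload = {"raw": raw}
        return err.code, payload


def get_delegated_token(sa_key_file: str, subject: str) -> str:
    """Mint an access token for `subject` via domain-wide delegation.

    Assumes the google-auth package (plus requests) and a service-account key
    whose client ID has been authorised for ALERTS_SCOPE in the Admin console.
    Imported lazily so the rest of this module has no third-party dependency.
    """
    from google.auth.transport.requests import Request
    from google.oauth2 import service_account

    creds = service_account.Credentials.from_service_account_file(
        sa_key_file, scopes=[ALERTS_SCOPE]
    ).with_subject(subject)
    creds.refresh(Request())
    return creds.token


if __name__ == "__main__":
    import sys

    if len(sys.argv) != 3:
        sys.exit("usage: probe.py <service-account-key.json> <impersonated-user@example.com>")
    status, body = probe_alert_center(get_delegated_token(sys.argv[1], sys.argv[2]))
    print(status, classify_probe(status, body))
```

Run it once per role combination while adjusting the custom role in the Admin console; a result of "empty-result" is the silent case from scenario 2, where the feed reports success but ingests nothing, so it is the one to watch for rather than the 403.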

ACCEPTED SOLUTION

Haven't got a response from support yet, but with a second phase of troubleshooting I've found the least-privilege working solution: the impersonation account needs two roles (making the super admin role not necessary). This enables the collection of Workspace alerts into the SecOps SIEM:

1. Privileges > Services > Alert Center > Full Access > View access
2. Privileges > Reports

Printscreen from admin console: [image: b41s_0-1746693601185.png]


3 REPLIES

@b41s Have you worked with support at all on this issue? It might help as they can review the GCP logs to see why you are getting the errors you are seeing in your scenarios 1 & 2.

Thanks a lot @kentphelps for your reply, yes, I'm in contact with support as we speak. Awaiting the follow-up steps.
