I am trying to forward the alerts that appear in admin.google.com > Security > Alert centre to a SOC.
My question is: how can I explicitly send alerts to my SOC, and not only audited_resource?
When I go to "Rules" and edit a rule, for example Suspicious login, it can only send the alert to the Alert centre and email users who are part of my organization. The SOC is not part of my organization, so I am unsure how to send the alerts to them.
The SOC tool can read email, read from Pub/Sub, read from Buckets, etc.
I managed to send audited_resource by following the procedure below, but it does not send alerts, only audited_resource.
1 Enable data sharing in Workspace
Enable data sharing to store Workspace logs in your GCP. Go to Account settings → Legal and compliance → Sharing options → Enabled
2 Setup Project “SOC-Monitoring”
Go to console.cloud.google.com -> Create Project
- Project name: SOC-Monitoring
3 Create a pub/sub
Go to SOC-Monitoring > Topics > + Create Topic
- Topic ID: workspace-to-soc
Keep the default settings, which also auto-create the subscription workspace-to-soc-sub.
4 Find the logs
Change from project view to organization view; this is the top level, it should have the same name as your domain and have a building/office icon beside it.
Go to Project level > Logging > Log Router > + Sink
- Sink name: workspace-logs-to-soc
- Sink description: Sends Google Workspace (admin.google.com) logs to SOC
- Sink destination: Other resource
- Path: pubsub.googleapis.com/projects/PROJECT_ID/topics/workspace-to-soc
- Choose logs:
resource.type="audited_resource"
5 Create Google Cloud Service Account for SOC
Go to SOC-Monitoring > IAM > Service accounts > + Create Service Account
Service account details:
- Service account name: soc-read-from-pub-sub-to-soc
- Service account ID: soc-read-from-pub-sub
- Service account description: SOC reads data from topics and stores them so that the SOC can generate alerts on them
Grant role
- Role: Pub/Sub Subscriber
After the service account is created, go back to Service accounts and click the newly created account.
Go to KEYS > ADD KEY > Create new key (JSON)
Copy and store the full JSON block.
Published by: admin. Please credit the source when reposting: http://www.yc00.com/questions/1745049790a4608317.html
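The five console steps in the post, scripted with gcloud so they can be reproduced and reviewed. This is an added example and not code from the original post; it assumes gcloud is installed and authenticated as an organization administrator, and takes the numeric ORG_ID and the SOC-Monitoring PROJECT_ID as placeholders. Two things differ from the clicks described above: the sink's writer identity is explicitly granted Pub/Sub Publisher on the topic (Cloud Logging publishes through that identity, and without the binding the sink reports errors instead of delivering entries), and the SOC service account gets Pub/Sub Subscriber on the single subscription rather than on the whole project. Resource names are the ones from the post; the key file name and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: scripts steps 3-5 with gcloud.
# Assumptions: gcloud is installed and authenticated as an org admin; $1 is the
# numeric organization ID, $2 is the SOC-Monitoring project ID.
# Usage: sh soc-sink.sh ORG_ID PROJECT_ID
set -eu

TOPIC="workspace-to-soc"
SUB="workspace-to-soc-sub"
SINK="workspace-logs-to-soc"
SA_ID="soc-read-from-pub-sub"
KEY_FILE="soc-read-from-pub-sub.json"   # assumed file name

# Pure helpers (no gcloud calls) so the naming can be checked before anything is created.
sink_destination() {   # $1 = project id, $2 = topic id -> Log Router destination path
  printf 'pubsub.googleapis.com/projects/%s/topics/%s\n' "$1" "$2"
}
sink_filter() {        # the same inclusion filter the post enters under "Choose logs"
  printf 'resource.type="audited_resource"\n'
}
sa_member() {          # $1 = project id, $2 = service account id -> IAM member string
  printf 'serviceAccount:%s@%s.iam.gserviceaccount.com\n' "$2" "$1"
}

provision() {          # $1 = org id, $2 = project id
  org="$1"; project="$2"

  # Step 3: topic plus the pull subscription the console creates automatically.
  gcloud pubsub topics create "$TOPIC" --project="$project"
  gcloud pubsub subscriptions create "$SUB" --topic="$TOPIC" --project="$project"

  # Step 4: organization-level sink routing audited_resource entries to the topic.
  gcloud logging sinks create "$SINK" "$(sink_destination "$project" "$TOPIC")" \
    --organization="$org" \
    --log-filter="$(sink_filter)" \
    --description="Sends Google Workspace (admin.google.com) logs to SOC"

  # Logging publishes through a sink-specific writer identity. It must be allowed
  # to publish to the topic, otherwise the Log Router shows sink errors and nothing
  # arrives in the subscription.
  writer="$(gcloud logging sinks describe "$SINK" --organization="$org" \
              --format='value(writerIdentity)')"
  gcloud pubsub topics add-iam-policy-binding "$TOPIC" --project="$project" \
    --member="$writer" --role=roles/pubsub.publisher

  # Step 5: SOC service account. The post grants Pub/Sub Subscriber on the project;
  # binding it on the one subscription is enough and follows least privilege.
  gcloud iam service-accounts create "$SA_ID" --project="$project" \
    --display-name="soc-read-from-pub-sub-to-soc" \
    --description="SOC reads data from topics and stores them so that the SOC can generate alerts on them"
  gcloud pubsub subscriptions add-iam-policy-binding "$SUB" --project="$project" \
    --member="$(sa_member "$project" "$SA_ID")" --role=roles/pubsub.subscriber

  # Equivalent of KEYS > ADD KEY > Create new key (JSON). This is a long-lived
  # credential for the SOC identity: keep it out of version control.
  gcloud iam service-accounts keys create "$KEY_FILE" \
    --iam-account="$SA_ID@$project.iam.gserviceaccount.com" --project="$project"
  chmod 600 "$KEY_FILE"

  # Smoke test: after a Workspace event has occurred, a pull should return a
  # LogEntry whose resource.type is "audited_resource".
  gcloud pubsub subscriptions pull "$SUB" --project="$project" --limit=5
}

# Only provision when both IDs are given; without arguments the helpers are
# just defined, so the file can be sourced for checks.
if [ "$#" -eq 2 ]; then
  provision "$1" "$2"
fi
```

The script stops at the first failing command because of `set -e`, so a missing permission on the writer identity or a pre-existing topic surfaces immediately rather than leaving a half-built pipeline. The final pull only proves that the sink delivers what the filter matches; it does not change which entries the filter selects.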