
Google Workspace Alerts

Google Workspace Alert Center surfaces security alerts across your Google Workspace domain — phishing detections, data loss prevention (DLP) violations, device compromises, state-sponsored attack warnings, suspicious logins, and more. RunReveal polls the Alert Center API every 60 seconds and ingests each alert as an event.

Connecting Google Workspace Alerts requires a Google Workspace administrator who can:

  • Create a GCP service account and enable the Alert Center API
  • Perform domain-wide delegation in the Google Admin Console

Set Up a Google Cloud Project and Enable the Alert Center API

  1. Go to the Google Cloud Console.
  2. Create a new project or select an existing one.
  3. Navigate to APIs & Services > Dashboard.
  4. Click + ENABLE APIS AND SERVICES, search for Google Workspace Alert Center API, and enable it.
  5. Go to Credentials > + CREATE CREDENTIALS > Service account.
  6. Give the service account a descriptive name (e.g. runreveal-alerts) and click Create and Continue.
  7. Click on the service account, go to Keys > Add Key > Create new key > JSON. Download the JSON file — this is your credential file.

Grant Domain-Wide Delegation in Google Admin Console

  1. Go to the Google Admin Console.
  2. Navigate to Security > Access and data control > API controls.
  3. Under Domain wide delegation, click Manage Domain Wide Delegation.
  4. Click Add new and enter the Client ID of your service account (found in the service account’s details page in the GCP Console).
  5. In the OAuth Scopes field, enter:
    https://www.googleapis.com/auth/apps.alerts
  6. Click Authorize.

Add the Google Workspace Alerts Source to RunReveal

In the RunReveal dashboard, select Google Workspace Alerts on the sources page.

  1. Give your source a descriptive name.
  2. Set the Subject field to the email address of a Google Workspace administrator in your domain. This is the account the service account will impersonate when calling the API.
  3. Either use the file picker to select your credential.json file, or paste its contents into the Credential text area.

Click Verify Settings and Connect to save your new source.
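
A pre-flight check for the setup steps above, as an added example that is not RunReveal's code: it validates the downloaded key file, returns the Client ID and scope to enter in the delegation form, and builds the token-request claim set in which the Subject address appears as `sub`. The name `preflight` and the sample key are constructed for illustration; the field names assume Google's standard service account key layout.

```python
import json
import time

ALERTS_SCOPE = "https://www.googleapis.com/auth/apps.alerts"
REQUIRED = ("type", "client_id", "client_email", "private_key", "token_uri")

# Constructed sample in the standard service account key layout (not a real key).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_id": "100000000000000000001",
    "client_email": "runreveal-alerts@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def preflight(key_json, subject, now=None):
    """Return (problems, delegation, claims) for a key file and Subject address."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"credential is not valid JSON: {exc}"], None, None
    if not isinstance(key, dict):
        return ["credential JSON must be an object"], None, None
    problems = []
    missing = [f for f in REQUIRED if not key.get(f)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    # Rejects OAuth client-secret files, which carry no "type" field.
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    if "BEGIN PRIVATE KEY" not in str(key.get("private_key", "")):
        problems.append("private_key is not a PEM private key")
    # Subject is the impersonated admin, never the service account itself.
    if "@" not in subject or subject == key.get("client_email"):
        problems.append("subject must be a Workspace admin's email address")
    if problems:
        return problems, None, None
    # Values for the Admin Console "Add new" delegation form (steps 4 and 5).
    delegation = {"client_id": key["client_id"], "oauth_scopes": ALERTS_SCOPE}
    iat = int(time.time() if now is None else now)
    # Claim set a client signs with private_key and posts to token_uri.
    claims = {"iss": key["client_email"], "sub": subject, "scope": ALERTS_SCOPE,
              "aud": key["token_uri"], "iat": iat, "exp": iat + 3600}
    return [], delegation, claims


if __name__ == "__main__":
    print(preflight(SAMPLE_KEY, "admin@example.com"))
```

The `scope` claim carries only the single Alert Center scope, which is the same value authorized in the delegation form.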

Verify It’s Working

Once added, alerts should begin flowing within a minute. You can validate that RunReveal is receiving your alerts by running the following SQL query in Log Explorer:

SELECT * FROM runreveal.logs WHERE sourceType = 'google-workspace-alerts' LIMIT 10

Alert Types

The Alert Center reports alerts from a variety of sources, including:

| Source | Example Alert Types |
| --- | --- |
| Gmail phishing | Suspicious email reported by user, Government-backed attack warning |
| Data Loss Prevention | DLP rule violation |
| Mobile device management | Device compromised, Suspicious device activity |
| Google identity | Suspicious login, Account suspended |
| Google Operations | Service notification |
| State-sponsored attack | Government-backed attack warning |

Schema

The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.

Table: google_workspace_alerts_logs (47 columns)

| Column | Type |
| --- | --- |
| workspaceID | String |
| sourceID | String |
| sourceType | String |
| sourceTTL | UInt32 |
| receivedAt | DateTime |
| id | String |
| eventTime | DateTime |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actor | Map(String, String) |
| tags | Map(String, String) |
| resources | Array(String) |
| serviceName | String |
| enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
| readOnly | Bool |
| rawLog | String |
| alertId | String |
| customerId | String |
| alertType | String |
| alertSource | String |
| severity | String |
| createTime | String |
| startTime | String |
| endTime | String |
| updateTime | String |
| deleted | String |
| data | String |