Blink Automation Library: 5K+ DevOps and SecOps Automations

On New API Access to Google Workspace - Ask User for Reason and Approval from Security Team

This automation asks the user for a reason and approval from the security team on new API access to Google Workspace. Google Workspace carries a large amount of sensitive data and can be accessed from almost any device by a mass of users, thus posing a risk to privacy and sensitive information. Monitoring the access via a third side party to your Google Workspace can be crucial in securing user privacy and corporate data in subscription-based cloud applications. The default is blocking any new API access, and approving or later on whitelisting the calls by the security team.

Breakdown

When an alert is received, get alert details from reports.
Inform and ask the user for a reason to the API call.
Inform and ask for approval from the relevant SecOps personnel about the API call.
If denied, inform the user and refer him to relevant SecOps.

TRIGGER: Event-based

On New Alert

Steps

Important note:

The API call detection is available only to some premium versions of Google Workspace. Make sure you have the correct version, if not an alternative is to detect only new 'grant' API calls (meaning an authentication to the API was granted).

Setting up the automation:

In your Google Admin console, create a reporting rule. The rule will be created in the rule section, on the OAuth event log with the following condition: Attribute: event, Operator: is, Event: API call This will report to the alert center in your admin console about a new API call. For more details please refer to: https://support.google.com/a/answer/9275024?hl=en#:~:text=Sign%20in%20to%20your%20Google,and%20click%20Create%20activity%20rule.&text=From%20the%20Admin%20console%20Home%20page%2C%20go%20to%20Rules%2C%20and,then%20click%20Create%20rule%20%3E%20Activity.
Make sure your connection in the trigger part has the following scope: https://www.googleapis.com/auth/apps.alerts
In order to automatically block the API access, please refer to steps 3 and 4 in the documentation: https://support.google.com/a/answer/7281227?hl=en#zippy=%2Cblock-all-third-party-api-access%2Cstep-control-api-access%2Cbefore-you-begin-review-authorized-third-party-apps. These steps allow you to block any API access to your Google Workspace and to whitelist approved apps automatically.
Set the SecOps personnel email to report to in the first step.

Set VariableSecOps_personnel_emailtoexample@domain.com

Get the alert from reports for more details

Informing and asking for a reason about the API call from the user

Notify the user about the API call and request for a reason and approval

Informing and asking for a approval of the API call from the relevant SecOps personnel

Ask for approval from the SecOps personnel

4 | answer

EqualsDeny

Inform the user about not approving the API call

End

OUTPUTS

No outputs