Chronicle can collect and ingest logs from Google Workspace out of band: rather than receiving logs pushed from Workspace, it polls the Google Workspace Admin SDK APIs (and the Alert Center API for alerts) on a schedule, authenticating as a service account that impersonates a Workspace admin user.
Workspace logs are broken into the following categories:
- Users, Privileges: Contextual information used to correlate and enhance existing logs
- Mobile Devices: Contextual information related to managed mobile devices
- ChromeOS Devices: Contextual information related to managed ChromeOS devices
- Activities: Audit activity events (access, login, creation, deletion, etc.) across Workspace apps*
- Alerts: Workspace generated violations
Collection schedule
- Users, Privileges, Mobile Devices, ChromeOS Devices: once every 24 hours
- Activities and Alerts: once every hour
Instructions
NOTE: A Google Workspace Super Admin is required for the Admin console steps below (domain-wide delegation and admin role assignment), and the GCP account used must be able to enable APIs and create service accounts in the chosen project.
Step 1: Enable the Admin SDK API and the Google Workspace Alert Center API in a GCP project.
1. In the GCP Console, go to APIs and services and select a project (or create a new one).
2. Click Library.
3. Search for Admin SDK API and click ENABLE.
4. Repeat for Google Workspace Alert Center API.
Step 2: Create a service account that Chronicle uses to authenticate to the Workspace APIs.
1. In the GCP Console, go to IAM & Admin -> Service Accounts.
2. Click Create Service Account.
3. Give the service account a name and click DONE at the bottom. It needs no IAM roles in the project: its Workspace access comes from the domain-wide delegation configured in Step 3, not from GCP IAM.
4. Click the newly created service account.
5. Take note of the Unique ID on this screen; this is the OAuth client ID you will authorize for domain-wide delegation in Step 3.
6. Select KEYS.
7. Click ADD KEY -> Create new key.
8. Select JSON and click Create.
9. Save the downloaded JSON key and protect it: it contains the private key that, once delegation is granted, can read user, device, audit and alert data for the whole domain.
Step 3: Authorize the service account created in Step 2 for domain-wide delegation and grant it the scopes needed to read the data.
1. Log in to the Google Admin console (admin.google.com).
2. Select Security -> Access and data control -> API controls -> Domain-wide delegation, then click Manage Domain Wide Delegation.
3. Click Add new.
4. Enter the Client ID obtained in Step 2, item 5.
5. For OAuth scopes, enter the following scopes as one comma-separated list (all are read-only except apps.alerts, which the Alert Center API requires):
- https://www.googleapis.com/auth/apps.alerts
- https://www.googleapis.com/auth/admin.directory.user.readonly
- https://www.googleapis.com/auth/admin.directory.group.readonly
- https://www.googleapis.com/auth/admin.reports.audit.readonly
- https://www.googleapis.com/auth/admin.directory.device.mobile.readonly
- https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly
- https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly
6. Click Authorize.
Step 4: Create a dedicated user for the service account to impersonate and grant that user the required privileges. The user does not need to be a Super Admin; the custom role below grants only the privileges the collection needs.
1. In the Google Admin console, go to Directory -> Users and click Add new user. Name the user, set a primary email address, click Create, then Done.
2. Click the newly created user.
3. Click Admin roles and privileges.
4. In the Roles section, click the pencil icon at the top right.
5. Click Create Custom Role.
6. Click Create new role.
7. Give the role a name.
8. Check the following privilege boxes:
- Admin console privileges -> Reports
- Admin console privileges -> Services -> Alert Center -> View access
- Admin console privileges -> Services -> Mobile Device Management -> Manage Devices and Settings
- Admin console privileges -> Chrome Management -> Settings
- Admin API privileges -> Users -> Read
- Admin API privileges -> Groups -> Read
9. Click Continue.
10. Click Assign users, find the newly created user, then click Assign Role.
Step 5: Locate your Workspace customer ID in the Google Admin console: go to Account -> Account settings -> Profile.
Step 6: Share the following items with your Google Chronicle team so they can configure the Google Workspace integration:
- JSON key (Step 2, item 9)
- User email (Step 4, item 1)
- Customer ID (Step 5)
Configuration in Chronicle
1. On the Chronicle homepage go to Settings, select Feeds, then click Add New.
2. Select Source type Third party API and Log type Workspace Activities, then click Next.
3. For Workspace Alerts only, enter the Customer ID without the leading 'C'.
4. Fill in the feed fields from the JSON key file saved in Step 2 and the user created in Step 4:
- OAuth JWT endpoint: the token_uri value from the JSON file
- JWT claims issuer: the client ID from the JSON file
- JWT claims subject: the primary email address of the user created in Step 4
- JWT claims audience: the project ID from the JSON file
- RSA private key: the private_key value from the JSON file
- Customer ID: the value from the Google Admin console (Step 5)
5. Click Next, then Submit.
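The following Go program is an added example, not code from the original page or from Chronicle. It exercises the same jwt-bearer flow that the feed fields above and Steps 1 to 5 describe (token_uri as the endpoint, the impersonated user as the subject, the Step 3 scopes, the RSA private_key from the JSON file), so you can verify the delegation before handing the artifacts to the Chronicle team in Step 6. It follows Google's documented service-account JWT flow, in which the issuer claim is the service account's client_email and the audience is the token endpoint; the program name dwdcheck, the argument order and the one-result probe of each API are this example's own choices, and the email addresses and customer ID in the usage line are constructed placeholders. Directory calls take the customer ID as shown in the Admin console (with its leading C) or the literal my_customer.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/url"
	"os"
	"time"
)

// Scopes is the Step 3 scope list, space-separated as the JWT scope claim expects.
const Scopes = "https://www.googleapis.com/auth/apps.alerts " +
	"https://www.googleapis.com/auth/admin.directory.user.readonly " +
	"https://www.googleapis.com/auth/admin.directory.group.readonly " +
	"https://www.googleapis.com/auth/admin.reports.audit.readonly " +
	"https://www.googleapis.com/auth/admin.directory.device.mobile.readonly " +
	"https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly " +
	"https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly"

// BuildAssertion parses the PEM-wrapped PKCS#8 key from the JSON file's private_key field and signs the
// RS256 JWT for the jwt-bearer grant: iss = client_email, sub = impersonated user, aud = token_uri, 1h lifetime.
func BuildAssertion(pemKey, issuer, subject, audience, scope string, now time.Time) (string, error) {
	block, _ := pem.Decode([]byte(pemKey))
	if block == nil {
		return "", fmt.Errorf("private_key contains no PEM block")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	key, ok := parsed.(*rsa.PrivateKey)
	if err != nil || !ok {
		return "", fmt.Errorf("private_key is not a PKCS#8 RSA key: %v", err)
	}
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": issuer, "sub": subject, "aud": audience, "scope": scope,
		"iat": now.Unix(), "exp": now.Add(time.Hour).Unix(),
	})
	enc := base64.RawURLEncoding.EncodeToString
	signingInput := enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc(sig), nil
}

func fatal(err error) {
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}

func main() {
	if len(os.Args) != 4 {
		fatal(fmt.Errorf("usage: dwdcheck <key.json> <impersonated-user@domain> <customer-id>"))
	}
	raw, err := os.ReadFile(os.Args[1])
	fatal(err)
	var sa map[string]string // the downloaded key file is a flat object of string fields
	fatal(json.Unmarshal(raw, &sa))
	assertion, err := BuildAssertion(sa["private_key"], sa["client_email"], os.Args[2], sa["token_uri"], Scopes, time.Now())
	fatal(err)
	resp, err := http.PostForm(sa["token_uri"], url.Values{
		"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"},
		"assertion":  {assertion},
	})
	fatal(err)
	var tok map[string]interface{}
	fatal(json.NewDecoder(resp.Body).Decode(&tok))
	resp.Body.Close()
	token, _ := tok["access_token"].(string)
	if token == "" { // unauthorized_client here means the client ID or scopes are missing from domain-wide delegation
		fatal(fmt.Errorf("token exchange failed: %v", tok))
	}
	for _, ep := range []string{ // one read-only endpoint per log category; Directory calls take the Step 5 customer ID
		"https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?maxResults=1",
		"https://admin.googleapis.com/admin/directory/v1/users?customer=" + os.Args[3] + "&maxResults=1",
		"https://admin.googleapis.com/admin/directory/v1/customer/" + os.Args[3] + "/devices/mobile?maxResults=1",
		"https://admin.googleapis.com/admin/directory/v1/customer/" + os.Args[3] + "/devices/chromeos?maxResults=1",
		"https://alertcenter.googleapis.com/v1beta1/alerts?pageSize=1",
	} {
		req, _ := http.NewRequest("GET", ep, nil)
		req.Header.Set("Authorization", "Bearer "+token)
		r, err := http.DefaultClient.Do(req)
		fatal(err)
		r.Body.Close()
		fmt.Println(r.StatusCode, ep) // 403 after a good token means the user lacks the matching admin privilege from Step 4
	}
}
```

Running `go run dwdcheck.go key.json chronicle-ingest@example.com C01abc2de` (constructed placeholders) prints one status line per log category. A failure at the token exchange points at Step 3 (client ID or scopes not authorized), a 403 on a single endpoint points at the missing admin privilege for that category in Step 4, and five 200 responses mean the delegation is complete and the same key, user and customer ID can be entered into the Chronicle feed. Only BuildAssertion runs offline; the rest needs network access to Google's APIs.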