Overview
Blumira integrates with the Google Workspace productivity suite to stream security event logs and alerts to Blumira for threat detection and actionable response.
Required: Google Workspace licensing above Free Tier and an Administrator user account.
Configuring Google Workspace and gathering your credentials
Before you can configure the Blumira Cloud Connector in the app, you must complete the following procedures and gather your Google Workspace account credentials:
# | Procedure |
--- | --- |
1 | Create a GCP project for your organization's workspace |
2 | Create a service account and gather the JSON key file. Note: You will use this JSON in the Blumira Cloud Connector configuration. |
3 | Enable Admin SDK and IAM APIs for the project |
4 | Link APIs to the service account |
Create a GCP project for your organization's workspace
- With Google Workspace Admin permissions, go to the GCP Console: https://console.cloud.google.com.
- Next to the Google Cloud Platform header, click Select a project.
- Click New Project.
- In the Project Name box, type a unique project name.
- In the Billing account box, select the appropriate account.
- Verify that the default Organization and Location values are correct, or edit these if needed.
- Click Create.
Create a service account and gather the JSON key file
To create a GCP Service Account in the newly created project for fetching logs:
- In the Project dropdown menu, select the project you created.
- On the left toolbar, select IAM & Admin > Service Accounts.
- Select +Create Service Account at the top of the page.
- Type a unique service account name.
- Type a unique service account ID.
- Type a service description.
- Click Create and continue.
- Select the dropdown Select A Role, then click Service Account in the left column and Service Account Token Creator in the right column.
- Click Continue.
- Click Done at the bottom.
- Select your new service account from the list.
- Click the KEYS tab.
- Click Add Key, then click Create New Key.
Note: If you see a "Service account key creation is disabled" error at this step, you can modify the policy as long as you have the Organization Policy Administrator role by doing the following:
  - Navigate to IAM & Admin, then click Organization Policy.
  - Find the policy called Disable service account key creation.
  - Click Manage Policy.
  - In the Edit policy window, select Override parent's policy.
  - Under Enforcement, select Off.
  - Click Set policy.
  - Allow at least 15 minutes for the change to process in Google, then retry adding the key.
- Select JSON format for the key. The JSON file should automatically download from your browser.
- Open the JSON Key file on your local machine in a plain text editor.
Note: You will copy and paste the entire contents of this JSON file into the Blumira Cloud Connector configuration window in Step 5 of Configuring the Blumira Cloud Connector, below.
- Find the Client_ID and copy the number to use in Step 6 of Link APIs to the service account.
Enable Admin SDK and IAM APIs for the project
- Enable the Google Admin SDK API:
  - From the GCP Main Console Page, select the project you created in the previous steps on the top left.
  - Navigate to APIs & Services > Library.
  - In the search bar, type Admin SDK.
  - Select the Admin SDK API.
  - Click Enable.
- Enable the Identity and Access Management (IAM) API:
  - Return to the same API Library page as in the previous step.
  - In the search bar, type IAM API.
  - Select the Identity and Access Management (IAM) API.
  - Click Enable.
Link APIs to the service account
- Log in to https://admin.google.com as a global administrator.
- In the left side toolbar, navigate to Security > Access and data control > API Controls.
- Scroll to the bottom section called “Domain-Wide Delegation.”
- Click Manage Domain Wide Delegation.
- Click Add New.
- In the Add a new Client ID window, enter the Client_ID number saved from the JSON file in the previous steps.
- Copy and paste the following into the OAuth Scopes section: https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/iam
- Click Authorize.
Important: Per Google's Delegation of Authority documentation, “Only users with access to the Admin APIs can access the Admin SDK Reports API, therefore your service account needs to impersonate one of those users to access the Admin SDK Reports API.” In other words, you must provide the email address of one of your Workspace users with admin console access so the module can use the account to fetch your Google logs.
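To make the "Important" note concrete, here is an added example (not Blumira's or Google's code) showing what happens to the key file and the delegated admin account at the OAuth level. It parses a constructed service-account key file, checks that the scopes a client will request are inside the set authorized under Domain-Wide Delegation, and builds the JWT claim set for Google's JWT bearer flow, where `iss` is the service account and `sub` is the impersonated Workspace admin. The sample key values, the `admin@example.com` address and the function names are placeholders chosen for this example; signing the JWT with the RSA private key is left to a library such as google-auth.

```python
import base64
import json
import time
from typing import Dict, List, Optional

# Constructed sample of a downloaded service-account key file. Every value is a
# placeholder; a real file carries a real RSA private key and must be protected.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-workspace-logs",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "log-reader@example-workspace-logs.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# The scope string the page has you paste into the Domain-Wide Delegation window.
AUTHORIZED_SCOPES = (
    "https://www.googleapis.com/auth/admin.reports.audit.readonly,"
    "https://www.googleapis.com/auth/iam"
)


def parse_key_file(raw: str) -> Dict[str, str]:
    """Parse a key file and confirm it is a service-account key with the
    fields a delegation client needs. client_id is the number pasted into
    Domain-Wide Delegation; client_email becomes the JWT issuer."""
    key = json.loads(raw)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    for field in ("client_id", "client_email", "private_key", "private_key_id", "token_uri"):
        if not key.get(field):
            raise ValueError(f"key file is missing {field}")
    return key


def check_scopes(requested: List[str], authorized_csv: str) -> List[str]:
    """Return the requested scopes that were NOT authorized for delegation.
    Asking Google's token endpoint for an unauthorized scope fails the whole
    request, so checking locally gives a clearer error than the API does."""
    granted = {s.strip() for s in authorized_csv.split(",") if s.strip()}
    return [s for s in requested if s not in granted]


def build_delegation_claims(key: Dict[str, str], admin_email: str,
                            scopes: List[str], now: Optional[int] = None) -> Dict[str, object]:
    """Build the JWT claim set for the OAuth 2.0 JWT bearer flow with
    domain-wide delegation. 'sub' is the Workspace admin being impersonated;
    without it the token would represent the service account itself, which
    has no Admin SDK Reports access."""
    now = int(time.time()) if now is None else now
    missing = check_scopes(scopes, AUTHORIZED_SCOPES)
    if missing:
        raise ValueError(f"scopes not authorized for delegation: {missing}")
    return {
        "iss": key["client_email"],
        "sub": admin_email,
        "scope": " ".join(scopes),
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,  # Google accepts at most one hour of lifetime
    }


def encode_unsigned_jwt(claims: Dict[str, object], key_id: str) -> str:
    """Return the base64url header.payload portion for inspection. The
    RS256 signature over this string, made with the file's private key,
    is what a JWT or google-auth library appends before the token request."""
    def b64(obj: Dict[str, object]) -> str:
        data = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT", "kid": key_id}
    return f"{b64(header)}.{b64(claims)}"


if __name__ == "__main__":
    key = parse_key_file(SAMPLE_KEY_JSON)
    claims = build_delegation_claims(
        key, "admin@example.com",
        ["https://www.googleapis.com/auth/admin.reports.audit.readonly"])
    print(json.dumps(claims, indent=2))
    print(encode_unsigned_jwt(claims, key["private_key_id"]))
```

Requesting only the read-only audit scope in the client, even though the delegation grant also lists the IAM scope, keeps each issued token to the narrowest set of scopes the log fetch needs.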
Configuring the Blumira Cloud Connector
Cloud Connectors automate the configuration of your integrations without requiring you to use a sensor. After you obtain your integration's configuration parameters, enable Blumira to collect your logs by configuring the Cloud Connector in the app.
To configure the Blumira Cloud Connector:
- In the Blumira app, navigate to Settings > Cloud Connectors.
- Click + Add Cloud Connector.
- In the Available Cloud Connectors window, click the connector you want to add.
- In the Cloud Connector Name box, type a name to help identify the specific integration.
- Enter the credentials that you collected in the previous steps.
- Click Connect.
Note: Some Google event logs take longer to reach the Cloud Connector than others. See Google's Data retention and lag time for a full list of log types and their lag times.
Testing detections
Now that your Cloud Connector is configured, wait at least 15 minutes for detection rules to be deployed automatically to your account, then use our testing procedures to trigger test detections that you can resolve in the app. See Testing Google Workspace detections for steps.