Integrating with Google Workspaces

Overview

Blumira integrates with the Google Workspace productivity suite to stream security event logs and alerts to Blumira for threat detection and actionable response.

Required: Google Workspace licensing above Free Tier and an Admin user account.

Configuring Google Workspace and gathering your credentials

Before you can configure the Blumira Cloud Connector, you must complete the following procedures:

Create a GCP project for your organization's workspace

1. With Google Workspace Admin permissions, go to the GCP Console: https://console.cloud.google.com.
2. Next to the Google Cloud Platform header, select New Project – Dropdown.
3. Click New Project.
4. In the New Project window, type a unique project name.
5. Select the Organization you want to use (typically, the default is best).
6. Enter the parent organization in the Location box if it is not pre-populated (usually matches the organization domain).
7. Click Create.

Create a service account and gather the JSON key file

To create a GCP Service Account in the newly created project for fetching logs:

1. In the Project dropdown menu, select the project you created.
2. On the left toolbar, select IAM & Admin > Service Accounts.
3. Select +Create Service Account at the top of the page.
4. Type a unique service account name.
5. Type a unique service account ID.
6. Type a service description.
7. Click Create and continue.
8. Select the dropdown Select A Role, then choose Service Account in the left column and Service Account Token Creator in the right column.
9. Click Continue.
10. Click Done at the bottom.
11. Select your new service account from the list.
12. Click the KEYS tab.
13. Click Add Key > Create New Key.
14. Select JSON format for the key. The JSON file should automatically download from your browser.
    Note: You will need the JSON file in later steps.
15. Open the JSON Key file on your local machine in a plain text editor (Notepad, Wordpad, Notepad++).
16. Find the Client_ID and copy the number to use in Step 6 of Link APIs to the service account.

Enable Admin SDK and IAM APIs for the project

• Enable the Google Admin SDK API:
  1. From the GCP Main Console Page, select the project you created in the previous steps on the top left.
  2. Navigate to APIs & Services > Library.
  3. In the search bar, type Admin SDK.
  4. Select the Admin SDK API.
  5. Click Enable.
• Enable the Identity and Access Management (IAM) API:
  1. Return to the same API Library page as shown in the previous section.
  2. In the search bar, type IAM API.
  3. Select the Identity and Access Management (IAM) API.
  4. Click Enable.

Link APIs to the service account

1. Log in to https://admin.google.com as a global admin.
2. In the left side toolbar, go to Security > Access and data control > API Controls.
3. Scroll to the bottom section called “Domain-Wide Delegation”.
4. Click Manage Domain Wide Delegation.
5. Click Add New.
6. In the Add a new Client ID window, enter the Client_ID number saved from the JSON file in the previous steps.
7. Copy and paste the following into the OAuth Scopes section: https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/iam
8. Click Authorize.
   Important: Per Google's Delegation of Authority documentation, “Only users with access to the Admin APIs can access the Admin SDK Reports API, therefore your service account needs to impersonate one of those users to access the Admin SDK Reports API.” In other words, you must provide the email address of one of your Workspace users with admin console access so the module can use the account to fetch your Google logs.

Configuring Blumira

After you obtain your integration's configuration parameters, enable Blumira to collect your logs by configuring either the sensor module or the cloud connector in the app. 

Note: The Google Workspace Cloud Connector is currently in beta for paid editions only.

Using the sensor module

The sensor-based integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.

To add a module on an existing sensor and provide credentials:

1. In Blumira, click Settings.
2. Click Sensors.
3. Click the sensor on which you want to add a module.
4. On the detail page for the sensor, scroll down and click Add Module.
5. In the Add New Module window, select the relevant module.
6. Enter the credentials that you gathered in previous steps.
7. (Optional) Type a name for this log deployment in the Log Source Name box.
   Note: Use alphanumeric characters, periods, and hyphens. Spaces and underscores are not allowed. This name will appear in the "device_address" column in the results of your event data queries. If you add more modules to collect logs for other integrations, this name will help you to identify them. 
8. Click Install.

Beta: Google Workspace Cloud Connector

Cloud Connectors automate the configuration of your integrations without requiring you to use a sensor. After you obtain your integration's configuration parameters, you can then enable Blumira to collect your logs.

To configure your integration with Blumira Cloud Connector:

1. In the Blumira app, navigate to Settings > Cloud Connectors.
2. Click + Add Cloud Connector.
3. In the Available Cloud Connectors window, click the connector that you want to add.
4. If you want to change the name of the connector, type the new name in the Cloud Connector Name box.
5. Enter the API credentials that you collected in the "Before you begin" section above.
6. Click Connect.
7. On the Cloud Connectors screen, under Current Status, you can view the configuration’s progress. When the configuration completes, the status changes to Online (green dot).

Important: If you previously deployed a sensor module for this integration, then you must remove it via the Sensors page (Settings > Sensors) to avoid log duplication.