Overview
Blumira integrates with the Google Workspace productivity suite to stream security event logs and alerts to Blumira for threat detection and actionable response.
Required: Google Workspace licensing above Free Tier and an Administrator user account.
Configuring Google Workspace and gathering your credentials
Before you can configure the Blumira Cloud Connector, you must complete the following procedures:
# | Procedure |
1 | Create a GCP project for your organization's workspace |
2 | Create a service account and gather the JSON key file. Note: You will use this JSON in the Blumira Cloud Connector configuration. |
3 | Enable Admin SDK and IAM APIs for the project |
4 | Link APIs to the service account |
Create a GCP project for your organization's workspace
- With Google Workspace Admin permissions, go to the GCP Console: https://console.cloud.google.com.
- Next to the Google Cloud Platform header, click Select a project.
- Click New Project.
- In the Project Name box, type a unique project name.
- In the Billing account box, select the appropriate account.
- Verify that the default Organization and Location values are correct, or edit these if needed.
- Click Create.
Create a service account and gather the JSON key file
To create a GCP Service Account in the newly created project for fetching logs:
- In the Project dropdown menu, select the project you created.
- On the left toolbar, select IAM & Admin > Service Accounts.
- Select +Create Service Account at the top of the page.
- Type a unique service account name.
- Type a unique service account ID.
- Type a service description.
- Click Create and continue.
- Select the dropdown Select A Role, then click Service Account in the left column and Service Account Token Creator in the right column.
- Click Continue.
- Click Done at the bottom.
- Select your new service account from the list.
- Click the KEYS tab.
- Click Add Key, then click Create New Key.
- Select JSON format for the key. The JSON file should automatically download from your browser.
- Open the JSON Key file on your local machine in a plain text editor.
Note: You will copy and paste the entire contents of this JSON file into the Blumira Cloud Connector configuration window in Step 5 of Configuring Blumira, below.
- Find the Client_ID and copy the number to use in Step 6 of Link APIs to the service account.
Enable Admin SDK and IAM APIs for the project
- Enable the Google Admin SDK API:
  - From the GCP Main Console Page, select the project you created in the previous steps on the top left.
  - Navigate to APIs & Services > Library.
  - In the search bar, type Admin SDK.
  - Select the Admin SDK API.
  - Click Enable.
- Enable the Identity and Access Management (IAM) API:
  - Return to the same API Library page as shown in the previous section.
  - In the search bar, type IAM API.
  - Select the Identity and Access Management (IAM) API.
  - Click Enable.
Link APIs to the service account
- Log in to https://admin.google.com as a global administrator.
- In the left side toolbar, navigate to Security > Access and data control > API Controls.
- Scroll to the bottom section called “Domain-Wide Delegation.”
- Click Manage Domain Wide Delegation.
- Click Add New.
- In the Add a new Client ID window, enter the Client_ID number saved from the JSON file in the previous steps.
- Copy and paste the following into the OAuth Scopes section: https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/iam
- Click Authorize.
Important: Per Google's Delegation of Authority documentation, “Only users with access to the Admin APIs can access the Admin SDK Reports API, therefore your service account needs to impersonate one of those users to access the Admin SDK Reports API.” In other words, you must provide the email address of one of your Workspace users with admin console access so the module can use the account to fetch your Google logs.
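The following Python script is an added example, not part of Blumira's or Google's documentation. It checks the downloaded JSON key before you paste it into the Cloud Connector: it confirms the text is a complete service account key, returns the Client_ID and scope string for the delegation step, compares an entered scope string against the two scopes above, and flags a key file that other local users can read. The sample key is constructed and the function names are illustrative.

```python
import json
import sys
from pathlib import Path

# OAuth scopes this page says to authorize under Domain-Wide Delegation.
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/iam",
)
# Fields of a service account JSON key that this check relies on.
REQUIRED_FIELDS = ("type", "private_key", "client_email", "client_id")
# Constructed sample key for illustration; none of these values are real.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
    "client_email": "log-reader@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
})

def check_key(raw):
    """Validate pasted key text; return the values the delegation step needs."""
    try:
        key = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON (partial copy and paste?): {exc}") from None
    key = key if isinstance(key, dict) else {}  # a non-object has no fields
    missing = [f for f in REQUIRED_FIELDS if not key.get(f)]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    if key["type"] != "service_account":
        raise ValueError(f"type is {key['type']!r}, expected 'service_account'")
    if not str(key["client_id"]).isdigit():
        raise ValueError("client_id is not numeric")
    return {"client_id": str(key["client_id"]), "oauth_scopes": ",".join(REQUIRED_SCOPES)}

def missing_scopes(entered):
    """Return required scopes absent from a comma-separated scope string."""
    have = {s.strip() for s in entered.split(",")}
    return [s for s in REQUIRED_SCOPES if s not in have]

def readable_by_others(path):
    """True if group or other has any permission on the key file (POSIX modes)."""
    return bool(Path(path).stat().st_mode & 0o077)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    print(check_key(Path(path).read_text() if path else SAMPLE_KEY))
    if path and readable_by_others(path):
        print("warning: key file is accessible to other local users:", path)
```

Run it with the path to the downloaded key as the only argument; with no argument it checks the constructed sample. The script never prints the private key itself.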
Configuring Blumira
After you obtain your integration's configuration parameters, enable Blumira to collect your logs by configuring the Cloud Connector in the app.
Cloud Connectors automate the configuration of your integrations without requiring you to use a sensor.
To configure the Blumira Cloud Connector:
- In the Blumira app, navigate to Settings > Cloud Connectors.
- Click + Add Cloud Connector.
- In the Available Cloud Connectors window, click the connector you want to add.
- In the Cloud Connector Name box, type a name to help identify the specific integration.
- Enter the credentials that you collected in the previous steps.
- Click Connect.
Note: Some Google event logs take longer to reach the Cloud Connector than others. See Google's Data retention and lag time for a full list of log types and their lag times.