Overview
Blumira integrates with the Google Workspace productivity suite to stream security event logs and alerts to Blumira for threat detection and actionable response.
Required: Google Workspace licensing above Free Tier and an Admin user account.
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.
Create a GCP Project
- With Google Workspace Admin permissions, go to the GCP Console: https://console.cloud.google.com.
- Create a GCP Project:
  - Next to the Google Cloud Platform header, select New Project – Dropdown.
  - Click New Project.
  - In the New Project window, type a unique project name.
  - Select the Organization you want to use (typically, the default is best).
  - Enter the parent organization in the Location box if it is not pre-populated (usually matches the organization domain).
  - Click Create.
- Create a GCP Service Account in the newly created project for fetching logs:
  - In the Project dropdown menu, select the project you created.
  - On the left toolbar, select IAM & Admin > Service Accounts.
  - Select +Create Service Account at the top of the page.
  - Type a unique service account name.
  - Type a unique service account ID.
  - Type a service description.
  - Click Create and continue.
  - Select the dropdown Select A Role, then choose Service Account in the left column and Service Account Token Creator in the right column.
  - Click Continue.
  - Click Done at the bottom.
  - Select your new service account from the list.
  - Click the KEYS tab.
  - Click Add Key > Create New Key.
  - Select JSON format for the key. The JSON file should automatically download from your browser.
- Find your Client_ID:
  - Open the JSON key file on your local machine in a plain text editor (Notepad, Wordpad, Notepad++).
  - Find the Client_ID and copy the number.
  - Save the file to use it in later steps.
Enable Google APIs
- Enable the Google Admin SDK API:
  - From the GCP Main Console Page, select the project you created in previous steps on the top left.
  - Navigate to APIs & Services > Library.
  - In the search bar, type Admin SDK.
  - Select the Admin SDK API.
  - Click Enable.
- Enable the Identity and Access Management (IAM) API:
  - Return to the same API Library page as shown in the previous section.
  - In the search bar, type IAM API.
  - Select the Identity and Access Management (IAM) API.
  - Click Enable.
Link APIs to Google Workspace
- Go to https://admin.google.com and log in as a global admin.
- In the left side toolbar, go to Security > Access and data control > API Controls.
- Scroll to the bottom section called “Domain-Wide Delegation”.
- Click Manage Domain Wide Delegation.
- Click Add New.
- In the Add a new Client ID window, enter the Client_ID number saved from the JSON file in previous steps.
- Copy and paste the following into the OAuth Scopes section: https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/iam
- Click Authorize.
Note: Per Google's Delegation of Authority documentation, “Only users with access to the Admin APIs can access the Admin SDK Reports API, therefore your service account needs to impersonate one of those users to access the Admin SDK Reports API.” In other words, you must provide the email address of one of your Workspace users with admin console access so that the module can use the account to fetch your Google logs.
Configuring Blumira
To add a module on an existing sensor and provide credentials:
- In Blumira, click Settings.
- Click Sensors.
- Click the sensor on which you want to add a module.
- On the detail page for the sensor, scroll down and click Add Module.
- In the Add New Module window, select the newest version of this integration's module. Note: For the best stability and performance, Blumira will update the module version when old versions are deprecated.
- Enter the credentials that you gathered in the "Before you begin" section above.
- (Optional) Type a name for this log deployment in the Log Source Name box. This name is what will appear in the "device_address" column in the results of your event data queries. If you might have additional modules collect logs for different integrations in the future, this will help you distinguish them. Note: The name can only contain alphanumeric characters, periods, and hyphens; no spaces or underscores are allowed.
- Click Install.
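A pre-flight check of the values this guide has you collect, run before they are entered in the Admin console and in Blumira. This is an added example, not Blumira's or Google's code: `preflight` and the constructed `SAMPLE_KEY` are hypothetical names, and the check assumes the key file uses Google's standard `type`, `client_id`, `client_email` and `private_key` fields.

```python
import json
import re

# Scopes exactly as given in the "Link APIs to Google Workspace" step.
REQUIRED_SCOPES = {
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/iam",
}
# Log Source Name rule from the page: alphanumerics, periods and hyphens only.
LOG_SOURCE_NAME = re.compile(r"[A-Za-z0-9.-]+")

# Constructed sample key file; every value is a placeholder, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "CONSTRUCTED-PLACEHOLDER",
    "client_email": "log-fetcher@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
})


def preflight(key_json, scopes_field, admin_email, log_source_name=""):
    """Return a list of problems; an empty list means the inputs are consistent."""
    try:
        key = json.loads(key_json)
    except ValueError:
        return ["key file is not valid JSON"]
    if not isinstance(key, dict):
        return ["key file is not a JSON object"]
    problems = []
    if key.get("type") != "service_account":
        problems.append("key type is not service_account")
    if not str(key.get("client_id", "")).isdigit():
        problems.append("client_id is missing or not numeric")
    if not key.get("private_key"):
        problems.append("private_key is missing")
    # The Admin console field is comma-separated; tolerate stray whitespace.
    scopes = {s.strip() for s in scopes_field.split(",") if s.strip()}
    problems += [f"missing scope: {s}" for s in sorted(REQUIRED_SCOPES - scopes)]
    problems += [f"scope not listed in this guide: {s}" for s in sorted(scopes - REQUIRED_SCOPES)]
    # The impersonated account must be a Workspace admin user, not the service account.
    if "@" not in admin_email or admin_email.endswith(".gserviceaccount.com"):
        problems.append("admin email is not a Workspace user address")
    if log_source_name and not LOG_SOURCE_NAME.fullmatch(log_source_name):
        problems.append("log source name contains a disallowed character")
    return problems
```

Because the key file is a long-lived credential tied to domain-wide delegation, read it from its saved location rather than pasting its contents into a shell history or ticket.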