Help Documentation

Cloud Detection and Response

Google Workspace Monitoring

Updated Sep 27, 2023

Configure Google Workspace cloud monitoring

Arctic Wolf® uses Google Workspace® APIs to monitor your Google Workspace and alert you about suspicious or malicious activity.

Note: Google Workspace endpoints may have a reporting latency of up to four hours between when an event is created on a monitored system and when the logs are available for Arctic Wolf to analyze. See Data retention and lag times in the Google Workspace documentation for more information.

To implement this monitoring, you must provide this information to Arctic Wolf:

Requirements

Note: Arctic Wolf requires an administrator username, but not the password, because the service account created for Arctic Wolf monitoring impersonates this administrator when interacting with the Google Admin SDK Reports API to retrieve Google Workspace events. See Perform Google Workspace Domain-Wide Delegation of Authority in the Google Workspace documentation for more information about the required impersonation.

Steps

  1. Create a project
  2. Enable APIs
  3. Create a service account
  4. Enable domain-wide delegation
  5. Provide credentials to Arctic Wolf

Step 1: Create a project

  1. If you have not already done so, sign in to the Google Cloud Console using administrator credentials.

  2. In the Select from menu, Select from menu, select the organization that you want Arctic Wolf to monitor. Then, select NEW PROJECT.

  3. On the New Project page, complete these steps:

    • Project name — Enter a short, descriptive name, such as Arctic Wolf Monitoring.
    • Project ID — (Optional) To edit the Project ID, under Project name, select the Edit option. Then, replace the automatically generated value with the unique identifier that you prefer.
    • Organization — Make sure that the selected option is the organization that you want Arctic Wolf to monitor.
    • Location — (Optional) Select BROWSE to view potential locations for your project within the folder structure. Then, choose a location.

    Tip: You can select a parent organization or folder that is different from the organization that you want to monitor.

  4. Copy the Project ID somewhere safe for use later.

  5. Click CREATE to create the new project.

Step 2: Enable APIs

  1. If you have not already done so, sign in to the Google Cloud Console with administrator credentials.

  2. From the main menu, select APIs & Services > Library.

  3. Enable the Admin SDK API in the project:

    1. In the search field, type Admin SDK API.
    2. In the search results, click Admin SDK API.
    3. Click ENABLE.

Step 3: Create a service account

  1. If you have not already done so, sign in to the Google Cloud Console with administrator credentials.

  2. In the Select from menu, Select from menu, verify that these items are selected:

    • The organization that you want Arctic Wolf to monitor.
    • The project that you created previously, such as Arctic Wolf Monitoring.

  3. From the main menu, select IAM & Admin > Service Accounts.

  4. Click + CREATE SERVICE ACCOUNT.

  5. In the Service account details section, complete these steps:

    • Service account name — Enter a short, descriptive name, such as arctic-wolf-service-account.

    • Service account ID — (Optional) Enter a unique ID for the service account, such as arcticwolfmonitoring.

      Tip: A unique value is automatically generated when you specify a service account name.

    • Service account description — (Optional) Enter a description for the service account, such as Used for Arctic Wolf monitoring.

  6. Click DONE.

  7. In the Grant users access to this service account (optional) section, leave the Service account users role and Service account admins role boxes blank.

  8. Click DONE. The service account is now listed on the Service accounts page.

  9. Find the service account that you created for the Arctic Wolf monitoring service.

  10. Complete these steps:

    1. Expand the Actions menu for the service account, and click Manage keys.
    2. Select ADD KEY > Create new key.
    3. In the dialog box, click JSON for the key type.
    4. Click CREATE. The JSON file containing the service account credentials automatically downloads to your computer.

  11. Record the name and filepath of the JSON download for later.

Step 4: Enable domain-wide delegation

  1. Return to the Service accounts page.

  2. Find the service account that you created for the Arctic Wolf monitoring service.

  3. Complete these steps:

    1. Expand the Actions menu, and then click Manage details.

    2. Click Advanced settings, and then scroll to the Domain-wide Delegation section.

      Note: A Google Workspace Marketplace OAuth Client is not required.

    3. Copy the Client ID value to your clipboard.

    4. Click VIEW GOOGLE WORKSPACE ADMIN CONSOLE. This opens the Google Admin Console in a new tab or window. If prompted, sign in to the admin console.

      Tip: Leave the Google Cloud Console open so you can copy the client ID again, if needed.

  4. In the Google Admin Console, click Main menu > Security > Access and data control > API controls, and then scroll to the Domain wide delegation section.

  5. Click MANAGE DOMAIN WIDE DELEGATION.

  6. On the Domain-wide Delegation page, click Add new.

  7. In the Client ID field, enter the Client ID value you copied from the Service accounts page.

  8. In the OAuth scopes (comma-delimited) field, enter this value:

    https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,https://www.googleapis.com/auth/admin.directory.orgunit.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.reports.usage.readonly,https://www.googleapis.com/auth/apps.alerts

  9. Click AUTHORIZE.

Step 5: Provide credentials to Arctic Wolf

Note: If API credentials fail, for example, due to expired credentials, Arctic Wolf will notify you and request a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to ensure complete data polling and coverage. See MDR polling frequency for more information.

  1. Sign in to the Arctic Wolf Unified Portal.

  2. In the menu bar, click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, from the Account Type list, select Cloud Detection and Response.

  5. From the list of cloud services, select Google Workspace.

  6. On the Add Account page, complete these steps:

    1. Account Name — Enter a unique and descriptive name for the account.
    2. In the Admin username field, enter the username of the super administrator account, which you can verify by clicking the user icon in the top-right corner of the Google Admin Console.
    3. In the JSON credential file section, click Choose File, and then upload the JSON file that you downloaded as part of Create a service account.
    4. Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.

  7. Click Test and Submit Credentials.

    After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.

MDR polling frequency

Arctic Wolf® Managed Detection and Response (MDR) polls third-party API integrations at regular intervals. Time-based events are polled with a delay to make sure data is available within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, Arctic Wolf begins polling and reviewing activity from approximately 1 hour prior to configuration success.

See also