Providing Google Workspace credentials to Arctic Wolf

Configuration Guide

Overview

This document describes how to set up a service account with the necessary permissions for monitoring security information in your Google Workspace account.

Note: Google Workspace endpoints may have a reporting latency of up to 4 hours between when an event is created on a monitored system and when the logs are available for Arctic Wolf® to analyze. See the Data retention and lag times documentation on the Google Workspace website for more information.

After completing this process, you must provide the following information to Arctic Wolf on the Arctic Wolf Portal:

Before you begin

To complete the steps below, you must be an administrator for the Google Workspace account that you wish to monitor.

During the configuration process you need to use both the Google Workspace admin console and the Google Developers console.

Creating a project in the Google Developers console

Create a project with access to the Admin SDK:

  1. Sign in to the Google Developers console using the credentials of an administrator on your Google Workspace account.

  2. Click Select a project to open the dialog box.

  3. In the dialog box, select NEW PROJECT to open the New Project page.

  4. Enter a unique name for the project, and then:

    1. Verify that the Organization menu is set to the Google Workspace organization that you want monitored.

    2. Select Create. This opens the project.

  5. Select APIs & Services to open the API and Services page.

  6. Enable the Admin SDK API in your project:

    1. Type Admin SDK API in the API search box.

    2. Select the Admin SDK API entry in the search results.

    3. Click ENABLE to enable this API in the project.

Creating a service account for the project

Create a service account for the project:

  1. Click the menu, and then select IAM & admin > Service accounts to open the Service Account Management page.

  2. Click CREATE SERVICE ACCOUNT to open the Create Service Account page.

  3. In the Service account details section:

    1. Enter a name for the service account, such as service-account in the Service account name field.

    2. (Optional) Enter a description in the Service account description field.

    3. Click CREATE.

  4. In the Service account permissions section:

    1. Leave the Select a role list blank.

    2. Click CONTINUE.

  5. In the Grant users access to this service account section:

    1. Leave the Service account users role and Service account admins role lists blank.

    2. Click Done.

  6. On the Service Accounts page, find the service account that you created, and then:

    1. Expand the Actions menu, and then select Manage keys.

    2. Select Add keys > Create New Key.

    3. In the dialog box, select JSON for the key type.

    4. Click CREATE.

    Note: This automatically downloads the .json file containing the service account credentials onto your computer.

  7. Record the name of the downloaded .json file. You need to provide this file to Arctic Wolf on the Arctic Wolf Portal later.

Enabling domain-wide delegation

To enable domain-wide delegation:

  1. Click the menu, and then select IAM & admin > Service accounts to open the Service Account Management page.

  2. On the Service Account Management page, find the service account that you created, and then:

    1. Expand the Actions menu, and then select Details.

    2. Click SHOW DOMAIN-WIDE DELEGATION, and then select Enable G Suite Domain-wide Delegation.

    3. When prompted to add a product name, enter a name, such as Arctic Wolf Monitoring.

  3. On the Service Account Management page, find the service account that you created, and then click View Client ID under Domain-wide delegation.

  4. On the Service Account Client page, copy the value of the Client ID field to a safe place. You must use this value in a later step.

  5. In a new browser tab, visit the Google Workspace admin console and sign in with an administrator account, if prompted.

    Tip: You receive an error if you attempt to sign in without administrator credentials.

  6. Click the menu, and then select Security > API controls to open the API Controls page.

  7. Scroll down to select MANAGE DOMAIN WIDE DELEGATION under Domain-wide delegation.

  8. Click Add new to add a new API client and list of scopes.

  9. Paste the Client ID value that you copied in step 4.

  10. Copy the following comma-delimited list of API scopes, and then paste it as the OAuth scopes (comma-delimited) value:

    https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,https://www.googleapis.com/auth/admin.directory.orgunit.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.reports.usage.readonly,https://www.googleapis.com/auth/apps.alerts

  11. Click Authorize to apply the API scope values.
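The two artifacts produced above, the downloaded .json key file and the scope list authorized for the service account's Client ID, are what the delegation flow depends on: the client signs a JWT whose iss is the service account's client_email, whose sub is the administrator it impersonates, and whose scope claim must be covered by the scopes the admin console authorized for that Client ID. The following Python script is an added example (not Arctic Wolf's or Google's code) that checks both artifacts offline before they are uploaded: it confirms the file is a service-account key rather than an OAuth client secret, parses the scope CSV, reports any required scope that is missing from what was authorized, and builds the unsigned claim set for reference. The sample key, the admin address admin@example.com, and all function names are constructed for the example; signing and the token exchange are not performed here.

```python
"""Offline checks for a Google Workspace service-account key file and the
domain-wide delegation scope list. Added example; the sample key below is
constructed and contains no real credential material."""
import json
import time

# Scope list from the configuration guide (comma-delimited, no spaces).
REQUIRED_SCOPES_CSV = (
    "https://www.googleapis.com/auth/admin.directory.group.readonly,"
    "https://www.googleapis.com/auth/admin.directory.user.readonly,"
    "https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,"
    "https://www.googleapis.com/auth/admin.directory.orgunit.readonly,"
    "https://www.googleapis.com/auth/admin.reports.audit.readonly,"
    "https://www.googleapis.com/auth/admin.reports.usage.readonly,"
    "https://www.googleapis.com/auth/apps.alerts"
)

SCOPE_PREFIX = "https://www.googleapis.com/auth/"

# Constructed sample of the file the console downloads (placeholder values only).
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "service-account@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def parse_scope_csv(csv_text):
    """Split the comma-delimited scope string the admin console expects.

    Rejects empty entries, whitespace inside a scope, scopes outside the
    googleapis.com/auth namespace, and duplicates, since any of these makes
    the pasted value differ from what the guide prescribes.
    """
    scopes = [s.strip() for s in csv_text.split(",")]
    for scope in scopes:
        if not scope:
            raise ValueError("empty scope entry in list")
        if any(ch.isspace() for ch in scope):
            raise ValueError("whitespace inside scope: %r" % scope)
        if not scope.startswith(SCOPE_PREFIX):
            raise ValueError("unexpected scope namespace: %r" % scope)
    if len(set(scopes)) != len(scopes):
        raise ValueError("duplicate scope in list")
    return scopes


def validate_service_account_key(key_json):
    """Confirm the uploaded file is a service-account key with the fields
    the delegation flow needs; an OAuth client-secret file has type
    'installed' or 'web' and would fail here."""
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key (type=%r)" % key.get("type"))
    for field in ("client_email", "client_id", "private_key", "token_uri"):
        if not key.get(field):
            raise ValueError("missing field: " + field)
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM PKCS#8 block")
    return key


def missing_scopes(granted_csv, required_csv=REQUIRED_SCOPES_CSV):
    """Required scopes absent from the list authorized for the Client ID."""
    return sorted(set(parse_scope_csv(required_csv)) - set(parse_scope_csv(granted_csv)))


def build_delegation_claims(key, subject, scopes, now=None):
    """Unsigned claim set for the service-account JWT flow with domain-wide
    delegation: 'sub' names the administrator being impersonated and
    'scope' is space-separated. Signing (RS256) and the token exchange
    against token_uri are deliberately left out of this offline check."""
    now = int(time.time()) if now is None else int(now)
    return {
        "iss": key["client_email"],
        "sub": subject,
        "scope": " ".join(scopes),
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,
    }


if __name__ == "__main__":
    key = validate_service_account_key(SAMPLE_KEY_JSON)
    scopes = parse_scope_csv(REQUIRED_SCOPES_CSV)
    print("key OK for client_id", key["client_id"], "with", len(scopes), "scopes")
    # Simulate an admin console entry where the alerts scope was left out.
    partial = REQUIRED_SCOPES_CSV.replace(",https://www.googleapis.com/auth/apps.alerts", "")
    print("missing from partial grant:", missing_scopes(partial))
    print(json.dumps(build_delegation_claims(key, "admin@example.com", scopes), indent=2))
```

Run it against the real downloaded file by replacing SAMPLE_KEY_JSON with the file's contents; a non-empty result from missing_scopes means the list pasted into the admin console does not match the guide and the delegated token request would be refused for the absent scope.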

Enabling application access control

Assign the permissions required for monitoring your Google Workspace account to the service account that you created:

  1. Sign in to the Google Workspace admin console using the credentials of an administrator on the account.

    Tip: You receive an error if you attempt to sign in without administrator credentials.

  2. From the main page, select Security > API controls. This opens the App Access Control page.

  3. Verify that the Trust internal, domain-owned apps checkbox is selected.

  4. Select MANAGE THIRD-PARTY APP ACCESS to open the Application Access page.

  5. Select Configure new app and then select OAuth App Name or Client ID.

  6. Search for the service account using the Client ID that you created as part of Creating a service account for the project.

  7. Select the checkbox beside the Client ID of the application that you are configuring.

  8. Select OAuth Client ID and then select Configure to save your changes.

The application page updates with the new application.

Providing credentials to Arctic Wolf

To provide the contents of the .json file containing the application credentials to Arctic Wolf:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

    (Screenshot: Connected Accounts menu)

  3. Select + Add Account to open the Add Account form.

  4. Select Cloud Threat Detection as the Account Type.

  5. Select Google Workspace from the list of cloud services, and fill in the form:

    1. Enter a descriptive name for the credentials.

    2. Enter the username of an administrator for impersonation in your Google Workspace account.

    3. Upload the .json file downloaded as part of Creating a service account for the project.

  6. Click Submit to CST.

  7. When prompted with the confirmation message, review your submission and then click Done. This returns you to the Connected Accounts page.

  8. Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team provisions security monitoring for your cloud account, the status of your account changes to Connected.