Google Workspace Monitoring

Updated Feb 28, 2024

Configure Google Workspace cloud for Arctic Wolf monitoring

You can configure GCP® to send the necessary logs to Arctic Wolf® for security monitoring.

Note: Google Workspace endpoints can have a reporting latency of up to 4 hours between when an event is created on a monitored system and when the logs are available for Arctic Wolf to analyze. See Data retention and lag times for more information.

Requirements

Steps

  1. Create a project.
  2. Enable APIs.
  3. Create a service account.
  4. Enable domain-wide delegation.
  5. Provide your Google Workspace cloud credentials to Arctic Wolf.

Step 1: Create a project

  1. Sign in to the Google Cloud Console with administrator permissions.

  2. In the Select from menu, select the organization that you want Arctic Wolf to monitor, and then click NEW PROJECT.

  3. On the New Project page, configure these settings:

    • Project name — Enter a short, descriptive name. For example, Arctic Wolf Monitoring.
    • Project ID — (Optional) To edit the Project ID, in the Project name field, select the Edit option, and then replace the automatically generated value with a unique identifier.
    • Organization — Make sure that the selected option is the organization you want Arctic Wolf to monitor.
    • Location — (Optional) Select BROWSE, and then select a location.

    Tip: You can select a parent organization or folder that is different from the organization that you want to monitor.

  4. Copy the Project ID, and then save it in a safe, encrypted location. You will provide it to Arctic Wolf later.

  5. Click CREATE.

Step 2: Enable APIs

  1. Sign in to the Google Cloud Console with administrator permissions.

  2. In the navigation menu, click APIs & Services > Library.

  3. Enable the Admin SDK API in the project:

    1. In the search field, enter Admin SDK API.
    2. In the search results, select Admin SDK API.
    3. Click ENABLE.

Step 3: Create a service account

  1. Sign in to the Google Cloud Console with administrator permissions.

  2. In the Select from menu, verify that these items are selected:

    • The organization that you want Arctic Wolf to monitor.
    • The project that you created previously. For example, Arctic Wolf Monitoring.

  3. In the navigation menu, click IAM & Admin > Service Accounts.

  4. Click + CREATE SERVICE ACCOUNT.

  5. In the Service account details section, configure these settings:

    • Service account name — Enter a short, descriptive name. For example, arctic-wolf-service-account.

    • Service account ID — (Optional) Enter a unique ID for the service account. For example, arcticwolfmonitoring.

      Tip: A unique value is automatically generated when you specify a service account name.

    • Service account description — (Optional) Enter a description for the service account. For example, Used for Arctic Wolf monitoring.

  6. Click CREATE AND CONTINUE.

  7. In the Grant this service account access to project (optional) section, keep the role field empty.

  8. Click CONTINUE.

  9. In the Grant users access to this service account (optional) section, keep the Service account users role and Service account admins role fields empty.

  10. Click DONE.

    The service account is now listed on the Service accounts page.

  11. On the Service Accounts page, for the service account that you created, complete these steps:

    1. Click Actions > Manage keys.

    2. In the ADD KEY list, select Create new key.

    3. In the dialog, select the JSON option.

    4. Click CREATE.

      The JSON file containing the service account credentials automatically downloads to your computer.

  12. Copy the JSON file name and path to a safe, encrypted location. You will provide it to Arctic Wolf later.

Step 4: Enable domain-wide delegation

  1. On the Service Accounts page, complete these steps for the service account that you created:

    1. Click Actions > Manage details.

    2. Click Advanced settings, and then scroll to the Domain-wide Delegation section.

      Note: A Google Workspace Marketplace OAuth Client is not required.

    3. Copy the Client ID value to a safe, encrypted location. You will use it in a later step.

    4. Click VIEW GOOGLE WORKSPACE ADMIN CONSOLE.

      The Google Admin Console opens in a new tab.

    5. If prompted, sign in to the admin console.

      Tip: Keep the Google Cloud Console open so that you can access the client ID again, if needed.

  2. In the Google Admin Console, click Main menu > Security > Access and data control > API controls.

  3. In the Domain wide delegation section, click MANAGE DOMAIN WIDE DELEGATION.

  4. On the Domain-wide Delegation page, click Add new.

  5. In the Client ID field, enter the Client ID value that you copied from the Service accounts page.

  6. In the OAuth scopes (comma-delimited) field, enter this value:

    https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,https://www.googleapis.com/auth/admin.directory.orgunit.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.reports.usage.readonly,https://www.googleapis.com/auth/apps.alerts
  7. Click AUTHORIZE.
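Added example (not Arctic Wolf or Google code): an audit of the OAuth scopes entry for the delegated client against the seven scopes listed in step 6, reporting scopes that are missing (a monitoring gap) and scopes that were granted beyond the list (excess privilege). The function name and the sample entry are assumptions of this example.

```python
PREFIX = "https://www.googleapis.com/auth/"

# Scope list copied from step 6 of "Enable domain-wide delegation".
EXPECTED = frozenset(PREFIX + name for name in (
    "admin.directory.group.readonly",
    "admin.directory.user.readonly",
    "admin.directory.rolemanagement.readonly",
    "admin.directory.orgunit.readonly",
    "admin.reports.audit.readonly",
    "admin.reports.usage.readonly",
    "apps.alerts",
))

def audit_scopes(entry):
    """Compare a comma-delimited scope entry with the documented list."""
    granted = {s.strip() for s in entry.split(",") if s.strip()}
    unexpected = granted - EXPECTED
    return {
        "ok": granted == EXPECTED,
        # Documented scopes absent from the entry.
        "missing": sorted(EXPECTED - granted),
        # Scopes granted that the page does not ask for.
        "unexpected": sorted(unexpected),
        # Subset of the above without the ".readonly" suffix.
        "unexpected_not_readonly": sorted(
            s for s in unexpected if not s.endswith(".readonly")),
    }

if __name__ == "__main__":
    # Constructed entry: the user scope was pasted without ".readonly"
    # and apps.alerts was left out.
    kept = EXPECTED - {PREFIX + "apps.alerts",
                       PREFIX + "admin.directory.user.readonly"}
    entry = ", ".join(sorted(kept) + [PREFIX + "admin.directory.user"])
    for field, value in audit_scopes(entry).items():
        print(field, "=", value)
```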

Step 5: Provide your Google Workspace cloud credentials to Arctic Wolf

Note: If API credentials fail, for example due to expired credentials, Arctic Wolf notifies you and requests a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to enable complete data polling and coverage. For more information, see MDR polling frequency.

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, in the Account Type list, select Cloud Detection and Response.

  5. In the Cloud Services list, select Google Workspace.

  6. On the Add Account page, configure these settings:

    • Account Name — Enter a unique and descriptive name for the account.

    • Admin username — Enter the username of the super administrator account, in the form of an email address. To find this username, click your user icon in the top-right corner of the Google Admin Console.

    • JSON credential file section — Click Choose File, and then upload the JSON file that you downloaded as part of Create a service account.

    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.

  7. Click Test and submit credentials.

    After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.
