Configuring Google Workspace Monitoring

Configuration Guide

Overview Direct link to this section

This document describes how to configure your Google Workspace environment for the Arctic Wolf® Cloud Detection and Response service. After you complete this configuration and provide the necessary credentials to Arctic Wolf, we monitor your Google Workspace environment for security events through a service account.

Note: Google Workspace endpoints may have a reporting latency of up to four hours between when an event is created on a monitored system and when the logs are available for Arctic Wolf to analyze. See Data retention and lag times in the Google Workspace documentation for more information.

At the end of this process, you must provide the following information to Arctic Wolf through the Arctic Wolf Portal:

Before you begin Direct link to this section

To configure your Google Workspace environment for monitoring, you must be an administrator for the Google Workspace account that you want to monitor.

During the configuration process, you need to use both the Google Admin Console and the Google Cloud Console.

Creating a project Direct link to this section

To create a project with access to the Admin SDK:

  1. Sign in to the Google Cloud Console using administrator credentials.

  2. In the Select from menu, Select from menu, select the organization that you want Arctic Wolf to monitor. Then, select NEW PROJECT.

  3. On the New Project page, enter apppropriate values for the following:

    • Project name — Enter a short, descriptive name, such as Arctic Wolf Monitoring.

    • Project ID — To view the Project ID, select the Edit option under Project name. Then, modify the auto-generated value as desired.

      Note: Record the project ID for later, when you complete the instructions in Providing credentials to Arctic Wolf.

    • Organization — Verify that the selected option is the organization that you want Arctic Wolf to monitor.

    • Location — (Optional) Select BROWSE to view potential locations for your project within the folder structure. Then, choose a location.

    Tip: You can select a parent organization or folder that is different from the organization that you want to monitor.

  4. Select CREATE to create the new project.

  5. Enable the Admin SDK API in the project:

    1. Type Admin SDK API in the API search box.

    2. Select the Admin SDK API entry in the search results.

    3. Select ENABLE to enable this API in the project.

  6. Proceed to Creating a service account.

Creating a service account Direct link to this section

To create a service account for the project:

  1. Sign in to the Google Cloud Console with administrator credentials.

  2. In the Select from menu, Select from menu, verify that the following are selected:

    • The organization that you want Arctic Wolf to monitor.
    • The project that you created in Creating a project, such as Arctic Wolf Monitoring.
  3. From the main menu, select IAM & Admin > Service Accounts.

  4. Select + CREATE SERVICE ACCOUNT.

  5. In the Service account details section, enter apppropriate values for the following:

    • Service account name — Enter a short, descriptive name, such as arctic-wolf-service-account.

    • Service account ID — (Optional) Enter a unique ID for the service account, such as arcticwolfmonitoring.

      Tip: A unique value is automatically generated when you specify a service account name.

    • Service account description — (Optional) Enter a description for the service account, such as Used for Arctic Wolf monitoring.

  6. Select CREATE AND CONTINUE.

  7. In the Grant this service account access to project (optional) section:

    1. Leave the Select a role box blank.

    2. Select CONTINUE.

  8. In the Grant users access to this service account (optional) section:

    1. Leave all fields blank.

    2. Select DONE.

  9. In the "Grant users access to this service account (optional)" section, leave the Service account users role and Service account admins role boxes blank.

  10. Select DONE. The service account is now listed on the Service accounts page.

  11. Find the service account that you created for the Arctic Wolf monitoring service. Then:

    1. Expand the Actions menu for the service account, and select Manage keys.

    2. Select ADD KEY > Create new key.

    3. In the dialog box, select JSON for the key type.

    4. Select CREATE. The .json file containing the service account credentials automatically downloads to your computer.

  12. Record the name and filepath of the .json download for later, when you complete the instructions in Providing credentials to Arctic Wolf.

  13. Proceed to Enabling domain-wide delegation.

  14. Proceed to Providing credentials to Arctic Wolf.

Enabling domain-wide delegation Direct link to this section

See Delegating domain-wide authority to the service account in the Google Workspace documentation for more details.

To enable domain-wide delegation:

  1. Return to the Service accounts page.

  2. Find the service account that you created for the Arctic Wolf monitoring service. Then:

    1. Expand the Actions menu and select Manage details.

    2. Select Advanced settings. Then, scroll to the Domain-wide Delegation section.

      Note: A Google Workspace Marketplace OAuth Client is not required.

    3. Copy the Client ID value to your clipboard.

    4. Select VIEW GOOGLE WORKSPACE ADMIN CONSOLE. This opens the Google Admin Console in a new tab or window. If prompted, sign in to the admin console.

      Tip: Leave the Google Cloud Console open so you can copy the client ID again, if needed.

  3. On the Google Admin Console, select Main menu > Security > Access and data control > API controls. Then, scroll to the Domain wide delegation section.

  4. Select MANAGE DOMAIN WIDE DELEGATION.

  5. On the Domain-wide Delegation page, select Add new.

  6. In the Client ID text box, enter the Client ID value you copied from the Service accounts page.

  7. In the OAuth scopes (comma-delimited) text box, enter:

    https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,https://www.googleapis.com/auth/admin.directory.orgunit.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.reports.usage.readonly,https://www.googleapis.com/auth/apps.alerts
  8. Select AUTHORIZE.

  9. Proceed to Providing credentials to Arctic Wolf.

Providing credentials to Arctic Wolf Direct link to this section

To provide your Google Workspace credentials to Arctic Wolf:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

    Connected Accounts menu

  3. Select +Add Account to open the Add Account form.

  4. Select Cloud Detection and Response as the Account Type.

  5. Select Google Workspace from the list of cloud services and fill in the form:

    • Account Name — Enter a descriptive name for the service account credentials.

    • Admin username — Enter the username of the account administrator associated with service account that you created as part of Creating a service account.

    • JSON credential file — Upload the .json file that you downloaded as part of Creating a service account.

  6. Select Submit to CST.

  7. When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.

  8. Verify that the newly-submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.