Configure Google Workspace for Arctic Wolf Active Response

With the Active Response service, Arctic Wolf® can perform identity-based response actions in your network using Google Workspace.

Google Workspace supports these response actions:
  • Disable/Enable a user
    Note: Arctic Wolf cannot take identity-based actions on Google Workspace user accounts with super administrator permissions.
  • Close user connections
  • Add/Remove a user from a security group
  • Force a password reset

For more information, see Response action descriptions.

Note:

Configure this integration with your primary identity provider in a cloud-based environment. Arctic Wolf does not support hybrid or on-premises environments for identity-based response actions.

These resources are required:

  • A user account with super administrator permissions.

  • Contact your CST to validate the Active Response integration. Have an account or environment ready that Arctic Wolf can use to validate the desired response actions without causing interruptions.

Create a project

  1. Sign in to the Google Cloud Console with administrator permissions.
  2. In the project picker, in the Select from menu, select the organization that you want Arctic Wolf to monitor, and then click New project.
  3. On the New Project page, configure these settings:
    • Project name — Enter a short, descriptive name. For example, Arctic Wolf Monitoring.
    • Project ID — (Optional) To edit the Project ID, in the Project name field, select the Edit option, and then replace the automatically generated value with a unique identifier.
    • Organization — Make sure that the selected option is the organization you want Arctic Wolf to monitor.
    • Location — (Optional) Select Browse, and then select a location.
      Tip:

      You can select a parent organization or folder that is different from the organization that you want to monitor.

  4. Copy the Project ID, and then save it in a safe, encrypted location. You will provide it to Arctic Wolf later.
  5. Click Create.

Enable APIs

  1. Sign in to the Google Cloud Platform with administrator permissions.
  2. In the navigation menu, click APIs & Services > Library.
  3. Enable the Admin SDK API in the project:
    1. In the search field, enter Admin SDK API.
    2. In the search results, select Admin SDK API.
    3. Click Enable.

Create a service account

  1. Sign in to the Google Cloud Console with administrator permissions.
  2. In the project picker, in the Select from menu, verify that these items are selected:
    • The organization that you want Arctic Wolf to monitor.
    • The project that you created previously. For example, Arctic Wolf Monitoring.
  3. In the navigation menu, click IAM & Admin > Service Accounts.
  4. Click + Create service account.
  5. In the Create service account section, configure these settings:
    • Service account name — Enter a short, descriptive name. For example, arctic-wolf-service-account.
    • Service account ID — (Optional) Enter a unique ID for the service account. For example, arcticwolfmonitoring.
      Tip:

      A unique value is automatically generated when you specify a service account name.

    • Service account description — (Optional) Enter a description for the service account. For example, Used for Arctic Wolf monitoring.
  6. Click Create and continue.
  7. In the Grant this service account access to project (optional) section, keep the role field empty.
  8. Click Continue.
  9. In the Grant users access to this service account (optional) section, keep the Service account users role and Service account admins role fields empty.
  10. Click Done.

    The service account is now listed on the Service accounts page.

  11. On the Service Accounts page, for the service account that you created, complete these steps:
    1. Click Actions > Manage keys.
    2. In the Add key list, select Create new key.
      Note: If you receive an error similar to Service account key creation is disabled, you must ask an administrator with the Organization Policy Administrator role to disable the iam.disableServiceAccountKeyCreation constraint. For more information, see Create and delete service account keys.
    3. In the dialog, select the JSON option.
    4. Click Create.

      The JSON file containing the service account credentials automatically downloads to your computer.

  12. Copy the JSON filename and path to a safe, encrypted location to provide to Arctic Wolf later.

Enable domain-wide delegation

  1. On the Service Accounts page, complete these steps for the service account that you created:
    1. Click Actions > Manage details.
    2. Click Advanced settings, and then scroll to the Domain-wide Delegation section.
      Note:

      A Google Workspace Marketplace OAuth Client is not required.

    3. Copy the Client ID value to a safe, encrypted location. You will use it in a later step.
    4. Click View Google Workspace admin console.

      The Google Admin Console opens in a new tab.

    5. If prompted, sign in to the admin console.
      Tip:

      Keep the Google Cloud Console open so that you can access the client ID again, if needed.

  2. In the Google Admin Console, click Main menu > Security > Access and data control > API controls.
  3. In the Domain wide delegation section, click Manage Domain Wide Delegation.
  4. On the Domain-wide Delegation page, click Add new.
  5. In the Client ID field, enter the Client ID value that you copied from the Service accounts page.
  6. In the OAuth scopes (comma-delimited) field, enter this value:
    https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.group.member,https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.user.security
  7. Click Authorize.
    Wait 5-10 minutes after adding OAuth scopes before proceeding to the next step.
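
Before handing the credentials over, it is worth confirming that the downloaded key, the Client ID entered for delegation, and the scope list all agree. The Python check below is an added example, not code from Arctic Wolf or Google; the function name preflight, the constructed sample key, and the rule tying client_email to project_id are assumptions of this example.

```python
import json

# The four OAuth scopes the page lists for domain-wide delegation.
REQUIRED_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.group.member",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.user.security",
}
KEY_FIELDS = ("type", "project_id", "private_key", "client_email", "client_id")

def preflight(key_text, delegated_client_id, delegated_scopes_csv):
    """Return a list of findings; an empty list means the setup is consistent."""
    try:
        key = json.loads(key_text)
        missing = [f for f in KEY_FIELDS if not isinstance(key.get(f), str) or not key[f]]
    except (ValueError, AttributeError):
        return ["key file is not a JSON object"]
    if missing:
        return ["key file lacks fields: " + ", ".join(missing)]
    findings = []
    if key["type"] != "service_account":
        findings.append("key type is not 'service_account'")
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        findings.append("private_key is not a PEM private key block")
    # Assumption: the account email is <name>@<project_id>.iam.gserviceaccount.com.
    if not key["client_email"].endswith("@" + key["project_id"] + ".iam.gserviceaccount.com"):
        findings.append("client_email does not belong to project_id")
    # The key's client_id is the Client ID shown under Domain-wide Delegation.
    if key["client_id"] != delegated_client_id.strip():
        findings.append("delegated Client ID differs from the key's client_id")
    scopes = {s.strip() for s in delegated_scopes_csv.split(",") if s.strip()}
    findings += ["missing scope: " + s for s in sorted(REQUIRED_SCOPES - scopes)]
    findings += ["extra scope beyond the documented set: " + s
                 for s in sorted(scopes - REQUIRED_SCOPES)]
    return findings

# Constructed sample key with placeholder values (not a real credential).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project-000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
    "client_email": "arctic-wolf-service-account@example-project-000000.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
})

if __name__ == "__main__":
    print(preflight(SAMPLE_KEY, "100000000000000000001", ",".join(REQUIRED_SCOPES)))
```

An extra scope in the output means the delegation grants the service account more impersonation reach than the four response actions need; a missing scope means one of those actions will fail.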

Provide Google Workspace Active Response credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Organization Profile > Integrations.
  3. On the Active Response tab, click New Active Response Integration +.
  4. Click Google Workspace.
  5. On the New Active Response Integration page, configure these settings:
    • Integration Name — Enter a unique and descriptive name for the integration.

    • Upper limit for query count — Enter 1.
    • Enable Identity Active Response Actions — Select the checkbox.

    • Global Admin Email Address — Enter the username of the super administrator account, in the form of an email address. To find this username, click your user icon in the top-right corner of the Google Admin Console.

    • Service account private key — Enter the service account private key located in the JSON file that you downloaded as part of Create a service account.

    • Service account email address — Enter the service account email address located in the JSON file that you downloaded as part of Create a service account.

    • User defined mapping — (Optional) Keep this field blank.

  6. Click Save Integration.