Configure Google Workspace cloud for Arctic Wolf monitoring

You can configure Google Workspace® to send the necessary logs to Arctic Wolf® for security monitoring.

Note:

Google Workspace endpoints can have a reporting latency of up to 4 hours between when an event is created on a monitored system and when the logs are available for Arctic Wolf to analyze. See Data retention and lag times for more information.

These resources are required:

  • Super administrator permissions in the workspace that you want Arctic Wolf to monitor.
    Note:

    Arctic Wolf requires an administrator username, but not the associated password, because the service account created for Arctic Wolf monitoring impersonates this administrator when interacting with the Google Admin SDK Reports API to retrieve Google Workspace events. See Perform Google Workspace Domain-Wide Delegation of Authority for more information.

Create a project

  1. Sign in to the Google Cloud Console with administrator permissions.
  2. Open the project picker, and in the Select from menu, select the organization that you want Arctic Wolf to monitor, and then click New project.
  3. On the New Project page, configure these settings:
    • Project name — Enter a short, descriptive name. For example, Arctic Wolf Monitoring.
    • Project ID — (Optional) To edit the Project ID, in the Project name field, select the Edit option, and then replace the automatically generated value with a unique identifier.
    • Organization — Make sure that the selected option is the organization you want Arctic Wolf to monitor.
    • Location — (Optional) Select Browse, and then select a location.
      Tip:

      You can select a parent organization or folder that is different from the organization that you want to monitor.

  4. Copy the Project ID, and then save it in a safe, encrypted location. You will provide it to Arctic Wolf later.
  5. Click Create.

Enable APIs

  1. Sign in to the Google Cloud Platform with administrator permissions.
  2. In the navigation menu, click APIs & Services > Library.
  3. Enable the Admin SDK API in the project:
    1. In the search field, enter Admin SDK API.
    2. In the search results, select Admin SDK API.
    3. Click Enable.

Create a service account

  1. Sign in to the Google Cloud Console with administrator permissions.
  2. Open the project picker and, using the Select from menu, verify that these items are selected:
    • The organization that you want Arctic Wolf to monitor.
    • The project that you created previously. For example, Arctic Wolf Monitoring.
  3. In the navigation menu, click IAM & Admin > Service Accounts.
  4. Click + Create service account.
  5. In the Create service account section, configure these settings:
    • Service account name — Enter a short, descriptive name. For example, arctic-wolf-service-account.
    • Service account ID — (Optional) Enter a unique ID for the service account. For example, arcticwolfmonitoring.
      Tip:

      A unique value is automatically generated when you specify a service account name.

    • Service account description — (Optional) Enter a description for the service account. For example, Used for Arctic Wolf monitoring.
  6. Click Create and continue.
  7. In the Grant this service account access to project (optional) section, keep the role field empty.
  8. Click Continue.
  9. In the Grant users access to this service account (optional) section, keep the Service account users role and Service account admins role fields empty.
  10. Click Done.

    The service account is now listed on the Service accounts page.

  11. On the Service Accounts page, for the service account that you created, complete these steps:
    1. Click Actions > Manage keys.
    2. In the Add key list, select Create new key.
    3. In the dialog, select the JSON option.
    4. Click Create.

      The JSON file containing the service account credentials automatically downloads to your computer.

  12. Copy the JSON filename and path to a safe, encrypted location to provide to Arctic Wolf later.

Enable domain-wide delegation

  1. On the Service Accounts page, complete these steps for the service account that you created:
    1. Click Actions > Manage details.
    2. Click Advanced settings, and then scroll to the Domain-wide Delegation section.
      Note:

      A Google Workspace Marketplace OAuth Client is not required.

    3. Copy the Client ID value to a safe, encrypted location. You will use it in a later step.
    4. Click View Google Workspace admin console.

      The Google Admin Console opens in a new tab.

    5. If prompted, sign in to the admin console.
      Tip:

      Keep the Google Cloud Console open so that you can access the client ID again, if needed.

  2. In the Google Admin Console, click Main menu > Security > Access and data control > API controls.
  3. In the Domain wide delegation section, click Manage Domain Wide Delegation.
  4. On the Domain-wide Delegation page, click Add new.
  5. In the Client ID field, enter the Client ID value that you copied from the Service accounts page.
  6. In the OAuth scopes (comma-delimited) field, enter this value:
    https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,https://www.googleapis.com/auth/admin.directory.orgunit.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.reports.usage.readonly,https://www.googleapis.com/auth/apps.alerts
  7. Click Authorize.
    Wait 5-10 minutes after adding OAuth scopes before proceeding to the next step.
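
Before uploading the key, you can confirm offline that the delegation grants exactly the scopes listed in step 6 and that the downloaded JSON key belongs to the project and Client ID you saved. The following Python is an added example, not Arctic Wolf or Google code; the function names and the sample project ID, Client ID, and key contents are constructed for illustration.

```python
import json

PREFIX = "https://www.googleapis.com/auth/"
# The seven scopes listed in step 6 of "Enable domain-wide delegation".
REQUIRED_SCOPES = frozenset(PREFIX + s for s in (
    "admin.directory.group.readonly", "admin.directory.user.readonly",
    "admin.directory.rolemanagement.readonly", "admin.directory.orgunit.readonly",
    "admin.reports.audit.readonly", "admin.reports.usage.readonly", "apps.alerts"))

def check_scopes(field_value):
    """Diff a comma-delimited OAuth scopes field against the required set."""
    granted = {s.strip() for s in field_value.split(",") if s.strip()}
    return {"missing": sorted(REQUIRED_SCOPES - granted),
            "extra": sorted(granted - REQUIRED_SCOPES)}

def check_key_file(key_json, project_id, client_id):
    """Return problems found in the text of a service account JSON key."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError:
        return ["file is not valid JSON"]
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"]
    problems = []
    if key.get("type") != "service_account":
        problems.append("type is not service_account")
    if key.get("project_id") != project_id:
        problems.append("project_id differs from the saved Project ID")
    if key.get("client_id") != client_id:
        problems.append("client_id differs from the delegated Client ID")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is missing or not PEM text")
    return problems

# Constructed sample values (not real credentials or identifiers).
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "arctic-wolf-monitoring-000000",
    "client_id": "100000000000000000000",
    "client_email": "arcticwolfmonitoring@arctic-wolf-monitoring-000000.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n"})
# Constructed mistake: user.readonly was typed without ".readonly".
SAMPLE_FIELD = ", ".join(sorted(REQUIRED_SCOPES)).replace("user.readonly", "user")

if __name__ == "__main__":
    print(check_scopes(SAMPLE_FIELD))
    print(check_key_file(SAMPLE_KEY, "arctic-wolf-monitoring-000000", "100000000000000000000"))
    print(check_key_file(SAMPLE_KEY, "arctic-wolf-monitoring-000000", "999"))
```

An entry under "extra" means the delegation grants more than the listed scopes; in the constructed sample, dropping ".readonly" from the user scope is reported as both a missing and an extra scope.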

Provide Google Workspace credentials to Arctic Wolf

Note:

Time-based events are polled with a delay to make sure that data is available. For new deployments, Arctic Wolf begins polling and reviewing activity from approximately one hour prior to configuration success. If API credentials fail, for example due to expired credentials, Arctic Wolf notifies you and requests a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to enable complete data polling and coverage.

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Google Workspace.
  5. Configure these settings:
    • Account Name — Enter a unique and descriptive name for the account.

    • Admin username — Enter the username of the super administrator account, in the form of an email address. To find this username, click your user icon in the top-right corner of the Google Admin Console.
    • JSON credential file section — Click Choose File, and then upload the JSON file that you downloaded as part of Create a service account.
    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.

  6. Click Test and submit credentials.