Integrating G Suite With Blumira

Blumira integrates with Google G Suite productivity suite to stream G Suite security event logs and alerts to the Blumira service for threat detection and actionable response.

Google G Suite provides multiple services, including Google Identity, Gmail email services, and Drive applications such as Docs, Sheets, and Slides. Blumira monitors these services for potential threats and provides actionable responses when suspicious activity or a threat is detected.

To configure Blumira to ingest your Google GSuite domain’s event logs, follow these steps:

Preparing Google:

  • Typically as someone with GSuite Admin permissions, create a Google Cloud Platform (GCP) project if you do not have one already (if needed, follow the “Console” instructions under “Creating a project” here: https://cloud.google.com/resource-manager/docs/creating-managing-projects).
  • Go to your GCP console (https://console.cloud.google.com), switch to the project you created or want to use, and create a service account *that will only be used for fetching GSuite logs* (i.e., for security, do NOT give this service account any permissions/roles beyond what is listed here):
    1. Open: https://console.cloud.google.com/iam-admin/serviceaccounts/create
    2. Enter a unique service account name, like “gsuite-log-fetcher”
    3. Enter a meaningful service description, like: “SA for fetching gsuite logs for domain: example.com”
    4. Click “Create”
    5. Select the drop-down: “Select a role”, and choose: Service Accounts –> Service Account Token Creator
    6. Click “Continue”
    7. Click “Create Key”
    8. Leave “JSON” selected and click “Create”; save the file to a secure local directory
  • On your local machine, navigate to the directory you saved the key file in and open it with a plaintext editor (e.g., Notepad, TextEdit, etc., or, if you’re on a *nix machine, simply cat the file to display its contents). It will be a JSON-formatted file whose first key, “type”, has the value “service_account”. Copy the value of the “client_id” key, as you’ll need it in a minute. Keep the entire file contents open for now, as you’ll also need the full contents near the end of this process, below.
  • In the *same GCP project in which you created the above service account*, enable the Google Admin SDK, which is the API used for fetching GSuite log events. Open a browser to: https://console.cloud.google.com/apis/library/admin.googleapis.com and click “Enable” (note the GCP project in the top of the page matches what you expect).
  • Similarly, for the same GCP project, enable the IAM API by clicking “Enable” here: https://console.cloud.google.com/apis/library/iam.googleapis.com
  • Back in a browser, open your GSuite organization’s admin interface, open the “Security” section, then go to Advanced–>Manage API Client Access (this is equivalent to opening this URL: https://admin.google.com/AdminHome?chromeless=1#OGX:ManageOauthClients):
    1. For “Client Name”, enter the client_id value you copied from the service account key above.
    2. For “One or More API Scopes” enter the following two scopes (note that they are comma-separated): https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/iam
    3. Click “Authorize” [1]
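As an added illustration (not Blumira’s or Google’s code) of what the service account key, the client_id, and the admin email address from these steps are used for: the script below validates a constructed sample key file, extracts the client_id you enter in the Admin console, and builds the domain-wide delegation JWT claim set in which the service account asserts the identity of the admin user (the impersonation described in footnote [1]). The sample key, the gsuite-log-fetcher service account name, and admin@example.com are constructed values; signing with the key’s private_key and the token exchange are described in comments but not performed.

```python
import base64
import json
import time

# The two API scopes the page authorizes under "Manage API Client Access".
SCOPES = ["https://www.googleapis.com/auth/admin.reports.audit.readonly",
          "https://www.googleapis.com/auth/iam"]
REQUIRED = ("type", "client_email", "client_id", "private_key", "token_uri")

# Constructed sample key file (not a real key; private_key is a placeholder).
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "gsuite-log-fetcher@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})

def parse_service_account_key(text):
    """Validate the downloaded key file and return it as a dict."""
    key = json.loads(text)
    missing = [k for k in REQUIRED if k not in key]
    if missing:
        raise ValueError("key file is missing: " + ", ".join(missing))
    if key["type"] != "service_account":
        raise ValueError("expected type 'service_account', got %r" % key["type"])
    return key

def delegation_claims(key, admin_email, now=None, lifetime=3600):
    """JWT claim set for domain-wide delegation: the service account (iss)
    asserts the identity of the admin user (sub) for the listed scopes."""
    now = int(time.time()) if now is None else now
    return {"iss": key["client_email"],
            "sub": admin_email,           # the admin the module impersonates
            "scope": " ".join(SCOPES),    # space-separated inside the JWT
            "aud": key["token_uri"],
            "iat": now, "exp": now + lifetime}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def signing_input(claims):
    """The 'header.payload' string that gets RS256-signed with private_key and
    posted to token_uri (grant_type=jwt-bearer) to obtain an access token."""
    header = {"alg": "RS256", "typ": "JWT"}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    return enc(header) + "." + enc(claims)
```

Calling `parse_service_account_key(SAMPLE_KEY_JSON)["client_id"]` gives the value to paste as “Client Name”; a key whose “type” is not “service_account” is rejected before it can be pasted into the sensor.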

Configuring Blumira:

Next, you’ll need to enable your Blumira sensor to actually collect GSuite logs. To do this, on an existing or new sensor in the sensor UI, you must add the GSuite Module (note that the basic “Logger” module must also be present on this sensor for logs to flow [2]).

Here’s how to add the GSuite Module:

  1. Once you have chosen or installed a sensor you’d like to add GSuite log collection to, when looking at the sensor detail page for the sensor, click the “Add Module” button near the bottom right of the page.
  2. In the Module drop-down find the GSuite Module and select the latest available version.
  3. Fill in the New Module form, shown here:

    1. For “Log Source Name”, optionally enter a string to identify this GSuite log configuration; for example, you might simply enter the name of the GSuite domain for which you are collecting logs (e.g., “example.com”).
    2. For GCP service account credential JSON, paste the entire contents of the credentials JSON file you created in the steps above (i.e., starting with an opening curly brace and ending with a closing one). Be sure it looks like the file described above and is the verbatim contents of that file.
    3. For GSuite admin email address, enter the plain lowercase email address of an existing user in your GSuite domain who is an admin of the domain (e.g., an address such as “admin@example.com”).
    4. Click “Install.” The screen may pause for a few seconds as the install is registered, after which the GSuite Module should be listed in the module table at the bottom of your sensor detail page.
  4. Within minutes, the module will be operational and will collect the last 90 days’ worth of logs into the Blumira platform. It will then poll GSuite every minute for the latest available logs and pass those into the platform.

Footnotes:

[1] Note that, per the way Google designed this: “Only users with access to the Admin APIs can access the Admin SDK Reports API, therefore your service account needs to impersonate one of those users to access the Admin SDK Reports API.” In other words, you’ll need to provide the *email address* of one of your GSuite users with admin console access, which the module will use as the identity under which it fetches your GSuite logs. (Google’s quote is from here: https://developers.google.com/admin-sdk/reports/v1/guides/delegation)

[2] To add the basic “Logger” module, if you haven’t already during your Blumira on-boarding, simply click “Add Module” on a sensor without one, select the latest available version of the “Logger Module”, and click “Install” (leaving the two TLS fields blank).