
Cloud SIEM for G Suite

Blumira integrates with the Google G Suite productivity suite to stream G Suite security event logs and alerts to the Blumira service for threat detection and actionable response.

Google G Suite provides multiple services, including Google Identity, Gmail email services, and Drive applications such as Docs, Sheets, and Slides. Blumira monitors these services for potential threats and provides actionable responses when a suspected or confirmed threat is detected.


Get a Free Cloud SIEM Trial

Try out Blumira’s automated detection & response platform for free and deploy a cloud SIEM in hours.


Free Trial

To configure Blumira to ingest your Google G Suite domain event logs, follow these steps:

Prerequisites

  • A G Suite user with admin permissions (needed for this integration)
  • G Suite licensing above the free tier
  • A Blumira trial or paid account with admin access
  • An active Blumira sensor

Create a GCP Project

  • With G Suite admin permissions, open the GCP Console at https://console.cloud.google.com
  • Create a GCP Project
    • Next to the Google Cloud Platform header, open the project dropdown
    • Click New Project
    • In the New Project window that appears, enter a unique project name
    • Select the Organization you’d like to use (typically the default listed is best)
    • Enter the parent organization in the Location box if it isn’t pre-populated (usually matches the organization domain)
    • When finished, click Create
    • Once created, select the Project you’ve created in the Project drop down near the GCP header in the top left of your screen
  • Create a GCP Service Account (used for fetching G Suite logs)
    • From the GCP Console, switch to the project you created or desire to use in the top left.
    • On the left toolbar – Select IAM & Admin > IAM > Service Accounts
    • Select +Create Service Account at the top of the page
    • Enter a unique service account name
    • Enter a service description
    • Click Create
    • Select the drop-down Select A Role, and choose Service Account in the left column and Service Account Token Creator in the right column.
    • Click Continue
    • Select your new service account from the list and click Create Key
    • Select JSON as the key format; the JSON file downloads automatically in your browser
  • Find your Client_ID
    • Open the JSON key file on your local machine in a plain text editor (Notepad, Wordpad, Notepad++)
    • Find the client_id field and copy its number
    • Save the file; it will be used later

Enable Google APIs

  • Enable the Google Admin SDK API
    • From the GCP Main Console Page, select the same project you created in previous steps on the top left.
    • In the left side toolbar, select APIs & Services > Dashboard
    • On the APIs & Services Dashboard, select Library
    • In the search bar, type “Admin SDK”
    • Select the Admin SDK API
    • Select Enable
  • Enable the Identity and Access Management (IAM) API
    • Return to the same API Library page as shown in the previous section
    • In the search bar, type “IAM API”
    • Select the Identity and Access Management (IAM) API
    • Select Enable

Link APIs to G Suite

  • Link GCP APIs to G Suite (Google Workspace)
    • Go to https://admin.google.com and log in as a global admin
    • In the left side toolbar, go to Security > API Controls
    • Scroll to the bottom section called “Domain-Wide Delegation” and select Manage Domain Wide Delegation
    • Select Add New
    • In the “Add a new Client ID” window that appears, enter the client_id number saved from the JSON file in the previous steps
    • Copy and paste the following into the OAuth Scopes section: https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/iam
    • Click Authorize [1]

Configuring Blumira

Lastly, you’ll need to connect G Suite to the Blumira platform. Start by logging into the Blumira Console as an administrator.

  • Go to the left side toolbar and select Infrastructure > Sensors
  • Select the Sensor you’d like to use
  • Scroll down to the Modules section and select Add Module on the right.
  • Type in Gsuite and select the module
  • In the module window that appears:
  1. Log Source Name – Optional – Enter anything you’d like to name it
  2. GCP Service Account Credential JSON – Copy and paste the contents of the JSON key file from the previous steps into the window
  3. GSuite Admin Email Address – Enter the email address of an existing G Suite user with Domain Admin privileges
  4. Click Install
  5. Within minutes, the module will be operational and will collect the last 90 days’ worth of logs into the Blumira platform.

Footnotes:

[1] Note that, per the way Google designed this: “Only users with access to the Admin APIs can access the Admin SDK Reports API, therefore your service account needs to impersonate one of those users to access the Admin SDK Reports API.” In other words, you’ll need to provide the *email address* of one of your G Suite users with admin console access; the module impersonates that account when it fetches your G Suite logs. (Google’s quote is from here: https://developers.google.com/admin-sdk/reports/v1/guides/delegation)
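The pieces of the setup that are easy to get wrong are the three values passed between the steps above: the client_id taken from the service account key file, the two OAuth scopes authorized under Domain-Wide Delegation, and the admin email the module impersonates (footnote [1]). The following Python is an added example, not Blumira’s or Google’s code; it parses a constructed placeholder key file (no real key material), extracts the client_id, checks a pasted scope string against the scopes the guide requires, and builds the unsigned JWT claim set that a domain-wide-delegated service account signs to act as the admin user. Sending that assertion, and the RS256 signing, are left to a client library and are not performed here.

```python
import json
import time

# OAuth scopes the guide has you authorize under Domain-Wide Delegation.
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/iam",
)

# Constructed sample of a downloaded service account key file: every value is a
# placeholder, not real key material, but the field layout matches the real file.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "blumira-logs@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})

def load_key(raw):
    """Parse the key file and verify the fields the module relies on are present."""
    info = json.loads(raw)
    if info.get("type") != "service_account":
        raise ValueError("not a service account key file")
    for field in ("client_id", "client_email", "private_key", "token_uri"):
        if not info.get(field):
            raise ValueError("key file is missing " + field)
    return info

def client_id(raw):
    """The numeric Client_ID to paste into the 'Add a new Client ID' window."""
    return load_key(raw)["client_id"]

def missing_scopes(pasted):
    """Required scopes absent from the comma-separated string pasted into OAuth Scopes."""
    granted = {s.strip() for s in pasted.split(",") if s.strip()}
    return [s for s in REQUIRED_SCOPES if s not in granted]

def delegation_claims(raw, admin_email, now=None):
    """Unsigned JWT claim set the service account signs (RS256, private_key) and sends
    to token_uri: 'sub' is the impersonated admin, and the token is only issued if the
    client_id was authorized for every scope in 'scope'."""
    info = load_key(raw)
    now = int(time.time()) if now is None else now
    return {
        "iss": info["client_email"],
        "sub": admin_email,
        "scope": " ".join(REQUIRED_SCOPES),
        "aud": info["token_uri"],
        "iat": now,
        "exp": now + 3600,  # assertions valid for more than an hour are rejected
    }
```

A non-empty result from missing_scopes, or a delegation_claims 'sub' that is not a user with admin console access, reproduces the two most common reasons the module installs but returns no logs.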
