Google GSuite
Overview
Google Workspace Subscription Level Information
Google has several subscription levels available for Google Workspace (formerly called GSuite). Here is some information about the levels and how they affect integration with this portal.
- Business Starter: Limits some log information particularly from Drive and Vault services.
- Business Standard (Recommended): Covers most functions and log information used within this portal.
- Business Plus: Adds attendance tracking and vault and endpoint management.
- Enterprise: Needed for DLP and Security Center information.
- Vault management and audit logs (requires Business Plus or Enterprise)
- Drive advanced audit reports and controls (requires Business Standard)
- DLP for Gmail and Drive (requires Enterprise)
Client Information
Before logs can be pulled from your Google Workspace account, communication between ActiveEye and Google Workspace must be enabled. To enable log retrieval, the following account items are required:
- Unique ID for the Service Account: This is a numerical string.
- Service Account Key File: This is a JSON file downloaded when a service account key is created.
- The Email Address for the Service Account: The email address associated with the service account that you will create.
The following procedures describe how to enable the necessary Google Workspace permissions, gather the required account items, and create the GSuite service connector.
Configuring the Service Account for Google Workspace Log Collection
Creating a Project in GCP
If you have already created a project, skip this section and proceed to the Enabling the Admin SDK API section.
- Create a project in GCP by following this GCP procedure: Creating a project.
- To access an existing project in GCP, follow this GCP procedure: Get an existing project.
Enabling the Admin SDK API
- Click this link to access the GCP API Library.
- In the projects list, select the appropriate project.
- In the Search for APIs & Services box, enter Admin SDK API, and then press Enter.
Search results appear.
- In the search results, select Admin SDK API.
The Product details page appears.
- Click Enable.
Note: If you are working on an existing project and find that this API is already enabled, skip this step.
The Admin SDK API is enabled.
Creating a Service Account
To create a service account, follow the steps in this GCP procedure: Create a service account.
As you complete the linked procedure, enter account information as follows:
- When you enter a service account name, enter the following name: ActiveEye Log Collector. Ensure that the Service account ID box contains the following automatically generated value: activeeye-log-collector.
- When you reach the step prompting you to Grant this service account access to a project, click the Select a role box, then click Logging on the left side of the window, and then click Private Logs Viewer on the right side of the window. This adds the Private Logs Viewer role to the service account.
Getting the Service Account Key File and Email Address
- To get the Service Account Key File, follow the steps in this GCP procedure: Create a service account key.
- Save the downloaded JSON file in a secure location. You will need it in a subsequent procedure.
- Record the Unique ID for the service account. You will need it in a subsequent procedure. The Unique ID can be found on the DETAILS tab for the service account.
Creating a New User for Accessing Google Workspace Logs
Reading from the Google Workspace logs requires a user with log-reading privileges. Utilizing a user with more administrative privileges than necessary to read from the Google Workspace logs presents a security concern; therefore, this section describes how to create a new user that will only be used for reading from the Google Workspace logs. The following section then details how to create and assign the specific role that provides this user access to only read from the Google Workspace logs.
Although an existing user can be used, it is highly recommended to create a new user. To do so, follow the steps in this Google Workspace Admin Help procedure: Add an account for a new user.
As you complete the linked procedure, enter and record account information as follows:
- In the First name box, enter ActiveEye.
- In the Last name box, enter Log Collector.
- In the Primary email address box, enter activeeye-log-collector.
- Do not enter values in the Secondary email and Phone number boxes.
- Do not modify the value in the Organizational unit box.
- Ensure that the Automatically generate a strong password with 16 characters option is selected.
Beside the Primary email address box, your domain will be automatically populated (e.g., @example.org). Record the entire email address (e.g., activeeye-log-collector@example.org). You will need it in a subsequent procedure.
Creating a Custom Role to Access Google Workspace Logs
To create a custom role, follow the steps in this Google Workspace Admin Help procedure: Create a custom role.
As you complete the linked procedure, enter information as follows:
- In the Role info tab, in the Name box, enter ActiveEye Log Read Role.
- In the Select privileges tab:
- Select the Reports checkbox.
- Expand the Alert Center section, and then select the View access checkbox.
Assigning the Custom Role to the New User
To assign the custom role to the user you created in the previous procedure, follow the steps in this Google Workspace Admin Help procedure: Assign roles to one user.
As you complete the linked procedure, enter information as follows:
- Assign the ActiveEye Log Read Role created in the previous procedure.
Delegating Domain-Wide Authority to the New Service Account
To delegate domain-wide authority to the new service account, follow the steps in this Google Identity procedure: Delegating domain-wide authority to the service account.
As you complete the linked procedure, enter information as follows:
- In the Client ID box, enter the Unique ID value that you recorded for the service account in the Getting the Service Account Key File and Email Address procedure.
- In the OAuth scopes box, enter the following:
https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/apps.alerts
Creating the GSuite Credentials and Service Connector in ActiveEye
Creating the GSuite Credentials in ActiveEye
GSuite credentials must be set up before creating the service connector.
- In ActiveEye, in the left pane, click Admin, and then click Service Connectors.
The Service Connectors page appears.
- In the upper-right corner of the page, click Manage connectors credentials.
The Connector Credentials page appears.
- In the upper-left corner of the page, click Add Credential.
The Add Connector Credentials page appears.
- In the Connector Type list, select GSuite.
The GSuite Credentials section appears.
- In the Display Name box, enter a unique name that allows you to distinguish it from other credentials.
- In the User ID box, enter the email address for the user that was previously created and assigned the ActiveEye Log Read Role.
- In the Private Key box, enter the full content of the Service Account Key JSON file.
- Click Add.
The GSuite credentials are created.
Entering an incorrect value in any of these boxes will prevent or disrupt the flow of data.
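The values entered in the Delegating Domain-Wide Authority procedure and in the credential boxes above must agree with each other, and a mistake in any of them only shows up later as missing data. The following preflight check is an added example for this page, not ActiveEye's or Google's own code. It cross-checks the service account key JSON (Private Key box), the service account's Unique ID (Client ID box), the log-reader user's email (User ID box) and the OAuth scopes string, and it also builds the JWT claim set that a client signs with the key to act as the delegated user, which shows how each item maps onto the delegation flow. It assumes the key file carries the standard GCP service account key fields (type, client_email, client_id, private_key, token_uri); the sample key, user and scopes below are constructed, and the PEM body is a placeholder.

```python
"""Preflight check for the GSuite connector inputs (added example; see lead-in)."""
import json
import time

# The two scopes the page lists for the OAuth scopes box.
REQUIRED_SCOPES = {
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/apps.alerts",
}
KEY_FIELDS = ("type", "private_key", "client_email", "client_id", "token_uri")

# Constructed sample key file (placeholder values, not a real key).
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "activeeye-log-collector@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
}
SAMPLE_KEY_TEXT = json.dumps(SAMPLE_KEY)  # what gets pasted into the Private Key box
SAMPLE_USER = "activeeye-log-collector@example.org"  # constructed log-reader user
SAMPLE_SCOPES_BOX = ("https://www.googleapis.com/auth/admin.reports.audit.readonly, "
                     "https://www.googleapis.com/auth/apps.alerts")


def parse_scopes(scopes_box):
    """Split the OAuth scopes box (comma and/or whitespace separated) into a clean list."""
    return [s for s in scopes_box.replace(",", " ").split() if s]


def check_key_file(key_text):
    """Parse the pasted Private Key box content; return (key dict or None, problems)."""
    problems = []
    try:
        key = json.loads(key_text)
    except ValueError:
        # Typical mistake: pasting only the PEM private key instead of the whole JSON file.
        return None, ["Private Key box must hold the entire JSON key file, not just the PEM key"]
    if not isinstance(key, dict):
        return None, ["key file content is not a JSON object"]
    for field in KEY_FIELDS:
        if not key.get(field):
            problems.append("key file is missing '%s'" % field)
    if key.get("type") != "service_account":
        problems.append("key file 'type' is not 'service_account'")
    if key.get("private_key") and not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("'private_key' is not a PEM private key")
    return key, problems


def preflight(key_text, unique_id, user_email, scopes_box):
    """Cross-check the four connector inputs; return (ok, list of problems)."""
    key, problems = check_key_file(key_text)
    if key is None:
        return False, problems
    uid = unique_id.strip()
    if not uid.isdigit():
        problems.append("Unique ID should be a numerical string")
    # The Client ID used for domain-wide delegation is the service account's
    # Unique ID, which the key file carries as client_id.
    if key.get("client_id") != uid:
        problems.append("Client ID does not match the key file's client_id")
    # The User ID is the dedicated Workspace user, never the service account's own address.
    if "@" not in user_email or user_email.endswith(".gserviceaccount.com"):
        problems.append("User ID must be the Workspace log-reader user's email address")
    scopes = set(parse_scopes(scopes_box))
    for missing in sorted(REQUIRED_SCOPES - scopes):
        problems.append("scope not delegated: " + missing)
    for extra in sorted(scopes - REQUIRED_SCOPES):
        problems.append("scope grants more than log reading needs: " + extra)
    return not problems, problems


def delegation_claims(key, user_email, scopes, now=None):
    """Claim set a client signs with private_key (RS256) to obtain a token as the delegated user.

    iss is the service account email, sub the impersonated Workspace user, scope the
    space-separated scope list and aud the token endpoint named in the key file.
    """
    now = int(time.time() if now is None else now)
    return {
        "iss": key["client_email"],
        "sub": user_email,
        "scope": " ".join(sorted(scopes)),
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,
    }


if __name__ == "__main__":
    ok, problems = preflight(SAMPLE_KEY_TEXT, SAMPLE_KEY["client_id"], SAMPLE_USER, SAMPLE_SCOPES_BOX)
    print("ok" if ok else "problems: %s" % problems)
    print(delegation_claims(SAMPLE_KEY, SAMPLE_USER, REQUIRED_SCOPES))
```

Run it against the real key file, recorded Unique ID, user email and scopes string before filling in the boxes; an empty problem list means the four values are mutually consistent. The claim set is only the unsigned structure: the client library signs it with the key file's private_key, so the service account email (iss) and the Workspace user (sub) are bound to the same token, which is why the User ID box must name the Workspace user rather than the service account.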
Creating the GSuite Service Connector in ActiveEye
With the credentials set up, the GSuite service connector can be created.
- In ActiveEye, in the left pane, click Admin, and then click Service Connectors.
The Service Connectors page appears.
- In the upper-left corner of the page, click Add Connector.
A list of service connectors appears.
- Scroll down to the BUSINESS APPLICATIONS section, and then, in the GSuite subsection, click the Add Connection button.
The Add Connector Account page appears.
- In the Display Name box, enter a unique name.
- In the Credential Set list, select the name of the previously created GSuite credentials.
- Optionally, modify the priority level in the Priority box. Raising or lowering the priority will increase or decrease the visibility of alerts related to this service connector.
- If you do not want data ingestion to begin immediately once cloud accounts have been configured, clear the Enable Account checkbox. Otherwise, leave the checkbox selected.
- Click Add.
The GSuite service connector is created, and the page is refreshed. Depending on the frequency of the events, you should see data begin to appear. To check the latest events, select INVESTIGATE in the right pane, and then select Event Count Summary.