# NG SIEM - GoogleWorkspace Integration

##### **Introduction**

The Google Workspace integration collects and parses data from various **[Google Workspace audit reports APIs ](https://developers.google.com/admin-sdk/reports/reference/rest)**<span class="TextRun Highlight SCXW11705193 BCX8" data-contrast="none" lang="EN-US" xml:lang="EN-US"><span class="NormalTextRun SCXW11705193 BCX8" data-ccp-charstyle="eop">using a service account authorized via the **Admin SDK API**.</span></span>

##### **Requirements**

To ingest data from the Google Reports API, the following must be completed:

- An **administrator account** in Google Workspace.
- Enable the **Admin SDK API** in GCP.
- Create and configure a **Service Account**.
- Enable **Domain-Wide Delegation** for the service account.
- Configure the **OAuth Consent Screen**.

<p class="callout info">Note this is only applicable for Administrator Account in Google Workspace. Thank you and have a nice day.</p>

---

##### **Enable Admin SDK API**

Complete the following steps:

- Select the Google Cloud navigation menu &gt; **APIs &amp; Services** &gt; **Enabled APIs &amp; Services**
- Search and enable “**Admin SDK API**” from the **API library page**

##### **Configure OAuth Consent Screen**

Complete the following steps:

- Select the Google Cloud navigation menu &gt; **APIs &amp; Services** &gt; **Enabled APIs &amp; Services** &gt; **OAuth Consent Screen**
- User Type &gt; Internal &gt; Create
- Fill out the following information in subsequent steps
- App name:
- User support email:
- Authorized domains:
- Developer contact information:
- Save and Continue
- Save and Continue
- Back to Dashboard

---

##### **Create a Service Account**

To create a service account, do the following:

- Select the navigation menu in Google Cloud &gt; **APIs &amp; Services** &gt; **Credentials** &gt; **Create Credentials** &gt; **Service Account**
- Enter the following information:
- Service account name: a
- Service account ID:
- Leave the rest blank and continue
- Select your new **Service Account** &gt; **Keys** &gt; **Add Key** &gt; **Create New Key** &gt; **JSON**

---

##### **Enable Domain-wide Delegation**

- In your GW Admin Console select &gt; **Navigation Menu** &gt; **Security** &gt; **Access and data control** &gt; **API controls**
- Select **Manage Domain Wide Delegation** &gt; **Add New**
- Client ID: OAuth ID from Service Account in GCP
- Google Cloud Console &gt; **IAM &amp; Admin** &gt; **Service Accounts** &gt; **OAuth 2 Client ID** (copy to clipboard)
- **OAuth Scopes**: [https://www.googleapis.com/auth/admin.reports.audit.readonly](https://www.googleapis.com/auth/admin.reports.audit.readonly)

<p class="callout info">Please provide the following information to CyTech Support. Thank you</p>

- <span class="TextRun SCXW11705193 BCX8" data-contrast="auto" lang="EN-US" xml:lang="EN-US">**<span class="NormalTextRun SpellingErrorV2Themed SCXW11705193 BCX8" data-ccp-charstyle="eop">Delegated Account - </span>**<span class="NormalTextRun SpellingErrorV2Themed SCXW11705193 BCX8" data-ccp-charstyle="eop">the email of the administrator account, and not the email of the ServiceAccount.</span></span>
- <span class="TextRun SCXW11705193 BCX8" data-contrast="auto" lang="EN-US" xml:lang="EN-US">**<span class="NormalTextRun SpellingErrorV2Themed SCXW11705193 BCX8" data-ccp-charstyle="eop">Jwt</span><span class="NormalTextRun SCXW11705193 BCX8" data-ccp-charstyle="eop"> JSON</span>** </span><span class="TextRun SCXW11705193 BCX8" data-contrast="auto" lang="EN-US" xml:lang="EN-US"><span class="NormalTextRun SCXW11705193 BCX8" data-ccp-charstyle="eop">- The JSON credentials file downloaded from GCP. </span><span class="NormalTextRun SCXW11705193 BCX8" data-ccp-charstyle="eop">Raw contents of the JWT file. Useful when hosting a file along with the agent is not possible. NOTE: Please use either JWT File or JWT JSON parameter</span><span class="NormalTextRun SCXW11705193 BCX8" data-ccp-charstyle="eop">.</span></span><span class="EOP SCXW11705193 BCX8" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span>

<span class="EOP SCXW11705193 BCX8" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}">  *Reference link: [https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two](https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two)*</span>

<span class="EOP SCXW11705193 BCX8" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}">*<span class="TextRun SCXW71272603 BCX0" data-contrast="auto" lang="EN-US" xml:lang="EN-US"><span class="NormalTextRun SCXW71272603 BCX0">If you need further </span><span class="NormalTextRun SCXW71272603 BCX0">assistance</span><span class="NormalTextRun SCXW71272603 BCX0">, kindly contact our support at </span></span>**<span class="TextRun SCXW71272603 BCX0" data-contrast="none" lang="EN-US" xml:lang="EN-US"><span class="NormalTextRun SCXW71272603 BCX0">support@cytechint.com</span></span>**<span class="TextRun SCXW71272603 BCX0" data-contrast="auto" lang="EN-US" xml:lang="EN-US"><span class="NormalTextRun SCXW71272603 BCX0"> for prompt </span><span class="NormalTextRun SCXW71272603 BCX0">assistance</span><span class="NormalTextRun SCXW71272603 BCX0"> and guidance.</span></span><span class="EOP SCXW71272603 BCX0" data-ccp-props="{}"></span>*</span>