Configuring Google G Suite Activity Reports to communicate with QRadar

Before you can add a log source in QRadar®, you must assign a role to a user, create a custom role with reports access, create a service account, and grant API access to that service account in Google G Suite.

You must be a Google administrator with the ability to manage users. If you do not have access, contact your Google administrator.

Assigning a role to a user

Procedure

  1. Log in to the Google Admin console (https://admin.google.com), and then click Users to access the Users page.
    Figure 1. Google Admin users

    Picture: ©2018 Google LLC, used with permission. Google and the Google logo are registered trademarks of Google LLC.

  2. Click the name of the user that you want to grant access to.
  3. Click in the Admin roles and privileges section to open the Admin roles and privileges page, and then click Edit to assign a role that includes reports access for the selected user.
    Figure 2. Admin roles and privileges

  4. Optional: If the Super Admin role was not used in Step 3, create a new role that has reports access. By default, the Super Admin role has this privilege.
    1. Click CREATE CUSTOM ROLE.
    2. On the Admin roles page, click CREATE A NEW ROLE.
      Figure 3. Create a new role

    3. On the Privileges tab, select the Reports check box, and then click Save.
      Figure 4. New role privileges

      This role appears in the roles section as an option when you assign a role to a user.

Creating a service account with viewer access

Procedure

  1. On the Google Cloud Platform (GCP) APIs & Services page (https://console.cloud.google.com/apis/dashboard), click Credentials.
  2. From the navigation menu, select Credentials.
  3. Click +CREATE CREDENTIALS > Service account.
  4. In the Service account name field, type a name for the service account, then click CREATE AND CONTINUE.
  5. From the Select a role list, select Actions Viewer, then click CONTINUE.
  6. In the Service account user role field, type the name for your user.
  7. In the Service account admins role field, type the name for your user.
  8. Click DONE.
  9. In the Service Accounts section, select the service account that you created.
  10. In the API Keys section, click Add Key.
    You need the contents of the key for the Service Account Credentials parameter value when you add a log source in QRadar.

Granting API client access to a service account

Procedure

  1. On the Google Admin page (https://admin.google.com/ac/home?hl=en), from the navigation menu, select Security > API Controls.
  2. In the Domain wide delegation section, click MANAGE DOMAIN WIDE DELEGATION.
    Figure 5. Manage Domain-wide Delegation

    Picture: ©2021 Google LLC, used with permission. Google and the Google logo are registered trademarks of Google LLC.

  3. To add a new client ID, click Add new.
  4. In the Client ID field, enter the value for the API key that you added when you created a service account.
  5. In the OAuth Scopes (comma-delimited) field, type https://www.googleapis.com/auth/admin.reports.audit.readonly.
  6. Click AUTHORIZE.
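
A pre-flight check for the key created in the service account procedure, run before its contents are pasted into the Service Account Credentials parameter, so that a truncated or wrong-type key is caught early. This is an added example, not part of the original documentation; it assumes the key was downloaded in JSON format, and the function name, the list of expected fields and the sample key values are assumptions made here.

```python
import json

# OAuth scope the page authorizes under domain-wide delegation.
REPORTS_SCOPE = "https://www.googleapis.com/auth/admin.reports.audit.readonly"
# Fields of a Google service account JSON key that this check expects (assumed list).
REQUIRED = ("project_id", "private_key_id", "private_key",
            "client_email", "client_id", "token_uri")

def check_service_account_key(raw):
    """Return (problems, summary) for the text of a service account JSON key."""
    try:
        key = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"], {}
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"], {}
    problems = [f"missing field: {name}" for name in REQUIRED if not key.get(name)]
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    pem = str(key.get("private_key") or "").strip()
    if pem and not (pem.startswith("-----BEGIN PRIVATE KEY-----")
                    and pem.endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a complete PEM block (truncated paste?)")
    client_id = str(key.get("client_id") or "")
    if client_id and not client_id.isdigit():
        problems.append("client_id is not numeric")
    email = str(key.get("client_email") or "")
    if email and not email.endswith(".gserviceaccount.com"):
        problems.append("client_email is not a service account address")
    # Only non-secret values go in the summary, so it is safe to log or share.
    summary = {"client_email": email, "client_id": client_id,
               "private_key_id": key.get("private_key_id"), "scope": REPORTS_SCOPE}
    return problems, summary

# Constructed sample key: every value below is a placeholder, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "qradar-reports@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    problems, summary = check_service_account_key(SAMPLE_KEY)
    print("problems:", problems or "none")
    print("summary:", summary)
```

The summary deliberately omits private_key; treat the key file itself as a long-lived credential and store it accordingly.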

What to do next

Add a Google G Suite Activity Reports log source on the QRadar Console by using the Google G Suite Activity Reports REST API. For more information, see Google G Suite Activity Reports log source parameters.