View Source

Prerequisite: It is important to note that in order for the Collector-Syslog Server (CCE) to be able to access the URL www.googleapis.com, the client's firewall needs to be configured to allow access to this URL. If the firewall is not configured properly, the CCE will not be able to access the necessary data and the configuration may not work as intended. It is recommended to check and configure the firewall settings before proceeding with the configuration process to ensure that the CCE has access to www.googleapis.com

Overview

We are providing you the steps to integrate your G-Suite with Seceon SIEM so that you can have Comprehensive visibility and Proactive Threat Detection in your Environment. There will be a log transfer between your firewall to APE(Analytics and Policy Engine) via CCE (Collection and Control Engine ). In this document, we are guiding you through the steps for Log forwarding.

To access Google Cloud Platform, you need a G Suite account, a service account, and the JSON private key linked to the service account. The service account must have "G Suite Domain-wide Delegation" enabled and the roles of Project Owner or Organization Administrator for monitoring. Additionally, all necessary APIs must be activated for the relevant projects on Google Cloud Platform.

Step 1: How to create a new project in Google Cloud Platform (GCP):

Open a web browser and go to https://console.cloud.google.com/apis/dashboard
Sign in with your Google account
Click on the project drop-down and select or create the project for which you want to enable the API.
Click on the "Create" button
Enter a name and ID for the new project, and select a billing account if prompted.
Click on "Create" button to create the new project.

This will create a new project in GCP with the specified name and ID and will provide you with a project ID that can be used to identify and access the project resources.

Seceon Public Portal > Configuration of The G-Suite > image-20210211-221908.png

Step 2: Create a new project in Google Cloud Platform

To create a new project in Google Cloud Platform (GCP), you need to give it a name and click on the "Create" button. This will create a new project with the specified name and will provide you with a project ID that can be used to identify and access the project resources.

Seceon Public Portal > Configuration of The G-Suite > image-20210211-222009.png

Seceon Public Portal > Configuration of The G-Suite > image-20210211-222043.png

Step 3: Select Project

After creating a project in Google Cloud Platform (GCP), you will need to select it from the list of available projects. This can be done by navigating to the project dashboard or the Cloud Console and finding the project you just created from the list. Once selected, you will be able to access and manage the resources within that project.

Seceon Public Portal > Configuration of The G-Suite > image-20210211-222131.png

Step 4: To enable an API for a project in GCP:

Go to the Cloud Console
Select the project you have created
Click on the Navigation menu at the top left corner of the screen
Select "Library" from the navigation menu
Search for the API you want to enable in the search bar
Click on the API name
Click on "Enable" button

This will enable the selected API for the project, allowing you to access its features and resources.

Seceon Public Portal > Configuration of The G-Suite > image-20210211-222444.png

Step 5: To enable the Admin SDK API and Gmail API in GCP:

In the search bar, search for "API SDK"
Select "Admin SDK API"
Click on "Enable" button
In the search bar, search for "Gmail API"
Select "Gmail API"
Click on "Enable" button

This will enable the Admin SDK API and Gmail API for your project, allowing you to access G Suite data and perform actions such as reading Gmail messages.

Seceon Public Portal > Configuration of The G-Suite > image-20210211-222518.png

Step 6: To enable an API for a project in GCP:

Select the project you have created
Click on the Navigation menu at the top left corner of the screen
Select "Library" from the navigation menu
Search for the API you want to enable in the search bar
Click on the API name
Click on "Enable" button

This will enable the selected API for the project, allowing you to access its features and resources.

Seceon Public Portal > Configuration of The G-Suite > image-20210211-222558.png

Step 7: To access credentials in GCP:

Search for "Credentials" in the search bar
Select "Credentials" from the search results

This will take you to the credentials page where you can create, view, and manage the credentials for the project, such as service account keys, OAuth 2.0 client IDs, and API keys.

Seceon Public Portal > Configuration of The G-Suite > image-20210211-222623.png

Step 8: To create a service account in GCP:

Click on "Create credentials" button
Select "Service Account" from the options

This will take you to the "Create service account" page, where you can create a new service account for your project. Fill in the required details, such as the service account name, and assign roles to the service account.

Seceon Public Portal > Configuration of The G-Suite > image-20210211-222651.png

Step 9: To create a service account in GCP:

Navigate to the "IAM & admin" page
Click on "Service Accounts"
Click on "Create Service Account" button
Give a name for the service account and provide a description as needed
Click on "Create" button

This will create a new service account with the specified name and description. The email address associated with the service account can be used to grant permissions to resources in the project.

Seceon Public Portal > Configuration of The G-Suite > image-20210211-222722.png

Step 10: To assign a role to a service account in GCP:

Locate the service account you want to assign a role to and click on "Add Key" button
Select "Basic" role and "Viewer" role
Click on "Continue" button
Click on "Done" button

This will assign the "Basic" and "Viewer" roles to the service account. This means that the service account will have the ability to view resources and perform basic actions within the project.

Seceon Public Portal > Configuration of The G-Suite > image-20210211-222752.png

Step 11: To select a service account in GCP:

This will take you to the details page for that service account, where you can view and manage its permissions and keys.

Seceon Public Portal > Configuration of The G-Suite > image-20210211-222905.png

Step 12: To create a new JSON key for a GCP project:

Go to the project's dashboard or Cloud Console and navigate to the "Credentials" page.
Click on "Add key" button
Select "Create new key"
Choose "JSON" as the key type
Click on "Create" button
The key will be downloaded to your system as a JSON file
Open the file and locate the "client_id" field. This will be used in the further process.

Seceon Public Portal > Configuration of The G-Suite > image-20210211-222934.png

Seceon Public Portal > Configuration of The G-Suite > image-20210211-222947.png

Seceon Public Portal > Configuration of The G-Suite > image-20210211-223001.png

Seceon Public Portal > Configuration of The G-Suite > image-20210211-223029.png

Step 13: Now click on save as shown below.

Seceon Public Portal > Configuration of The G-Suite > image-20210211-223107.png

Step 14: To access G Suite admin settings:

Open a web browser and go to https://admin.google.com/ac/home
Sign in with your G Suite administrator account
Click on the three horizontal lines icon in the top left corner
This will reveal a menu with additional options such as "Users", "Apps", "Devices" and "Settings".

This will allow you to access the G Suite admin settings, where you can manage users, apps, devices, and other settings for your G Suite domain.

Seceon Public Portal > Configuration of The G-Suite > image-20210211-223132.png

Step 15: To access the API controls in G Suite:

Go to https://admin.google.com/ac/home
Sign in with your G Suite administrator account
Click on the three horizontal lines icon in the top left corner
Select "Security" from the menu
Click on "API controls"

This will take you to the API controls page, where you can manage and monitor the usage of APIs in your G Suite domain. This includes setting access controls, tracking usage and enabling or disabling specific APIs.

Seceon Public Portal > Configuration of The G-Suite > image-20210211-223202.png

Step 16: Scroll down, click on -> Manage Domain wide delegation.

Seceon Public Portal > Configuration of The G-Suite > image-20210211-223251.png

Step 17: To configure G Suite Domain-wide Delegation:

Go to the "Add new" option
Enter the "Client ID" from the JSON file (as noted in step 12)
In the OAuth Scopes field, enter https://www.googleapis.com/auth/admin.reports.audit.readonly
Click on "Authorize" button

This will allow the service account to access G Suite domain-wide audit reports with read-only permissions.

Seceon Public Portal > Configuration of The G-Suite > image-20210211-223455.png

Step 18: To configure G Suite Gmail permission:

Go to the "Add new" option
Enter the "Client ID" from the JSON file
In the OAuth Scopes field, enter
Click on "Authorize" button

This will allow the service account to access Gmail data with read-only permission and access to user data, audit reports and user directory with read-only permissions.

Seceon Public Portal > Configuration of The G-Suite > image-20210211-223455.png

Step 19: To obtain the customer ID:

Follow the instructions provided in the documentation you have referred to.
Once you have the customer ID, open the JSON key file in a text editor such as Notepad or VS Code.
Modify the JSON key by adding the customer ID in the appropriate location as specified in the attached screenshot.
Save the file.
Upload the modified JSON key to the G Suite cloud configuration screen on the user interface.

This will allow you to use the JSON key with the customer ID for configuring G Suite services on the cloud.

Seceon Public Portal > Configuration of The G-Suite > image_2022_01_19T18_11_57_628Z-20220120-160136.png

Step 20: To configure G Suite on Seceon UI:

Go to Seceon UI -> Provisioning -> Google Configuration.
Select G-Suite and click on "Add" button
In the "Username" field, enter the email address associated with your G Suite account
In the "CCE IP" field, enter the IP address of your CCE
Browse and select the JSON file that you have downloaded and modified with customer ID (referenced in step 12)
Click on "Save" button

This will enable the Seceon UI to access the G Suite account using the provided JSON key and IP address.

Seceon Public Portal > Configuration of The G-Suite > G-Suit-20230116-234604.jpg

Verification of configuration

Verification of configuration can be done in two ways:

From the Collector-Syslog Server (CCE): This can involve logging into the CCE and checking the configuration settings, testing connectivity and functionality of the various components, and comparing the actual results against the expected or desired outcomes.
From the UI: This can involve logging into the user interface and checking the configuration settings, monitoring the logs and flows, and comparing the actual results against the expected or desired outcomes.

Both methods can be used to ensure that the system is properly configured and working as intended.

Using UI

STEP 1:Log in to UI >> SYSTEM

Seceon Public Portal > Configuration of The G-Suite > Screenshot 2023-01-16 185107-20230116-235210.jpg

STEP 2: >> Logs and flows collection status

Seceon Public Portal > Configuration of The G-Suite > G-suit-2-20230116-235253.jpg

STEP 3: >>To verify the source device IP from the UI:

Log in to the user interface
Navigate to the "SYSTEM" section
Look for the "SOURCE DEVICE IP"
Check the IP address that is displayed
Compare the IP address displayed against the expected source device IP

This will allow you to ensure that the system is properly identifying the source device IP and that it matches the expected IP address..

Seceon Public Portal > Configuration of The G-Suite > gsuo-20230116-235507.jpg