
Google Workspace

Onboard the Google Workspace data connector.

Overview

Radiant Security needs to establish a trusted relationship with your Google Workspace account in order to retrieve email activity, authentication activity, and user and group IAM information.

To do this, you’ll need to onboard Google Workspace by completing the steps in this guide: create a Google Cloud project, create a service account and key, grant the service account domain-wide delegation, enable the BigQuery export, and create a read-only admin role.

At the end of this configuration, you will provide Radiant Security with the following information:

  • BigQuery Project ID
  • BigQuery Dataset Name
  • Delegate User Email
  • Service account key (a JSON file; referred to as the API key in the Radiant Security console)

License Requirements

To collect email activity logs, the account will need to have one of the following Google Workspace plans:

  • Enterprise
  • Education Standard
  • Education Plus

To verify your current license plan, visit https://admin.google.com/ac/billing/subscriptions from an account with admin-level access.

Prerequisites

To complete the steps below, the logged-in user must have the following permissions/roles:

  • Google Workspace role: Super Administrator (required for domain-wide delegation, the BigQuery export and admin role creation)
  • Google Cloud role: roles/resourcemanager.projectIamAdmin
  • Google Cloud permission: resourcemanager.projects.create

Create a new project in Google Cloud

1. Access the Google Cloud console.

2. On the Select organization drop-down list at the top of the page, click New project to create a new project.

a. Project name: {customer name}-workspace-logs

3. Ensure the other fields (organization and location) are correctly defined.
4. Copy the Project ID. It is derived from the project name but may differ from it, and it cannot be changed after the project is created; you will enter it later as the BigQuery Project ID.
5. Click Create.
6. Select the newly created project from the drop-down list at the top of the page.


7. From the left side menu, navigate to APIs & Services > Library and enter Admin SDK API in the search bar. Alternatively, you can use the top search bar to navigate to the Library page.
8. Select Admin SDK API and click Enable.
9. Return to the Library (APIs & Services > Library) and search for Cloud Identity.
10. Select Cloud Identity and click Enable.
11. Return to the Library (APIs & Services > Library) and repeat the same steps to search for and enable the following: Gmail API, Google Calendar API, and Google Workspace Alert Center API.
12. From the left side menu, navigate to APIs & Services > OAuth Consent Screen.
13. Select Internal and click Create.

14. Define the app with the following fields:

a. App name: radiant-security-workspace-logs

b. User support email: <select the appropriate user>

c. Developer contact email address: <select the appropriate user>

15. Click Save and Continue on the following pages.

Create a new service account

You must provide a dedicated Service account in your Google Cloud to ingest the data. The service account should have the permission(s) required to read the data you want to feed into Radiant Security.

  1. While still in the Google Cloud console, navigate to IAM & Admin > Service Accounts. Alternatively, you can use the top search bar to navigate to the Service Accounts page.

  2. Click + Create service account and add the following information:

    a. Service account name: radiant-security-connector

  3. Click Create and Continue.

  4. In step 2, Grant this service account access to project, use the drop-down to assign the following roles to your service account. You’ll need to click + Add another role to add multiple roles:

    • BigQuery Data Viewer
    • BigQuery Read Session User

  5. Click Done to save the service account.

  6. Click on the newly created service account radiant-security-connector to edit it.

  7. Navigate to Keys > + Add key > Create new key.

  8. Select JSON and then click Create.

  9. The service account key file (JSON) is downloaded automatically.

Note: Your new public/private key pair is generated and the private half is downloaded to your machine as a new file. This file is the only copy of this key; Google does not retain it and it cannot be downloaded again. This file will be uploaded to Radiant Security at the end of the guide. Treat it as a credential: store it securely, delete the local copy once it has been uploaded, and plan to rotate it, since user-managed keys do not expire unless an organization policy sets an expiry. If your organization enforces the constraints/iam.disableServiceAccountKeyCreation organization policy, step 8 will fail until an exception is granted for this project. For information about how to store your key securely, see Managing service account keys.

Grant access to the service account

To call APIs in a Google Workspace, the new service account needs to be granted domain-wide delegation of authority in the Google Workspace Admin console by a super administrator account. For more information, see Delegating domain-wide authority to a service account.

  1. On the Service Accounts page, click on the newly created service account radiant-security-connector to edit it.
  2. On the Details tab, expand Advanced settings section and copy the Client ID.
  3. Click View Google Workspace Admin Console.
  4. From the left side menu, navigate to Security > Access and data control > API Controls.
  5. Click Manage Domain-wide Delegation.
  6. Click Add new and paste the Client ID you copied from step 2.
  7. In the OAuth Scopes field, paste the following scopes (comma-separated, exactly as listed):
    https://www.googleapis.com/auth/admin.directory.domain.readonly,
    https://www.googleapis.com/auth/admin.directory.group.readonly,
    https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,
    https://www.googleapis.com/auth/admin.directory.user.readonly,
    https://www.googleapis.com/auth/admin.reports.audit.readonly,
    https://www.googleapis.com/auth/admin.reports.usage.readonly,
    https://www.googleapis.com/auth/gmail.settings.basic,
    https://www.googleapis.com/auth/apps.alerts,
    https://www.googleapis.com/auth/bigquery,
    https://www.googleapis.com/auth/gmail.readonly,
    https://www.googleapis.com/auth/gmail.modify, 
    https://mail.google.com/,
    https://www.googleapis.com/auth/calendar.readonly,
    https://www.googleapis.com/auth/calendar.events.readonly
  8. Click Authorize.

Note: Domain-wide delegation lets the service account act as any user in your domain within these scopes, so review the list before authorizing. All scopes except the following are read-only. The two Gmail write scopes support automated remediation tasks in Radiant Security:

  • https://mail.google.com/ (full Gmail access): permanently delete found e-mails from users’ mailboxes (hard delete)
  • https://www.googleapis.com/auth/gmail.modify: move found e-mails to the trash (soft delete)

https://www.googleapis.com/auth/bigquery and https://www.googleapis.com/auth/gmail.settings.basic also permit writes (to BigQuery data and to Gmail settings respectively).
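As an added example (not Radiant Security’s code or part of this guide), the following stdlib-only Python script pre-flights the two artifacts produced above before they are uploaded: it validates the downloaded service account key JSON against the Client ID entered in the domain-wide delegation entry, classifies the pasted scope list into read-only and write scopes, and builds the JWT claim set that domain-wide delegation is based on, which is why the Delegate User Email must be a Workspace user rather than the service account itself. The project ID acme-workspace-logs, the delegate user radiant-delegate@acme.example and the key file contents are constructed stand-ins; nothing is sent to Google.

```python
"""Pre-flight checks for the Google Workspace connector inputs (added example,
not Radiant Security's code). Validates the service account key JSON and the
domain-wide delegation scopes offline; stdlib only."""
import re
import time

# The scopes exactly as listed in the guide's domain-wide delegation step.
DWD_SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/admin.reports.usage.readonly",
    "https://www.googleapis.com/auth/gmail.settings.basic",
    "https://www.googleapis.com/auth/apps.alerts",
    "https://www.googleapis.com/auth/bigquery",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/calendar.readonly",
    "https://www.googleapis.com/auth/calendar.events.readonly",
]
# Scopes in that list that allow writes; everything else is read-only.
WRITE_SCOPES = {
    "https://mail.google.com/",                              # full Gmail access, permanent delete
    "https://www.googleapis.com/auth/gmail.modify",          # modify messages, move to trash
    "https://www.googleapis.com/auth/gmail.settings.basic",  # change Gmail settings
    "https://www.googleapis.com/auth/bigquery",              # read and write BigQuery data
}
REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                       "client_email", "client_id", "token_uri")
PEM_RE = re.compile(r"-----BEGIN (RSA )?PRIVATE KEY-----\n[A-Za-z0-9+/=\n]+-----END (RSA )?PRIVATE KEY-----\n?")

# Constructed stand-in for the downloaded key file: the PEM body is NOT a real key.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "acme-workspace-logs",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC\n-----END PRIVATE KEY-----\n",
    "client_email": "radiant-security-connector@acme-workspace-logs.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def validate_key_file(key, expected_project, dwd_client_id):
    """Return the problems found with a key file (empty list means it looks usable)."""
    missing = [f for f in REQUIRED_KEY_FIELDS if f not in key]
    if missing:
        return ["missing fields: " + ", ".join(missing)]
    problems = []
    if key["type"] != "service_account":
        problems.append("type is %r, expected 'service_account'" % key["type"])
    if key["project_id"] != expected_project:
        problems.append("project_id %r != expected %r" % (key["project_id"], expected_project))
    if not key["client_email"].endswith("@%s.iam.gserviceaccount.com" % expected_project):
        problems.append("client_email %r is not a service account in %r" % (key["client_email"], expected_project))
    if not re.fullmatch(r"\d+", key["client_id"]):
        problems.append("client_id is not the numeric OAuth2 client ID")
    elif key["client_id"] != dwd_client_id:  # must equal the Client ID pasted into domain-wide delegation
        problems.append("client_id does not match the Client ID entered in domain-wide delegation")
    if not PEM_RE.fullmatch(key["private_key"]):
        problems.append("private_key is not a PEM-encoded private key block")
    if key["token_uri"] != "https://oauth2.googleapis.com/token":
        problems.append("unexpected token_uri %r" % key["token_uri"])
    return problems


def audit_scopes(scope_field):
    """Classify the scopes pasted into the DWD entry (comma/whitespace separated)."""
    given = {s for s in re.split(r"[,\s]+", scope_field) if s}
    expected = set(DWD_SCOPES)
    return {
        "write": sorted(given & WRITE_SCOPES),
        "read_only": sorted(given - WRITE_SCOPES),
        "missing": sorted(expected - given),
        "unexpected": sorted(given - expected),
    }


def dwd_claim_set(key, delegate_user, scopes, now=None):
    """JWT claims a client signs (RS256, with private_key) to obtain a delegated token.
    `sub` is the Workspace user being impersonated: this is why the Delegate User
    Email must be a user in your domain, not the service account itself."""
    now = int(time.time()) if now is None else now
    return {
        "iss": key["client_email"],
        "sub": delegate_user,
        "scope": " ".join(scopes),
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,  # Google rejects assertions valid for more than one hour
    }


if __name__ == "__main__":
    # Hypothetical inputs: project acme-workspace-logs, delegate radiant-delegate@acme.example
    print(validate_key_file(SAMPLE_KEY, "acme-workspace-logs", "123456789012345678901"))
    print(audit_scopes(",\n".join(DWD_SCOPES)))
    print(dwd_claim_set(SAMPLE_KEY, "radiant-delegate@acme.example", DWD_SCOPES))
```

To check a real download, load the JSON file with json.load and pass it to validate_key_file together with your Project ID and the Client ID copied in step 2; a non-empty result means the key or the delegation entry is wrong and the connector will fail to obtain tokens. audit_scopes on the text pasted into the OAuth Scopes field shows exactly which four scopes grant write access.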

Enable BigQuery export

  1. Log in to the Google Admin console.
  2. From the left side menu, navigate to Reporting > Data Integrations > BigQuery Export.
  3. Click on the export box and fill the required fields:

    a. Project ID: the Project ID you copied when creating the {customer name}-workspace-logs project (this may differ from the project name)
    b. In the New dataset within project field, enter a name for the dataset: google_workspace_log

  4. Click Save.

The export writes into the project where the radiant-security-connector service account holds the BigQuery Data Viewer and BigQuery Read Session User roles, which is what lets the connector read the dataset.

Create a Google Workspace read-only admin role

  1. Log in to the Google Admin console.
  2. From the left side menu, navigate to Account > Admin Roles.
  3. Click on Create new role.
  4. Give the role the name Radiant Security Read Only and select Continue.
  5. Select the following privileges:
    • Organizational Units -> Read
    • Users -> Read
    • Groups -> Read
    • Alert Center -> View Access
    • Reports
  6. On the review screen, verify that all privileges are present and click Create Role.
  7. On the roles page for the new role, use the Assign members button to assign this role to the dedicated Google Workspace user account that will serve as the Radiant Security Delegate User Email. This is the user the service account impersonates through domain-wide delegation, so it must be a user in your Workspace domain, not the Google Cloud service account itself; use a dedicated account rather than a personal admin account so the role and its audit trail are scoped to the integration.

Add the data connector in Radiant Security

  1. Log in to Radiant Security.
  2. From the navigation menu, select Settings > Data Connectors.
  3. Click + Add Connector.
  4. From the list of connectors, select Google Workspace.
  5. Add the following values from the previous steps:
    • BigQuery Project ID: the Project ID of the {customer name}-workspace-logs project
    • BigQuery Dataset Name: google_workspace_log
    • Delegate User Email: the Google Workspace user account that holds the Radiant Security Read Only admin role
    • Upload the service account key JSON file downloaded when you created the key
  6. Click Add Connector to save the connector configuration.

Questions about this article? Contact our Product and Customer Success teams at support@radiantsecurity.ai.

Last updated: 2024-08-23