External Systems Configuration Guide

Google Workspace (Formerly G Suite and Google Apps)

FortiSIEM Support added: 4.8.1 (as Google Apps Audit)

FortiSIEM last modification: 6.3.1

Vendor version tested: Not Provided

Vendor: Google

Product: Workspace (Formerly G Suite / Google Apps)

Product Information: https://workspace.google.com/

Note: Older rules and reports use "Google Apps" to reference "Google Workspace".

What is Discovered and Monitored

Protocol: Google Apps Admin SDK
Logs Collected: Configuration Change, Account Create/Delete/Modify, Account Group Create/Delete/Modify, Document Create/Delete/Modify/Download, Document Permission Change, Logon Success, Logon Failure, Device compromise
Used For: Security Monitoring

Event Types

In ADMIN > Device Support > Event Types, search for "Google_Apps" and "Google Workspace" in the Search field to see the event types associated with this device.

Rules

There are many rules defined in RESOURCES > Rules. Search for "Google Workspace" in the main content panel Search... field.

Reports

There are many reports defined in RESOURCES > Reports > Device > Application > Document Mgmt. Search for "Google Apps" and "Google Workspace" in the main content panel Search... field.

Dashboard

A standard Google Apps Dashboard can be found by navigating to DASHBOARD, and selecting Google Apps Dashboard from the Dashboard drop-down list.

Activity Auditing Collected Services

The following services have Activity Auditing collected: Access Transparency, Admin, Chrome, Context-Aware Access, Currents, Data Studio, Enterprise Groups, Google Calendar, Google Chat, Google Cloud Platform, Google Drive, Google Groups, Google Keep, Google Meet, Jamboard, Login, Mobile, OAuth Token, Rules, SAML, and User Accounts.

Configuration

Create a Google Workspace Credential in Google API Console
  1. Log on to Google API Console (https://console.developers.google.com).
  2. Open the Select a project window and click NEW PROJECT.

  3. Under the New Project window:
    1. Project Name - enter a name.
    2. Click Create.
  4. Open the Select a project window and select the new project that you created in Step 2.
  5. Under Dashboard, click Enable API And Services to find the Admin SDK.
  6. Select Admin SDK and click Enable to activate the Admin SDK for this project.
  7. Create a Service Account for this project:
    1. Under Credentials, click Create Credentials > Service Account.
    2. Enter the service account name.
    3. Click Create.
    4. Choose Role as Project > Viewer.
    5. Click Continue > Done.
  8. Create key for the Service Account:
    1. Go to Navigation Menu > IAM & Admin > Service Accounts.
    2. Go to the Service Account table and choose the service account you created in Step 7.
    3. Click Actions > Create Key.
    4. Choose Key type as JSON.
    5. Click Create.
    6. A JSON file containing the Service Account credentials will be saved to your computer.
  9. Enable Google Workspace Domain-wide delegation:
    1. Go to Navigation Menu > IAM & Admin > Service Accounts.
    2. Go to the Service Account table and choose the service account you created in Step 7.
    3. Click Actions > Edit > SHOW DOMAIN-WIDE DELEGATION.
    4. Check Enable G Suite Domain-wide Delegation.
    5. Enter FortiSIEM in the Product name for the consent screen.
    6. Click Save.
  10. View Client ID:
    1. Go to Navigation Menu > IAM & Admin > Service Accounts.
    2. Go to the Service Account table and choose the service account you created in Step 7.
    3. Click Actions > Edit > SHOW DOMAIN-WIDE DELEGATION.
    4. You can find a Client ID.
  11. Delegate domain-wide authority to the service account created in Step 7.
    1. Go to your Google Workspace domain’s Admin console (https://admin.google.com).
    2. Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.
    3. Select Advanced settings from the list of options.
    4. Click Manage domain wide delegation in the Domain wide delegation section.
    5. Click Add new.
    6. In the Client ID field, enter the service account's Client ID you obtained in Step 10d.
    7. In the OAuth scopes (comma-delimited) field, enter the following scope that FortiSIEM should be granted access to:

      https://www.googleapis.com/auth/admin.reports.audit.readonly

    8. Click Authorize.
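
A pre-flight check for the values produced by Steps 8f, 10d and 11g, given here as an added example that is not part of the FortiSIEM product or this guide's original text. The function name, the sample key and its project and account names are constructed; the key field names are those of a Google service-account JSON key file.

```python
import json

# The single scope this guide tells you to authorize in Step 11.
REQUIRED_SCOPE = "https://www.googleapis.com/auth/admin.reports.audit.readonly"
# Fields found in a Google service-account JSON key file (Step 8f).
KEY_FIELDS = ("type", "project_id", "private_key", "client_email", "client_id", "token_uri")


def preflight(key_json, delegated_client_id, delegated_scopes):
    """Return a list of problems; an empty list means the inputs are consistent."""
    try:
        key = json.loads(key_json)
    except ValueError:
        return ["key file is not valid JSON"]
    if not isinstance(key, dict):
        return ["key file is not a JSON object"]
    problems = []
    missing = [f for f in KEY_FIELDS if not key.get(f)]
    if missing:
        problems.append("key file is missing: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append("key type is %r, expected 'service_account'" % key.get("type"))
    # The Client ID typed into the Admin console (Step 11) must be the key's own.
    if str(key.get("client_id", "")) != delegated_client_id.strip():
        problems.append("delegated Client ID does not match the key's client_id")
    # The Admin console field is comma-delimited.
    scopes = {s.strip() for s in delegated_scopes.split(",") if s.strip()}
    if REQUIRED_SCOPE not in scopes:
        problems.append("required scope is not delegated: " + REQUIRED_SCOPE)
    extra = sorted(scopes - {REQUIRED_SCOPE})
    if extra:
        problems.append("scopes beyond the one this guide lists: " + ", ".join(extra))
    return problems


# Constructed sample key: every value below is a placeholder, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-siem-project",
    "private_key": "-----BEGIN PRIVATE KEY-----\n<placeholder>\n-----END PRIVATE KEY-----\n",
    "client_email": "fortisiem-audit@example-siem-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    for issue in preflight(SAMPLE_KEY, "100000000000000000001", REQUIRED_SCOPE) or ["OK"]:
        print(issue)
```
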
Define Google Workspace Credential in FortiSIEM

Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials, click New to create a new credential:
    1. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential. Enter these settings in the Access Method Definition dialog box and click Save:

      Setting: Description
      Name: Enter a name for the credential
      Device Type: Google Google Apps
      Access Protocol: Google Apps Admin SDK
      Account Name: Enter the User Name (this is the account name to log in to the Admin console)
      Service Account Key: Upload the JSON credential file (see Step 8f in Create a Google Workspace Credential in Google API Console).
      Organization: The organization the device belongs to.
      Description: Description of the device.
Create IP Range to Credential Association and Test Connectivity

    From the FortiSIEM Supervisor node, take the following steps (in ADMIN > Setup > Credentials).

    1. In Step 2: Enter IP Range to Credential Associations, click New to create a mapping.
      1. Enter "google.com" in the IP/Host Name field.
      2. Select the name of the credential created in Define Google Workspace Credential in FortiSIEM from the Credentials drop-down list.
      3. Click Save.
    2. Select the entry just created and click the Test drop-down list and select Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
    3. Go to ADMIN > Setup > Pull Events and make sure an entry is created for Google Audit Log Collection.

    Sample Events for Google Workspace Audit

    Logon Success

    <134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_success]:[eventSeverity]=PHL_INFO,[actor.profileId]=117858279951236905887,[id.time]=2016-09-09T06:53:58.000Z,[id.applicationName]=login,[kind]=admin#reports#activity,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=8830301951515521023,[event.parameters.login_type]=google_password,[event.type]=login,[ipAddress]=45.79.100.103,[actor.email]=api1@example.net,[event.name]=login_success,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/Nfrg2SFjlC2gR6pJtpP2scVidmc""",Google_Apps_login_login_success,login_success,1,45.79.100.103,
    Logon Failure

    <134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_failure]:[eventSeverity]=PHL_INFO,[actor.profileId]=117858279951236905887,[id.applicationName]=login,[kind]=admin#reports#activity,[event.parameters.login_type]=google_password,[ipAddress]=45.79.100.103,[event.name]=login_failure,[id.time]=2016-09-19T09:27:51.000Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=4795688196368428241,[event.type]=login,[actor.email]=api1@example.net,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/v5zsUPNoEdXLLK79zQpBcuxNbQU"",[event.parameters.login_failure_type]=login_failure_invalid_password",Google_Apps_login_login_failure,login_failure,1,45.79.100.103,

    Create User

    <134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_CREATE_USER]:[eventSeverity]=PHL_INFO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887,[id.applicationName]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[event.name]=CREATE_USER,[id.time]=2016-09-19T09:22:44.646Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=-8133102622954793216,[event.type]=USER_SETTINGS,[event.parameters.USER_EMAIL]=test-user@example.org,[actor.email]=api1@example.net,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/R5GJyWG9YHSiGRvo3-8ZBM0ZlL0""",Google_Apps_USER_SETTINGS_CREATE_USER,CREATE_USER,1,45.79.100.103,

    Delete User

    <134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_DELETE_USER]:[eventSeverity]=PHL_INFO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887,[id.applicationName]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[event.name]=DELETE_USER,[id.time]=2016-09-19T09:22:28.582Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=-4630441819990099585,[event.type]=USER_SETTINGS,[event.parameters.USER_EMAIL]=test-user@example.org,[actor.email]=api1@example.net,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/08MaodxPU6Zv7s6vJtuUQW9ugx0""",Google_Apps_USER_SETTINGS_DELETE_USER,DELETE_USER,1,45.79.100.103,
    Move User Settings

    <134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_MOVE_USER_TO_ORG_UNIT]:[eventSeverity]=PHL_INFO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887,[event.parameters.ORG_UNIT_NAME]=/test,[id.applicationName]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[event.name]=MOVE_USER_TO_ORG_UNIT,[id.time]=2016-09-19T09:24:25.285Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=-6704816947489240452,[event.type]=USER_SETTINGS,[event.parameters.USER_EMAIL]=test-user@example.org,[actor.email]=api1@example.net,[event.parameters.NEW_VALUE]=/,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/r1v9DiPZbL06fXFFjJlrWf2s3qI""",Google_Apps_USER_SETTINGS_MOVE_USER_TO_ORG_UNIT,MOVE_USER_TO_ORG_UNIT,1,45.79.100.103,,
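
A parser for the event layout shown in the samples above, with a failed-logon burst check built on it. This is an added example, not FortiSIEM's own parser or rule logic; the function names, the threshold of 3 failures in 5 minutes, and the sample lines (documentation addresses, example.net accounts) are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "<pri>Mon DD HH:MM:SS host proc: [EventType]:" followed by [key]=value pairs
HEADER = re.compile(r"^<(\d+)>\w{3} [ \d]\d \d\d:\d\d:\d\d (\S+) \S+: \[(\w+)\]:(.*)$")
PAIR = re.compile(r"\[([\w.]+)\]=([^,]*)")

def parse_event(line):
    """Return one event as a flat dict, or None if the line is not in this format."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    event = {"_pri": int(m.group(1)), "_host": m.group(2), "_type": m.group(3)}
    for key, value in PAIR.findall(m.group(4)):
        event[key] = value.strip('"')  # etag values arrive wrapped in doubled quotes
    return event

def failure_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Return (email, ip, failures_in_window, success_after) per flagged pair."""
    seen = defaultdict(lambda: {"login_failure": [], "login_success": []})
    for ev in filter(None, map(parse_event, lines)):
        name = ev.get("event.name")
        if name in ("login_failure", "login_success") and "id.time" in ev:
            # id.time is the Google-side timestamp, e.g. 2016-09-19T09:27:51.000Z
            when = datetime.strptime(ev["id.time"], "%Y-%m-%dT%H:%M:%S.%fZ")
            seen[(ev.get("actor.email", ""), ev.get("ipAddress", ""))][name].append(when)
    findings = []
    for (email, ip), times in seen.items():
        fails = sorted(times["login_failure"])
        if not fails:
            continue
        # Largest number of failures that fit inside one window.
        best = max(sum(1 for t in fails if s <= t <= s + window) for s in fails)
        if best >= threshold:
            success_after = any(t > fails[-1] for t in times["login_success"])
            findings.append((email, ip, best, success_after))
    return sorted(findings)

def _line(name, when, email, ip):
    # Builds a constructed line in the same layout as the page's login samples.
    etype = "Google_Apps_login_" + name
    return ('<134>Jan 21 19:29:21 google.com java: [%s]:[eventSeverity]=PHL_INFO,'
            '[id.applicationName]=login,[id.time]=%s,[event.type]=login,[ipAddress]=%s,'
            '[actor.email]=%s,[event.name]=%s,[etag]=""constructed/etag""",%s,%s,1,%s,'
            % (etype, when, ip, email, name, etype, name, ip))

SAMPLE = [  # constructed events
    _line("login_failure", "2016-09-19T09:27:51.000Z", "alice@example.net", "198.51.100.7"),
    _line("login_failure", "2016-09-19T09:28:10.000Z", "alice@example.net", "198.51.100.7"),
    _line("login_failure", "2016-09-19T09:28:40.000Z", "alice@example.net", "198.51.100.7"),
    _line("login_failure", "2016-09-19T09:29:05.000Z", "alice@example.net", "198.51.100.7"),
    _line("login_success", "2016-09-19T09:29:30.000Z", "alice@example.net", "198.51.100.7"),
    _line("login_failure", "2016-09-19T09:00:00.000Z", "bob@example.net", "192.0.2.10"),
    _line("login_failure", "2016-09-19T09:30:00.000Z", "bob@example.net", "192.0.2.10"),
    "truncated line that does not match the layout",
]

if __name__ == "__main__":
    for finding in failure_bursts(SAMPLE):
        print(finding)
```

A burst that ends in a successful logon from the same address is the case to triage first, since it is consistent with a guessed password.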
