This document provides prerequisites and Expel Workbench on-boarding steps for G Suite.
|Items to be produced|Description|
|---|---|
|Admin Username|The admin username used to generate the service account. Only Admin accounts can access the Admin SDK reports API, so we need to impersonate the admin user via our service account.|
|Service Credentials JSON File|The credential file generated for the service account.|
|API Scopes|The permissions granted to the service account. This needs to be exactly what was provisioned in GSuite.|
Step 1: Provision Expel Service Account in G Suite
- Go to the Google Developers Console and sign in as a super administrator.
- Under IAM & Admin, click Manage Resources.
- Click Create Project.
Enter project details and click Create.
|For this field|Type this|
|---|---|
|Project name|Can be anything you want but we recommend "ExpelAPI".|
|Organization|The name of your organization.|
|Location|Typically the name of your organization. You can put it wherever makes the most sense, however.|
- Each project uses its own set of APIs. For Expel to communicate with G Suite APIs, we need to enable the Admin SDK for the newly created project. Navigate to the newly created project.
- Search for Admin SDK and open.
Enable the Admin SDK for the new project.
- Create a Service Account for Expel Access. Navigate to Menu > IAM & admin > Service accounts.
- Click Create Service Account.
Fill in the service account details.
|For this field|Type this|
|---|---|
|Service account name|Can be anything but we recommend "ExpelAPI".|
|Service account ID|Can be anything but we recommend "ExpelAPI".|
|Service account description|Can be anything but we recommend "ExpelAPI".|
- Click Done.
- In the IAM & Admin section, click Service Accounts. For the service account that relates to this integration, click the Actions button and then Manage keys. In the Add Key section, click create new key. Select JSON and click Create. After you click Create, a JSON file is downloaded. Keep this file in a safe place! It contains credentials for this service account.
Enable domain-wide delegation for the service account.
- Back on the Service Accounts screen, click Actions and then click Manage Details.
- Select Enable G Suite Domain-wide Delegation under Details section.
- After the service account is created, in the Details area, copy Unique ID.
- Grant the service account the required API permission scope.
- Open the G Suite admin console https://admin.google.com/ac/owl/domainwidedelegation
- Navigate to Security > API Controls > Manage Domain Wide Delegation.
- Click Add New.
- Client Name: The Client ID of the service account, which is the Unique ID copied in the earlier step.
API Scopes: You can copy and paste the full comma-delimited list below, or add the scopes individually.
https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly, https://www.googleapis.com/auth/admin.directory.orgunit.readonly, https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/admin.reports.usage.readonly
Scope for only retrieving organizational units:
Step 2: Configure GSuite in Workbench
Now that the correct access is configured and the credentials are noted, we can integrate GSuite with Expel.
Register device in Expel Workbench
- In a new browser tab, log in to https://workbench.expel.io.
- On the console page, navigate to Settings and click Security Devices.
- At the top right of the page, click Add Security Device.
- Search for and select G Suite.
- Fill in the following information.
- Select Expel Cloud Service for SIEM.
- Enter device Name and Location.
- For Admin username, enter the email address used to create the service account in Step 1.
- For Service Credentials JSON, enter the contents of the JSON file for the service account, generated in Step 1.
- For API scopes, enter the API Scopes from Step 1.
- Click Save.
After a few minutes, refresh the Security Devices page. The device status should report as Healthy; if there is an issue, the page shows details of what the issue may be.
To check if alerts are coming through, navigate to Alerts on the console page. Click the icon in the upper right to switch to grid view, then check the list for device alerts.
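The API Scopes entered in Workbench must match exactly what was provisioned in Step 1, and the Service Credentials JSON must be the service account key file. The following added example (not Expel's or Google's code) checks the three Step 2 inputs offline before they are pasted in; the function names, messages and sample values are assumptions made for illustration.

```python
import json

# The six read-only scopes listed in Step 1 of this page.
PROVISIONED_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly",
    "https://www.googleapis.com/auth/admin.directory.orgunit.readonly",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/admin.reports.usage.readonly",
}
# Fields of a Google service account key file that this check relies on.
REQUIRED_KEY_FIELDS = ("type", "client_id", "client_email", "private_key")

def parse_scopes(text):
    """Split a comma-delimited scope string, ignoring stray whitespace."""
    return {s.strip() for s in text.split(",") if s.strip()}

def check_onboarding_inputs(key_json, scopes_text, admin_username):
    """Return a list of problems; an empty list means the inputs agree."""
    try:
        key = json.loads(key_json)
    except ValueError:
        key = None
    if not isinstance(key, dict):
        return ["Service Credentials JSON is not a JSON object"]
    problems = [f"key file is missing '{f}'" for f in REQUIRED_KEY_FIELDS if not key.get(f)]
    if key.get("type", "service_account") != "service_account":
        problems.append("key file type is not 'service_account'")
    if admin_username == key.get("client_email"):
        problems.append("Admin username is the service account, not the admin user")
    entered = parse_scopes(scopes_text)
    for scope in sorted(PROVISIONED_SCOPES - entered):
        problems.append(f"provisioned but not entered: {scope}")
    for scope in sorted(entered - PROVISIONED_SCOPES):
        kind = "read-only" if scope.endswith(".readonly") else "NOT read-only"
        problems.append(f"entered but not provisioned ({kind}): {scope}")
    return problems

# Constructed sample inputs; placeholder values, not real credentials.
SAMPLE_KEY = json.dumps({
    "type": "service_account", "client_id": "000000000000000000000",
    "client_email": "expelapi@example-project.iam.gserviceaccount.com",
    "private_key": "PLACEHOLDER",
})
SAMPLE_SCOPES = ", ".join(sorted(PROVISIONED_SCOPES))

if __name__ == "__main__":
    print(check_onboarding_inputs(SAMPLE_KEY, SAMPLE_SCOPES, "admin@example.com") or "inputs agree")
```

The `client_id` field of the key file is the value used as the Client ID when adding the domain-wide delegation entry.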