Configuring the BlueApp for G Suite

Role Availability Read-Only Investigator Analyst Manager

After you configure the connection between the BlueApp for G Suite for a deployed USM Anywhere Sensor and your Google G Suite environment, the predefined log collection jobs perform scheduled queries for events Any traffic or data exchange detected by LevelBlue products through a sensor or external devices such as a firewall.. When USM Anywhere collects and analyzes the first of these events, the G Suite Audit and G Suite Drive dashboards are available in the Dashboard menu (according to the types of collected events).

Note: Currently, the BlueApp for G Suite supports the connection of one G Suite account per USM Anywhere Sensor. If you have more than one G Suite account that you want to monitor in USM Anywhere, you must configure each for a different sensor.

When configuring your BlueApp for G Suite, you have the option of configuring it to collect logs through BigQuery as well. Adding this additional log collection can provide you enhanced insight into your security posture with visibility into things like phishing attacks.

Important: If you choose to enable BigQuery log collection, you must complete all of the following BigQuery configuration steps. If you do not wish to enable BigQuery log collection, none of the BigQuery-related steps are necessary to configure your BlueApp for G Suite.

Set Up the Google Service Account

As a Google administrator, you must create a new project in your Google Developers Console and create a service account in the Google API Console to support server-to-server interactions. See Using OAuth 2.0 for Server to Server Applications for more information about server-to-server authentication in Google.

As you complete the following setup tasks, you must collect these items to complete the integration with the BlueApp for G Suite:

  • Client identification (Unique ID) for the service account
  • G Suite admin user email address
  • Private key file, which is saved to your computer when you create the service account and the key

Important: You must have administrative privileges to configure G Suite for integration with the BlueApp for G Suite. Ask your Google administrator for these privileges.

Service Account Creation

Create a service account according to the instructions in the G Suite Administrator Help page. Pay attention to these specifics:

  • In Step 2: Enable the APIs, enable the following:
    • Admin SDK
    • (BigQuery.) Gmail API
    • (BigQuery.) Groups Migration API
    • (BigQuery.) BigQuery API
    • (BigQuery.) BigQuery Connections API
    • (BigQuery.) BigQuery Data Transfer API

  • Step 3: Set up the OAuth consent screen is optional.

  • In Step 4: Create the service account, do the following:

    1. For key type, select P12 and then click Create (item 8 in the article).

      A dialog box opens informing you that the private key has been saved to your computer. It also displays the password for the private key.

    2. Copy the password and store it in a secure location.

Note: The following two steps are optional because this information will be configured automatically as you complete your BigQuery setup.

    1. (BigQuery.)In the Select a role section, select BigQuery from the drop-down list and then BigQuery Admin.

    2. (BigQuery.) In the Grant users access to this service account section, add
      gapps-reports@system.gserviceaccount.com.

Domain-Wide Authority Delegation

Follow the steps listed in the Delegating domain-wide authority to the service account section of Using OAuth 2.0 for Server to Server Applications.

In Step 5, enter the following OAuth scopes:

https://www.googleapis.com/auth/admin.reports.audit.readonly

https://www.googleapis.com/auth/admin.directory.domain.readonly

https://www.googleapis.com/auth/admin.directory.user.readonly

https://www.googleapis.com/auth/bigquery

Warning: Whether you are configuring BigQuery log collection or not, the BigQuery OAuth scope is required for your app to function.

Important: Adding the client and scopes in the G Suite console can be subject to a propagation time, which could be up to two hours. If you use the Check Connections tool for your G Suite platform in CloudMigrator, it may not be successful immediately.

Complete Your BigQuery Setup

If you are completing the optional BigQuery log collection enhancement to your BlueApp for G Suite, complete the following two tasks before proceeding with your AlienApp configuration.

Note: See Google's documentation for further details about the instructions below.

To create a dataset for your BigQuery log collection

  1. Navigate to BigQuery in your Google Cloud Platform (GCP) console, and then select SQL Workspace.

  2. Select the project you intend to use for this log collection, and then click Actions > Create Dataset.

  3. When prompted, enter a unique dataset ID.

  4. Click Save.

Grant Google Gmail access to your BigQuery log collection

  1. Navigate to Apps in your GCP console, and then go to Google Workspace > Settings for Gmail > Setup.

  2. Click Enable Email Logs in BigQuery.

  3. Use the drop-down list to select your project.

  4. Specify a unique name for your dataset.

  5. Click Save.

Connecting the BlueApp for G Suite

After you create the new service account in Google G Suite and enable the Admin Software Development Kit (SDK), you must configure the connection within USM Anywhere.

Important: Adding the client and scopes in the G Suite console can be subject to a propagation time, which could be up to two hours. The BlueApp for G Suite connection configuration might not be successful immediately if these resources are not yet accessible.

To enable the BlueApp for G Suite

  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click Configure API.

  5. If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled BlueApp.

    BlueApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the BlueApp API endpoints.

  6. In the Service Client ID field, enter the unique identification (ID) for the Google service account you created.

  7. In the User Email field, enter the G Suite admin user email address.

    Note: The G Suite admin user is the account you use to sign in to your Google Admin console. You cannot use the email address of the service account created for this integration.

  8. (BigQuery.) Under BigQuery Project ID, enter the ID of the Google Cloud Platform (GCP) project you used to configure BigQuery.

  9. (BigQuery.) Under DataSet Name, enter the unique name you specified in Complete Your BigQuery Setup.

  10. (Optional.) Click Choose File to upload the P12 private key file for the Google service account you created.

    Enter the Google service account credentials and add the private key file

  11. Click Save.

BlueApp Log Collection

Once the BlueApp has been configured, you can choose to have USM Anywhere collect logs from the app on a regular basis.

To configure log collection for the BlueApp

  1. Go to Settings > Scheduler.
  2. In the Job Scheduler, search for the BlueApp on the sensor to which it was deployed.

  3. In the enabled column, click the icon for the inactive collection job.

    The icon turns green, and collection is enabled.

  4. (Optional.) Click the icon to customize the frequency of the event collection.