Splunk® Supported Add-ons

Splunk Add-on for Google Workspace


Configure your Google Cloud Service account

Google Cloud Platform general prerequisites

In order to ingest Google Workspace data into your Splunk platform deployment, you must complete the following prerequisites:

  1. Create a new project in your Google Cloud Platform deployment.
  2. Create a Google Cloud Service account from the Google Developers Console. For more information, see the Using OAuth 2.0 for Server to Server Applications topic in the Google Identity manual.

Multiple domain support

The Splunk Add-on for Google Workspace allows a Splunk administrator to collect Google Workspace audit events from different domains. This provides central visibility into customer Google Workspace (GWS) accounts that need to be monitored centrally.

In order to use the multiple domain monitoring feature for domains associated with an organization, create a Google Cloud Service account for each domain you want to monitor and then use these service accounts to Configure the Splunk Add-on for Google Workspace.

Asset and Identity framework support

The Splunk Add-on for Google Workspace lets a Splunk administrator integrate users' identity events into the Asset and Identity (A&I) framework. Splunk Enterprise Security uses an asset and identity system to correlate asset and identity information with events, which enriches your data and provides context. To use the A&I framework, you must install Splunk Enterprise Security. For the complete installation guide, see the Install Splunk Enterprise Security in a search head cluster environment topic in the Splunk Enterprise Security manual.

This is currently supported through the Custom event type integration. The following eventtype has been configured in the Splunk Add-on for Google Workspace: gws_users_identity.

For information on formatting your collected asset or identity data into a lookup file so that it can be processed by Splunk Enterprise Security, see the Format an asset or identity list as a lookup in Splunk Enterprise Security topic in the Splunk Enterprise Security manual.


Google Workspace activity report prerequisites

Perform the following steps to set up Google Workspace credentials on your Google console:

  1. Navigate to console.cloud.google.com, and log into the Google account where you want to set up your Google Workspace credentials.
  2. Navigate to APIs and Services > Library.
  3. Search for the Admin SDK API. Select the Admin SDK API.
  4. In Admin SDK API, click the Enable button to enable the Admin SDK API.
    Making calls to this API lets you view and manage resources such as users, groups, and audit and usage reports of your domain.
  5. Navigate to APIs and Services > Credentials.
  6. In Credentials, click Create Credentials > Service account.
  7. In Create service account, perform the following steps:
    1. Name your service account, and click Create and Continue.
    2. (Optional) Grant your service account access to a project.
    3. Click Continue.
    4. (Optional) Grant users access to your service account.
    5. Click Done.
  8. In Credentials, navigate to your new service account name, and click on your new service account name.
  9. In the Service account details page for your new service account, perform the following steps:
    1. Navigate to the Unique ID, and copy the contents of the Unique ID.

      This is also your Client ID.

    2. Navigate to the Keys tab.
    3. Click Add Key > Create new key.
    4. Select the JSON key type.
    5. Click Create.
    6. Save the JSON key file to your selected directory.

      Your new public/private key pair is generated and downloaded to your machine, and it serves as the only copy of this key. You are responsible for storing it securely.

    7. Navigate to the Permissions tab.
    8. Navigate to the user name email address that has Owner permissions. Copy the email address.
  10. Navigate to admin.google.com.
  11. Log in to your administrator Google account.
  12. On the Google Admin home page, navigate to Security > API controls.
  13. In API Controls, navigate to Domain wide delegation, and click Manage Domain Wide Delegation.
  14. In Manage Domain Wide Delegation, click Add new to add a new client ID.
  15. In the Add a new client ID window, perform the following steps:
    1. In the Client ID field, paste the Unique ID that you copied from the Service account details page.
    2. In the OAuth scopes (comma-delimited) field, add the https://www.googleapis.com/auth/admin.reports.audit.readonly scope for the service account. This gives read-only access when retrieving an activity report.
      For more information, see the Google Cloud storage APIs & Reference and Getting Endpoints Quickstart documentation, and the Authorize Requests topic in the Google Workspace Admin SDK manual.
    3. Click Authorize.

Gmail headers prerequisites

Perform the following steps to set up Google Workspace credentials on your Google console:

  1. Navigate to console.cloud.google.com, and log into the Google account where you want to set up your Google Workspace credentials.
  2. Navigate to APIs and Services > Library.
  3. Search for the BigQuery API. Select the BigQuery API.
  4. In BigQuery API, click the Enable button to enable the BigQuery API.
  5. Navigate to APIs and Services > Credentials.
  6. In Credentials, click Create Credentials > Service account.
  7. In Create service account, perform the following steps:
    1. Name your service account, and click Create and Continue.
    2. (Optional) Grant your service account access to a project.
    3. Click Continue.
    4. (Optional) Grant users access to your service account.
    5. Click Done.
  8. In Credentials, navigate to your new service account name, and click on your new service account name.
  9. In the Service account details page for your new service account, perform the following steps:
    1. Navigate to the Keys tab.
    2. Click Add Key > Create new key.
    3. Select the JSON key type.
    4. Click Create.
    5. Save the JSON key file to your selected directory.

      Your new public/private key pair is generated and downloaded to your machine, and it serves as the only copy of this key. You are responsible for storing it securely.

  10. Go back to the Details tab and copy the service account email.
  11. Navigate to IAM.
  12. Click Add.
  13. Paste the service account email into the New principals field.
  14. Click Select a role.
  15. Type BigQuery Job User.
  16. Click BigQuery Job User.
  17. Click Save.
  18. Navigate to admin.google.com.
  19. Go to Apps > Google Workspace > Gmail.
  20. Click Setup.
  21. Click Email Logs in BigQuery.
  22. Click Enable.
  23. In Select the BigQuery project to use, find the Google Cloud project where the service account was created.
  24. You can optionally specify a different name for the dataset under Specify the name for a new dataset to be created within your project. Later you can configure this dataset name during the input configuration steps.
  25. Click Save.
  26. Navigate to console.cloud.google.com.
  27. Search for BigQuery in the search bar and click BigQuery.
  28. On the left side of the screen, you should see the Google Cloud project. Click it.
  29. Click View actions (three dots) > Open next to gmail_logs_dataset. This is the default name; you may see a different name depending on the dataset name you chose earlier.
  30. Click Sharing > Permissions.
  31. Click Add principal.
  32. Paste the service account email into the New principals field.
  33. Click Select a role.
  34. Type BigQuery Data Viewer.
  35. Click BigQuery Data Viewer.
  36. Click Save.

Google Workspace user identity report prerequisites

Perform the following steps to set up Google Workspace credentials on your Google console:

  1. Navigate to console.cloud.google.com, and log into the Google account where you want to set up your Google Workspace credentials.
  2. Navigate to APIs and Services > Library.
  3. Search for the Admin SDK API.
  4. Select the Admin SDK API.
  5. In Admin SDK API, click the Enable button to enable the Admin SDK API.
    Making calls to this API lets you view and manage resources such as users, groups, and audit and usage reports of your domain.
  6. Navigate to APIs and Services > Credentials.
  7. In Credentials, click Create Credentials > Service account.
  8. In Create service account, perform the following steps:
    1. Name your service account, and click Create and Continue.
    2. (Optional) Grant your service account access to a project.
    3. Click Continue.
    4. (Optional) Grant users access to your service account.
    5. Click Done.
  9. In Credentials, navigate to your new service account name, and click on your new service account name.
  10. In the Service account details page for your new service account, perform the following steps:
    1. Navigate to the Unique ID, and copy the contents of the Unique ID.

      This is also your Client ID.

    2. Navigate to the Keys tab.
    3. Click Add Key > Create new key.
    4. Select the JSON key type.
    5. Click Create.
    6. Save the JSON key file to your selected directory.

      Your new public/private key pair is generated and downloaded to your machine, and it serves as the only copy of this key. You are responsible for storing it securely.

    7. Navigate to the Permissions tab.
    8. Navigate to the user name email address that has Owner permissions. Copy the email address.
  11. Navigate to admin.google.com.
  12. Log in to your administrator Google account.
  13. On the Google Admin home page, navigate to Security > API controls.
  14. In API Controls, navigate to Domain wide delegation, and click Manage Domain Wide Delegation.
  15. In Manage Domain Wide Delegation, click Add new to add a new client ID.
  16. In the Add a new client ID window, perform the following steps:
    1. In the Client ID field, paste the Unique ID that you copied from the Service account details page.
    2. In the OAuth scopes (comma-delimited) field, add the https://www.googleapis.com/auth/admin.directory.user.readonly scope for the service account. This gives read-only access when retrieving the user identity.
      For more information, see the Google Cloud storage Directory API: User Accounts and Admin SDK: Directory API documentation, and the Authorize Requests topic in the Google Workspace Admin SDK manual.
    3. Click Authorize.

Google Workspace Alert Center prerequisites

Perform the following steps to set up Google Workspace credentials on your Google console:

  1. Navigate to console.cloud.google.com, and log into the Google account where you want to set up your Google Workspace credentials.
  2. Navigate to APIs and Services > Library.
  3. Search for the Google Workspace Alert Center API. Select the Google Workspace Alert Center API.
  4. In Google Workspace Alert Center API, click the Enable button to enable the Google Workspace Alert Center API.
    Making calls to this API lets you view and manage resources such as users, groups, and audit and usage reports of your domain.
  5. Navigate to APIs and Services > Credentials.
  6. In Credentials, click Create Credentials > Service account.
  7. In Create service account, perform the following steps:
    1. Name your service account, and click Create and Continue.
    2. (Optional) Grant your service account access to a project.
    3. Click Continue.
    4. (Optional) Grant users access to your service account.
    5. Click Done.
  8. In Credentials, navigate to your new service account name, and click on your new service account name.
  9. In the Service account details page for your new service account, perform the following steps:
    1. Navigate to the Unique ID, and copy the contents of the Unique ID.

      This is also your Client ID.

    2. Navigate to the Keys tab.
    3. Click Add Key > Create new key.
    4. Select the JSON key type.
    5. Click Create.
    6. Save the JSON key file to your selected directory.

      Your new public/private key pair is generated and downloaded to your machine, and it serves as the only copy of this key. You are responsible for storing it securely.

    7. Navigate to the Permissions tab.
    8. Navigate to the user name email address that has Owner permissions. Copy the email address.
  10. Navigate to admin.google.com.
  11. Log in to your administrator Google account.
  12. On the Google Admin home page, navigate to Security > API controls.
  13. In API Controls, navigate to Domain wide delegation, and click Manage Domain Wide Delegation.
  14. In Manage Domain Wide Delegation, click Add new to add a new client ID.
  15. In the Add a new client ID window, perform the following steps:
    1. In the Client ID field, paste the Unique ID that you copied from the Service account details page.
    2. In the OAuth scopes (comma-delimited) field, add the https://www.googleapis.com/auth/apps.alerts scope for the service account. This gives read-only access when retrieving an activity report.
      For more information, see the Google Cloud storage APIs & Reference and Getting Endpoints Quickstart documentation, and the Authorize Requests topic in the Google Workspace Admin SDK manual.
    3. Click Authorize.
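
Each procedure on this page grants a service account one narrow OAuth scope or a pair of BigQuery roles, and the multiple domain feature means there is one service account per domain to keep track of. The following Python audit is an added example, not part of the Splunk documentation or the add-on: the inventory is constructed, the input names are hypothetical labels, and roles/bigquery.jobUser and roles/bigquery.dataViewer are the role IDs behind the BigQuery Job User and BigQuery Data Viewer names used above.

```python
SCOPE = "https://www.googleapis.com/auth/"

# Grants each input on this page asks for. "roles" merges the project-level
# (BigQuery Job User) and dataset-level (BigQuery Data Viewer) grants.
REQUIRED = {
    "activity_report": {"scopes": {SCOPE + "admin.reports.audit.readonly"}, "roles": set()},
    "user_identity": {"scopes": {SCOPE + "admin.directory.user.readonly"}, "roles": set()},
    "alert_center": {"scopes": {SCOPE + "apps.alerts"}, "roles": set()},
    "gmail_headers": {"scopes": set(),
                      "roles": {"roles/bigquery.jobUser", "roles/bigquery.dataViewer"}},
}

# Constructed inventory: one service account per monitored domain.
INVENTORY = [
    {"domain": "example.com", "inputs": ["activity_report", "user_identity"],
     "scopes": SCOPE + "admin.reports.audit.readonly, " + SCOPE + "admin.directory.user.readonly",
     "roles": []},
    {"domain": "example.org", "inputs": ["gmail_headers", "alert_center"],
     "scopes": SCOPE + "apps.alerts," + SCOPE + "admin.directory.user",
     "roles": ["roles/bigquery.jobUser", "roles/editor"]},
]

def parse_scopes(field):
    """Split the comma-delimited OAuth scopes field, ignoring spaces and blanks."""
    return {item.strip() for item in field.split(",") if item.strip()}

def audit(entry):
    """Compare one service account's grants with what its enabled inputs need."""
    need_scopes = set().union(*(REQUIRED[name]["scopes"] for name in entry["inputs"]))
    need_roles = set().union(*(REQUIRED[name]["roles"] for name in entry["inputs"]))
    have_scopes, have_roles = parse_scopes(entry["scopes"]), set(entry["roles"])
    return {
        "missing_scopes": sorted(need_scopes - have_scopes),
        "excess_scopes": sorted(have_scopes - need_scopes),
        "missing_roles": sorted(need_roles - have_roles),
        "excess_roles": sorted(have_roles - need_roles),
    }

def audit_all(inventory=INVENTORY):
    """Return {domain: findings} for entries that deviate from the page's grants."""
    results = {entry["domain"]: audit(entry) for entry in inventory}
    return {domain: r for domain, r in results.items() if any(r.values())}

if __name__ == "__main__":
    for domain, findings in audit_all().items():
        print(domain, findings)
```
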
Last modified on 12 April, 2024

This documentation applies to the following versions of Splunk® Supported Add-ons: released

