IBM QRadar


IBM QRadar App for G Suite Integration

By JEFF RUSK posted Mon October 21, 2019 10:58 AM


IBM QRadar App for G Suite Integration (Early Access) is now available on the IBM Security App Exchange. It retrieves audit events (creation, suspension and deletion of users, user license management, login behaviour) from G Suite’s Admin Reports API. The app contains a custom DSM and QID map entries so that these incoming events are normalized correctly, giving a SOC analyst easy visibility and a starting point for investigation.

Configuration on G Suite

The following configuration on G Suite enables QRadar to access the appropriate APIs to collect the data. You will have to create a project in the G Suite domain you want to receive events from, and create a service account associated with this project from the Google Cloud Platform (GCP) Console. The service account JSON key file created during this step will need to be accessible so that it can be uploaded to QRadar. The Admin SDK API must be enabled for the project, and the service account must be authorized for the specific API scope these queries require. Treat the JSON key file as a credential: anyone holding it, together with the delegated user name, can read the same audit data that QRadar reads, so store it with restrictive permissions and delete local copies once it has been uploaded.

Configuration on QRadar

The following fields are required to configure the G Suite Integration on QRadar: the Domain Name of the domain you want to obtain events from, the Delegated User Name that will be querying the events via the API, and the service account JSON file created above.

 

It is important to note here that the Delegated User Name entered into QRadar is not the service account user id (the client_email in the JSON file) created in the above steps; it is a user in your G Suite domain on whose behalf the service account queries the API. It is also essential that this delegated user has the Reports privilege assigned under Admin roles and privileges in the G Suite Admin console, as shown below:

 

The service account JSON file must be saved to an accessible location during the G Suite configuration step; an example of this file is shown below:

 

With all the appropriate fields configured correctly, QRadar can now collect events from the G Suite integration.
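The three QRadar inputs above (domain, delegated user, key file) fail in confusing ways when they are inconsistent, so it is worth checking them before uploading. The script below is an added example, not code from the original post or from the app: it verifies that the file is a Google service-account key, that the delegated user is a real user in the configured domain rather than the service account's own client_email, and that the key file is not group- or world-readable. The sample key embedded in it is constructed with dummy values, and the scope constant is the documented read-only Reports API audit scope, which is an assumption about what the app itself requests (the post does not name the scope).

```python
import json
import os
import stat
import sys

# Read-only scope for Admin SDK Reports API audit activities. Assumption: the post
# does not state which scope the app requests; this is the least-privilege choice.
REPORTS_AUDIT_SCOPE = "https://www.googleapis.com/auth/admin.reports.audit.readonly"

# Fields present in every service-account key file Google generates.
REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
)

# Constructed sample key with dummy values (the private_key body is a placeholder).
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "qradar-gsuite-demo",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n",
    "client_email": "qradar-collector@qradar-gsuite-demo.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def check_service_account_key(key, delegated_user, domain):
    """Return a list of problems; an empty list means the three inputs are consistent."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not key.get(field):
            problems.append("missing field: " + field)
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account' (wrong kind of credential file)")
    pk = key.get("private_key", "")
    if not (pk.startswith("-----BEGIN PRIVATE KEY-----")
            and pk.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM block")
    client_email = key.get("client_email", "")
    if not client_email.endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a GCP service account address")
    # The Delegated User Name must be a domain user, never the service account itself.
    if delegated_user.lower() == client_email.lower():
        problems.append("delegated user is the service account itself; "
                        "use a domain user that holds the Reports privilege")
    user_domain = delegated_user.rsplit("@", 1)[-1] if "@" in delegated_user else ""
    if user_domain.lower() != domain.lower():
        problems.append("delegated user %r is not in domain %r" % (delegated_user, domain))
    return problems


def key_file_mode_is_private(mode):
    """True when a file's st_mode grants no group or other permission (e.g. 0600)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def main(argv):
    # Usage: preflight.py <key.json> <delegated_user> <domain>; no args runs the sample.
    if len(argv) == 4:
        path, user, domain = argv[1:]
        with open(path) as fh:
            key = json.load(fh)
        if not key_file_mode_is_private(os.stat(path).st_mode):
            print("WARNING: %s is readable by group/other; chmod 600 it" % path)
    else:
        key, user, domain = SAMPLE_KEY, "secops-admin@example.com", "example.com"
    problems = check_service_account_key(key, user, domain)
    print("scope to delegate: " + REPORTS_AUDIT_SCOPE)
    print("OK" if not problems else "\n".join("PROBLEM: " + p for p in problems))
    return 0 if not problems else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The check for the service account address is the one that catches the mistake the post warns about: pasting the client_email from the JSON file into the Delegated User Name field. Such a user cannot hold the Reports privilege, so the app would authenticate successfully and then receive authorization errors on every query.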

 

Automatically create G Suite log source

Provided you have checked the “Create Log Source for domain” checkbox in the app’s UI, as shown above, a G Suite type log source is automatically created in QRadar to receive the requested events. This is recommended, because there is no autodiscovery associated with this G Suite custom DSM. It remains optional, however, because some users may have an existing manually created log source, with a log source extension, that they want to keep using.

 

Once you have clicked “Save Configuration” and see a successful indication that the log source has been created, a Deploy Changes is required. After deploying changes, you will see G Suite Admin Reports API events arriving in QRadar, properly normalized.

 

G Suite Events

A number of events related to your G Suite accounts are made available to your SOC with this integration: the creation, suspension and deletion of users; data transfer requests; user license assignments and revocations; and the login behaviour of users.

Troubleshooting

For advanced users, or those who want to dig a bit deeper into the workings of this app (assuming you have admin-level back-end access), there is some relevant logging that may prove useful. The first step is to identify the app id of this app by running /opt/qradar/support/recon ps on whatever system the app is installed on (the console or an app host appliance). For example:

 

[root@QRadarAppHost ~]# /opt/qradar/support/recon ps
App-ID  Name                     Managed Host ID  Workload ID  Service Name  AB  Container Name  CDEGH  Port  IJKL
1015    Experience Center        54               apps         qapp-1015     ++  qapp-1015       +++++  5000  ++++
1006    IBM QRadar DNS Analyzer  54               apps         qapp-1006     ++  qapp-1006       +++++  5000  ++++
1010    Incident Overview        54               apps         qapp-1010     ++  qapp-1010       +++++  5000  ++++
1103    G Suite Integration      54               apps         qapp-1103     ++  qapp-1103       +++++  5000  ++++

 

As you can see, in this case the app id for the G Suite Integration is 1103. That id lets you locate the logs specific to this app.

 

The most important log to look at first for this app is /store/docker/volumes/qapp-<app_id>/log/collection_<domain_name>.log. There you can see the app requesting and gathering events from G Suite, one collection thread per Reports API application (for example login and admin). For example:

 

[root@QRadarAppHost log]# tail -f collection_XXXXXXXXXXXX.com.log
2019-09-20 08:45:10,167 [collection_XXXXXXXXXXXX.com] INFO: [DOMAIN=XXXXXXXXXXXX.com, APP=login] - Started log collection thread.
2019-09-20 08:45:11,065 [collection_XXXXXXXXXXXX.com] INFO: [DOMAIN=dataforwarding.com, APP=login] - Collected and sent 0 logs to X.X.X.X
2019-09-20 08:45:11,121 [collection_XXXXXXXXXXXX.com] INFO: [DOMAIN=XXXXXXXXXXXX.com, APP=admin] - Collected and sent 4 logs to X.X.X.X
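When a log source goes quiet, the question is usually whether the app stopped polling or whether it is polling and Google is returning nothing. The script below is an added example, not part of the post or the app: it parses collection_<domain>.log lines in the format shown above, totals the events sent per (domain, application), counts non-INFO lines, and flags applications that have polled but never delivered an event. The log lines it runs on are constructed for the example (the post shows only INFO lines; the ERROR line and its message are assumed for illustration, as is the destination address).

```python
import re
from collections import defaultdict

# Matches the collection_<domain>.log format shown in the post; the \s* after
# DOMAIN= tolerates the stray space seen in the original output.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+): "
    r"\[DOMAIN=\s*(?P<domain>[^,]+), APP=(?P<app>[^\]]+)\] - (?P<msg>.*)$"
)
SENT_RE = re.compile(r"Collected and sent (?P<n>\d+) logs to (?P<dest>\S+)")

# Constructed sample lines (domain, destination and the ERROR line are invented).
SAMPLE_LOG = """\
2019-09-20 08:45:10,167 [collection_example.com] INFO: [DOMAIN= example.com, APP=login] - Started log collection thread.
2019-09-20 08:45:11,065 [collection_example.com] INFO: [DOMAIN=example.com, APP=login] - Collected and sent 0 logs to 10.0.0.5
2019-09-20 08:45:11,121 [collection_example.com] INFO: [DOMAIN=example.com, APP=admin] - Collected and sent 4 logs to 10.0.0.5
2019-09-20 08:50:11,070 [collection_example.com] INFO: [DOMAIN=example.com, APP=login] - Collected and sent 0 logs to 10.0.0.5
2019-09-20 08:50:11,130 [collection_example.com] INFO: [DOMAIN=example.com, APP=admin] - Collected and sent 2 logs to 10.0.0.5
2019-09-20 08:55:11,200 [collection_example.com] ERROR: [DOMAIN=example.com, APP=admin] - HTTP 403 from Reports API
"""


def parse_line(line):
    """Return a dict for a collection log line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["domain"] = rec["domain"].strip()
    rec["app"] = rec["app"].strip()
    sent = SENT_RE.search(rec["msg"])
    rec["sent"] = int(sent.group("n")) if sent else None
    rec["dest"] = sent.group("dest") if sent else None
    return rec


def summarize(lines):
    """Aggregate polls, events and non-INFO lines per (domain, app)."""
    summary = defaultdict(lambda: {"polls": 0, "events": 0, "errors": 0,
                                   "last_ts": None, "dest": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = summary[(rec["domain"], rec["app"])]
        s["last_ts"] = rec["ts"]
        if rec["level"] != "INFO":
            s["errors"] += 1
        if rec["sent"] is not None:
            s["polls"] += 1
            s["events"] += rec["sent"]
            s["dest"] = rec["dest"]
    return dict(summary)


def stale_apps(summary):
    """(domain, app) pairs that are polling but have never delivered an event."""
    return sorted(k for k, s in summary.items() if s["polls"] > 0 and s["events"] == 0)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for (domain, app), s in sorted(summary.items()):
        print("%-12s %-6s polls=%d events=%d errors=%d last=%s dest=%s"
              % (domain, app, s["polls"], s["events"], s["errors"], s["last_ts"], s["dest"]))
    for domain, app in stale_apps(summary):
        print("CHECK: %s/%s polls but never sends events; verify the delegated user's "
              "Reports privilege and the API scope for that application" % (domain, app))
```

A stream of "Collected and sent 0 logs" for login is normal outside business hours, so the stale check is a prompt rather than a verdict; a non-INFO line alongside it (for example an HTTP 403) is the stronger signal that the delegated user lacks the Reports privilege or the scope was not granted.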

Summary

Our goal is to ensure that you can easily ingest and normalize events from your G Suite account. Communication with Google G Suite’s Admin Reports API is not possible through the existing protocol sources and custom DSM capabilities alone; this app makes it possible. Expanding the scope of your SOC to include more cloud-related data sources, such as these G Suite events, is an important element in keeping your organization secure and improving visibility into cloud users across your enterprise.

Comments

Wed October 30, 2019 06:57 PM

Thanks for this. I actually just started up with G Suite Enterprise again this past week.