- Cloud Collectors Overview
- Administration
- Administrative Access
- Shareable Service Accounts
- Add Accounts for AWS Cloud Collectors
- Add Accounts for Cisco Duo Cloud Collector
- Add Accounts for Google Cloud Collectors
- Add Accounts for Microsoft Cloud Collectors
- Add Accounts for Okta Cloud Collectors
- Add Accounts for Salesforce Cloud Collectors
- Add Accounts for Splunk Cloud Collectors
- Add Accounts for Trend Micro Cloud Collectors
- Add Accounts for Wiz
- Define a Unique Site Name
- Sign Up for the Early Access Program
- Onboard Cloud Collectors
- Abnormal Security Cloud Collector
- AWS CloudTrail Cloud Collectors
- AWS CloudWatch Cloud Collector
- AWS S3 Cloud Collector
- AWS SQS Cloud Collector
- Azure Activity Logs Cloud Collector
- Azure Log Analytics Cloud Collector
- Azure Event Hub Cloud Collector
- Azure Storage Analytics Cloud Collector
- Box Cloud Collector
- Cato Networks Cloud Collector
- Cisco Duo Cloud Collector
- Cisco Meraki Cloud Collector
- Cisco Umbrella Cloud Collector
- Cloudflare Cloud Collector
- Cribl Cloud Collector
- CrowdStrike Cloud Collectors
- GCP Pub/Sub Cloud Collector
- Google Workspace Cloud Collector
- LastPass Cloud Collector
- Microsoft Defender XDR (via Azure Event Hub) Cloud Collector
- Microsoft Entra ID Context Cloud Collector
- Microsoft Entra ID Logs Cloud Collector
- Microsoft 365 Exchange Admin Reports Cloud Collector
- Supported Sources from Microsoft 365 Exchange Admin Reports
- Migrate to the Microsoft 365 Exchange Admin Reports Cloud Collector
- Prerequisites to Configure the Microsoft 365 Exchange Admin Reports Cloud Collector
- Configure the Microsoft 365 Exchange Admin Reports Cloud Collector
- Troubleshooting the Microsoft 365 Exchange Admin Reports Cloud Collector
- Microsoft 365 Management Activity Cloud Collector
- Microsoft Security Alerts Cloud Collector
- Microsoft Sentinel (via Event Hub) Cloud Collector
- Mimecast Cloud Collector
- Netskope Alerts Cloud Collector
- Netskope Events Cloud Collector
- Okta Cloud Collector
- Okta Context Cloud Collector
- Palo Alto Networks Cortex Data Lake Cloud Collector
- Proofpoint On-Demand Cloud Collector
- Proofpoint Targeted Attack Protection Cloud Collector
- Recorded Future Cloud Collector
- Recorded Future Context Cloud Collector
- Rest API Cloud Collector
- Salesforce Cloud Collector
- SentinelOne Alerts Cloud Collector
- SentinelOne Cloud Funnel Cloud Collector
- SentinelOne Threats Cloud Collector
- SentinelOne Cloud Collector
- ServiceNow Cloud Collector
- Sophos Central Cloud Collector
- Splunk Cloud Collector
- STIX/TAXII Cloud Collector
- Symantec Endpoint Security Cloud Collector
- Trend Vision One Cloud Collector
- Vectra Cloud Collector
- Zscaler ZIA Cloud Collector
- Webhook Cloud Collectors
- Wiz Issues Cloud Collector
- Wiz API Cloud Collector
- Troubleshooting Cloud Collectors
Prerequisites to Configure the Google Workspace Cloud Collector
Before you configure the Google Workspace Cloud Collector you must complete the following prerequisites:
Make sure a person with G Suite super-admin rights is present when onboarding the Google Workspace Cloud Collector.
Verify your Google Workspace edition is either Business or Enterprise. Your G Suite administrator can verify the edition type in the Billing tab of the Google Apps admin console (https://admin.google.com). For more information about the Google Apps for Work editions go to: https://apps.google.com/intx/en/pricing.html.
Enable API access. This should be done by a G Suite administrator. The administrator can go to Security > API reference in the Google Apps admin console.
Prepare an authorization file for use during the collector configuration for Service account authentication, as a G Suite administrator. For more information, see Authorize the Google Workspace Cloud Collector to Retrieve Events, and Create a Service-Credentials-Json File for the Google Workspace Cloud Collector.
Authorize the Google Workspace Cloud Collector to Retrieve Events
For Service-Account authentication, a G Suite administrator will need to create a file (called Service-Credentials-Json) that authorizes the Google Workspace Cloud Collector (or anyone else who possess it) to communicate with the G Suite account and retrieve relevant logs, events and data for the security monitoring.
To create the Service-Credentials-Json JSON file, ask the G Suite administrator to follow the instructions mentioned here Create a Service-Credentials-Json File for the Google Workspace Cloud Collector .
Use your preferred secured method of transport to send the JSON file to the Exabeam Cloud Collectors administrator to configure the Google Workspace Cloud Collector.
Create a Service-Credentials-Json File for the Google Workspace Cloud Collector
If you use the service-account authentication method, you need to set up communication between the cloud collector and the G-Suite account. To facilitate communication and enable to retrieve audit events, you must create a service-credentials-json file.
Note
To use the service account you are required to have a Domain-Wide Delegation of Authority. Since you need this delegation of authority to read reports about admin activity, the user, whose authority is being used, must have super-admin privileges to view admin report activity and read user and groups information. The service account is still bound by the permissions granted and thus cannot perform any action other than read access on the specified scopes.
To create the JSON file, review the video or use the following workflow:
Log in to the Google Developers Console with an account that has super-admin permissions.
Create a new project by doing one of the following:
If you haven't used the Developers Console before, agree to the Google Cloud Platform Terms of Service. Then, click Create a project.
At the top of the screen next to your most recent project name, click the down arrow to open your projects list. Then, Create a new project.
Enter a project name and click Create.
Enable the Admin SDK API.
Each project uses its own set of APIs. For the Google Workspace Cloud Collector to be able to use the service-account authentication method, you must enable the Admin SDK API to the just added project.
ENABLE APIS AND SERVICES in the project context to display the API Library Search.
In the search field, enter
Admin SDK API.
Create the service account.
In the top-left corner of the console, click Menu.
Click IAM & Admin.
Click Create service account and in the Service account name field, enter a name for the service account.
Select the Furnish a new private key box and ensure the key type is set to JSON.
Select the Enable Domain-wide Delegation box and enter a name in the Product name for the consent screen field.
Click Create. You'll see a message that the service account JSON file has been downloaded to your computer.
Encrypt and send the JSON file to Exabeam Support using a secure transport method.
Click Close.
In the Options column, click the View Client ID link for the service account you have just created.
Copy the Client ID value. You will need this later.
Set the needed API permission scope.
Open the admin console.
Go to Security > Advanced settings > Manage API client access.
In the upper row, in the Client Name field, enter:
Under Client Name, insert the Client ID saved during the previous step (you can also see it in the JSON file created under client_id key).
Under the One or More API Scopes field, enter the below API scopes (copy and paste to keep the comma separation in place).
For Exabeam to only read events:
https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,https://www.googleapis.com/auth/admin.directory.orgunit.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.reports.usage.readonly,https://www.googleapis.com/auth/apps.alerts
You should see a screen similar to the below:
