If you're having trouble at any stage please contact us at support@skyformation.com. 

Preface

The goal of this guide is to add a new SkyFormation's Google Apps Cloud App Connector to your SkyFormation Platform.

Prerequisites

- For OAuth2 authentication (not required for service account) - Allow access to the entire *.skyformation.net addresses over SSL from the desktop
  which will be used by the Google Apps admin to on-board the SkyFormation Google Apps 
  connector (only needed for the on-boarding process)

  How to validate:

  (1) Open a browser
  (2) Go to https://auth.skyformation.net 
  (3) You should see be able to reach this URL and get the following message (403 status)

- Make sure your G Suite edition is either Business or Enterprise one 
  (should be done by a G Suite administrator)

  To validate this browse to the Google Apps admin console https://admin.google.com navigate to
  the Billing tab and look for the below indication:

For more about the Google Apps for Work editions go to:
https://apps.google.com/intx/en/pricing.html

- Enable API access
  (should be done by a G Suite administrator)

  At Google Apps admin console go to Security->API reference and mark the below option

- Actions to take based on the cloud connector "Authentication Method" you will choose

  The main differences between the two options is that with the "OAuth2" option a G Suite
  administrator will have to be involved interactively in the SkyFormation G Suite cloud connector
  onboard process. In the second option of "service-account" the G Suite administrator will be
  asked to prepare an authorization file and send the file to the SkyFormation admin.
  That authorization file will be used by the SkyFormation admin when onboarding the
  SkyFormation G Suite cloud connector.   

  (Authentication Method option I) "OAuth2"

                  Make sure a person with G Suite admin rights is present when onboarding the
                  SkyFormation G Suite cloud connector.

                  Explanation
                  The process of adding the connector involve an interactive action of authorizing the
                  SkyFormation G Suite cloud connector to communicate with the G Suite account and 
                  retrieve relevant logs, events and data for the security monitoring.

  (Authentication Method option II) "service-account"

                 A G Suite administrator will need to create a file (called "Service-Credentials-Json") 
                 which authorizes the G Suite cloud connector (or anyone else who possess it) 
                 to communicate with the G Suite account and retrieve relevant logs, events and data
                 for the security monitoring. 

                 To create the "Service-Credentials-Json" JSON file ask the G Suite administrator to
                 follow the instructions at [Creating a "Service-Credentials-Json" file].
                 
                 Send the JSON file created in a very secure way to the SkyFormation administrator
                 to be available at the G Suite cloud connector onboard process steps described
                 below.      

Steps

1. Logon to your SkyFormation Platform:

2. Navigate via left navigation panel to "Settings" section

3. Navigate via New Settings left navigation panel to "Accounts" section

4. Click the "Add Account" bottom

5. At the "SELECT SERVICE TO ADD" choose "Google Apps Google" 

You will see the below screen:

5. Choose from the list the tenant to attach the connector to

    e.g. "default-tenant"

6. Fill in the following information:

    - Account Name
        Give this Google Apps connector a meaningful name for you. The will become your cloud app
        connector name displayed in the SkyFormation platform and added to entire events sent to
        your SIEM/Log/Splunk system as identifier. 

        e.g. "Corporate Google Apps platform"     

    - Description
      Add any text that describe the specific cloud app connector function and meaning for the 
      business.

      e.g. "Corporate email and file sharing platform using Google Apps"

6. Choose the "Authentication Method" you would like the connector to use

    "oauth2" / "service-account"

7.1 If you choose "oauth2" as the authentication method to use    

       - Authorize the cloud connector to communicate with the G Suite account
          (should be done by a G Suite administrator)

         Press the button 

        This will popup a new window with "Request for permission" ask the Google Apps super
        admin for permission to allow SkyFormation connector to integrate with the Google Apps
        application.

        If you are OK with the permissions requested by the connector

        Press on "Allow" to grant the permissions.

        Go to 8 when done

 7.2 If you choose "service-account" as the authentication method to use    

       You should see a screen similar to the following:

           - Fill in the Service-Credentials-Json

             Copy and paste the entire content of the JSON file created by the G suite
             administrator for the connector to here

           - Fill in the Admin-Username of a user with the following admin privileges: 
                Admin console privileges - Reports
                Admin API privileges - Organizational Units > Read, Users > Read, Groups > Read
            
  8. Test the settings correctness 

    Press the "TEST CONNECTION" button

    If you see a green OK sign appears as above you have completed the onboard successfully.

- Click "SAVE" button

9. Start the new connector

    When a new cloud connector is added its default state is STOPPED.

 To start it press its START button. 

DONE !