If you’re having trouble at any stage please contact us at support@skyformation.com.

Preface

The goal of this guide is to add a new SkyFormation’s Google Apps Cloud App Connector to your SkyFormation Platform.

Prerequisites

• For OAuth2 authentication (not required for service account) - *Allow access to the entire .skyformation.net addresses over SSL from the desktop which will be used by the Google Apps admin to on-board the SkyFormation Google Apps connector (only needed for the on-boarding process)
  
  How to validate:

(1) Open a browser  
(2) Go to https://auth.skyformation.net  
(3) You should see be able to reach this URL and get the following message (403 status)

• Make sure your G Suite edition is either Business or Enterprise one  
    (should be done by a G Suite administrator)

To validate this browse to the Google Apps admin console https://admin.google.com navigate to the Billing tab and look for the below indication:

For more about the Google Apps for Work editions go to: https://apps.google.com/intx/en/pricing.html

• Enable API access  (should be done by a G Suite administrator)

At Google Apps admin console go to Security->API reference and mark the below option

• Actions to take based on the cloud connector “Authentication Method” you will choose : The skyformation Google Apps connector supports two authentication methods: OAuth2 and service account. The main differences between the two options is that with the " OAuth2" option a G Suite administrator will have to be involved interactively in the SkyFormation G Suite cloud connector onboard process. In the second option of " service-account" the G Suite administrator will be asked to prepare an authorization file and send the file to the SkyFormation admin. That authorization file will be used by the SkyFormation admin when onboarding the SkyFormation G Suite cloud connector.

Authentication Method option I - " OAuth2"

Make sure a person with G Suite admin rights is present when onboarding the SkyFormation G
Suite cloud connector.

Explanation The process of adding the connector involves an interactive action of authorizing the SkyFormation G Suite cloud connector to communicate with the G Suite account and retrieve relevant logs, events and data for the security monitoring.

Authentication Method option II  - " service-account"

A G Suite administrator will need to create a file (called " Service-Credentials-Json")  which authorizes the G Suite cloud connector (or anyone else who possess it) to communicate with the G Suite account and retrieve relevant logs, events and data for the security monitoring.

To create the " Service-Credentials-Json" JSON file ask the G Suite administrator to follow the instructions at [Creating a “Service-Credentials-Json” file].

Send the JSON file created in a very secure way to the SkyFormation administrator to be available at the G Suite cloud connector onboard process steps described below.

Gmail Logs (Optional)

1. Set up Gmails logs in BigQuery
2. Create a service account in the BigQuery project created
3. Assign the BigQuery Data Viewer and the BigQuery Job User roles to the service account (GCP console > select project -> IAM > select service account > edit permissions )
   
4. Create a JSON key for the service account

Steps

1. Logon to your SkyFormation Platform:

2. Navigate via left navigation panel to " Settings" section

3. Navigate via New Settings left navigation panel to " Accounts" section

4. Click the “Add Account” bottom

5. At the “SELECT SERVICE TO ADD” choose “Google Apps Google” 
   You will see the below screen:
   
   

6. Choose from the list the tenant to attach the connector to e.g. “default-tenant”

7. Fill in the following information: 
   - **Account Name** - Give this Google Apps connector a meaningful name for you. The will become your cloud app connector name displayed in the SkyFormation platform and added to entire events sent to your SIEM/Log/Splunk system as identifier. e.g. “Corporate Google Apps platform”
   - **Description** - Add any text that describe the specific cloud app connector function and meaning for the business. e.g. “Corporate email and file sharing platform using Google Apps”

8. - Choose the “Authentication Method” you would like the connector to use “oauth2” / “service-account”. 

   1. If you choose " oauth2" as the authentication method to use , Authorize the cloud connector to communicate with the G Suite account (should be done by a G Suite administrator) 
      
      Press the button
      
      This will popup a new window with “Request for permission” . Ask the Google Apps super admin for permission to allow SkyFormation connector to integrate with the Google Apps application. If you are OK with the permissions requested by the connector Press on “Allow” to grant the permissions. 
      Go to 9 when done.

   2. If you choose " service-account" as the authentication method to use you should see a screen similar to the following:- Fill in the Service-Credentials-Json : Copy and paste the entire content of the JSON file created by the G suite administrator for the connector to here
      - Fill in the Admin-Username of a user with the following admin privileges: 
      Admin console privileges-Reports
      Admin API privileges
      Organizational Units > Read, Users > Read, Groups > Read
      
      Endpoint Gmail Logs (optional)
      
      Service-Credentials-Json - BigQuery service account JSON key
      BigQuery Dataset Name - BigQuery dataset name
      Initial Sync - Hours From Now - number of hours in the past for the initial sync

9. Test the settings correctness:
   Press the “TEST CONNECTION” button
   If you see a green OK sign appears as above you have completed the onboard successfully!

10. Click “SAVE” button

11. Start the new connector

When a new cloud connector is added its default state is STOPPED.

To start it press its START button.

DONE !