IBM Qradar App for G Suite IBM
Total Page:16
File Type:pdf, Size:1020Kb
IBM QRadar App for G Suite IBM User Guide Version 1.0.0 Note: Before using this information and the product that it supports, read the information in “Notices” on page 9. Product information This document applies to IBM Security QRadar Security Intelligence Platform V7.3.0 and subsequent releases unless superseded by an updated version of this document. © Copyright IBM Corporation 2019. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Introduction to QRadar Application Extensions iv IBM QRadar App for G Suite 1 Supported Browsers for the IBM QRadar App for G Suite 1 Installing the App 2 Create a Service Account 3 Setting up the Service Account and Enable the APIs within G Suite (Google Apps) 9 Configure G Suite Domain in the App 11 Uninstalling the IBM QRadar App for G Suite 11 Notices Trademarks Terms and Conditions for Product Documentation IBM Online Privacy Statement © Copyright IBM Corp. 2019. iii Introduction to QRadar Application Extensions Administrators use IBM® Security QRadar® application extensions to add extra functionality to their existing QRadar deployment. Intended audience This guide is intended for QRadar users who download and install this application extension. This guide assumes that you have the relevant QRadar access permissions and a knowledge of your corporate network and networking technologies. Technical documentation To find IBM Security QRadar product documentation on the web, including all translated documentation, access the IBM Knowledge Center (http://www.ibm.com/support/knowledgecenter/SS42VS/welcome). For information about how to access more technical documentation in the QRadar products library, see Accessing IBM Security Documentation Technical Note (www.ibm.com/support/docview.wss?rs=0&uid=swg21614644). Contacting customer support For information about contacting customer support, see the Support and Download Technical Note (http://www.ibm.com/support/docview.wss?rs=0&uid=swg21612861). Statement of good security practices IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. Please Note: Use of this Program may implicate various laws or regulations, including those related to privacy, data protection, employment, and electronic communications and storage. IBM Security QRadar may be used only for lawful purposes and in a lawful manner. Customer agrees to use this Program pursuant to, and assumes all responsibility for complying with applicable laws, regulations and policies. Licensee represents that it will obtain or has obtained any consents, permissions, or licenses required to enable its lawful use of IBM Security QRadar. © Copyright IBM Corp. 2019. iv IBM QRadar App for G Suite The IBM QRadar App for G Suite enables communication so that you can forward G Suite audit events to QRadar for analysis. After the app connects to G Suite, it starts the event collection for configured domain. IBM QRadar App for G Suite is bundled with custom DSM and event mappings which enables QRadar to parse the data from G Suite the same way that it parses data from other sources and displays the data in the Log Activity tab. Pre-existing auto detection settings work as expected. The app is supported on QRadar V7.2.XXXXXX, V7.3.0, and V7.3.1. Supported Browsers for the IBM QRadar App for G Suite For the features in QRadar products to work properly, you must use a supported web browser. The following table lists the supported versions of web browsers. Web browser Supported versions Mozilla Firefox 45.9.0 ESR Google Chrome 58.0.3029.110 (64-bit) Safari 10.1.1 Microsoft Edge 42.17134.1.0 1 App Extension User Guide Installing the App Use the QRadar Extensions Management tool to install the app on your QRadar Console. About this task Note: The installation of apps does not void your IBM warranty for QRadar. You can use the IBM Security QRadar Extensions Management tool to install the app on your QRadar Console. Procedure 1. Open the Admin settings: a. In IBM Security QRadar V7.3.0 or earlier, click the Admin tab. b. In IBM Security QRadar V7.3.1, click the navigation menu icon (=), and then click Admin to open the admin tab. 2. In the System Configuration section, click Extensions Management. 3. In the Extensions Management window, click Add and select the app archive that you want to upload to the console. 4. Select the Install immediately check box. Important: You might have to wait several minutes before your app becomes active. What to do next When the installation is complete, refresh the browser window before you use the app. 2 App Extension User Guide G-Suite User minimum required privileges The user account only needs to have a role with Reports privilege to collect logs. Copyright 2018. Google LLC, used with permission. Google and the Google logo are registered trademarks of Google LLC. Copyright 2018. Google LLC, used with permission. Google and the Google logo are registered trademarks of Google LLC. Create a Service Account Before you can configure the app, you must have a valid service account. Step 1: Create a project 1. Go to your G Suite domain’s Google Cloud Platform (GCP) Console and sign in with the User. Choose an option: a. If you haven't used the Console before, agree to the Terms of Service and click Create Project. b. If you have used Console before, at the top of the screen next to your most recent project name, click Down to open your projects list. Then, click New Project. 2. Enter a project name and click Create. Step 2: Create the service account 1. Select project name from project drop-down list. 2. In the top-left corner of the Google Cloud Platform (GCP) Console, click Menu . 3. Click IAM & Admin Service accounts. 4. Click Create Service Account and in the Service account name field, enter a name for the service account. 5. (Optional) Enter a description of the service account. 6. Click Create. 7. (Optional) Assign the role of Project to the new account. 8. Click Continue Create Key. 9. Ensure the key type is set to JSON and click Create. You'll see a message that the service account JSON file has been downloaded to your computer. 10. Make a note of the location and name of this file. You will need it later. 11. Click Close Done. 4 App Extension User Guide Copyright 2018. Google LLC, used with permission. Google and the Google logo are registered trademarks of Google LLC. 5 App Extension User Guide Copyright 2018. Google LLC, used with permission. Google and the Google logo are registered trademarks of Google LLC. 6 App Extension User Guide Copyright 2018. Google LLC, used with permission. Google and the Google logo are registered trademarks of Google LLC. Copyright 2018. Google LLC, used with permission. Google and the Google logo are registered trademarks of Google LLC. 7 App Extension User Guide Step 3: Enable the APIs for the service account 1. In the top-left corner of the Admin console, click Menu and then APIs & Services and then Library. 2. For each API you require (see below), click the API name and then Enable. 3. Required API for QRadar IBM QRadar App for G Suite is Admin SDK. Tip: If you don't see the API, enter the API name in the search box. Copyright 2018. Google LLC, used with permission. Google and the Google logo are registered trademarks of Google LLC. Copyright 2018. Google LLC, used with permission. Google and the Google logo are registered trademarks of Google LLC. 8 App Extension User Guide Setting up the Service Account and Enable the APIs within G Suite By Super Admin Before configuring App, you must create Service Account and enable the APIs required for the QRadar IBM QRadar App for G Suite. Procedure An administrator of the G Suite domain must complete the following steps: 1. Go to your G Suite domain’s Admin Console. 2. Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls. If you can't see the controls, make sure you're signed in as an administrator for the domain. 3. Select Show more and then Advanced settings from the list of options. 4. Select Manage API client access in the Authentication section. 5. In the Client Name field enter the service account's Client ID. You can find your service account's client ID in the Service accounts page on Google Cloud Platform (GCP) Console OR you can also use Client ID from key file. 6. In the One or More API Scopes field enter the list of scopes that your application should be granted access to. Enter: https://www.googleapis.com/auth/admin.reports.audit.readonly 7.