You can integrate Google Workspace with Sophos Central so that the service sends alerts to Sophos for analysis. For a list of alerts you can receive from Google Workspace, see View alert details.
This integration is API-based.
The key steps are as follows:
- Enable the Google Workspace Alert Center API.
- Create a service account and key.
- Enable domain-wide delegation and OAuth scope.
- Add a Google Workspace integration in Sophos Central.
Enable the Google Workspace Alert Center API
Go to the Google Cloud console and select your project.
Alternatively, to create a new one, go to https://console.cloud.google.com/projectcreate.
In your project, enable the Google Workspace Alert Center API as the Alert API.
To find this setting, search for "Google Workspace Alert Center API" in the search bar and click Enable.
You're redirected to the APIs & Services page. Next, you create a service account and key.
Create a service account and key
To create a service account and key, do as follows:
On the APIs & Services page, select Credentials on the left.
Click Create Credentials and select Service Account.
In the Service account details, provide a Service account ID to identify the account, and click Create and Continue. Click Done to create the account.
To create JSON details for the service account, you must create a key. Click the service account ID you created previously and go to the Keys tab.
Click Add key and select Create new key.
In the pop-up dialog, select JSON and click Create.
JSON details for the service account are automatically downloaded to your computer. Keep them safe and secure.
Enable domain-wide delegation
You must get your Client ID and authorize domain-wide delegation to your service account. This includes adding the OAuth scope to the account.
Follow the steps below or see the latest Google instructions in Set up domain-wide delegation for a service account.
To set up domain-wide delegation of authority for a service account, do as follows:
- In the Google Cloud console, go to Menu > IAM & Admin > Service Accounts.
- Select your service account.
- Click Show advanced settings.
- Under Domain-wide delegation, find your service account's Client ID. Click Copy to copy the client ID value to your clipboard.
If you have super administrator access to the relevant Google Workspace account, click View Google Workspace Admin Console, then sign in with a super administrator user account. Continue to the next step.
If you don't have super administrator access, contact a super administrator for that account and send them your service account's Client ID and list of OAuth Scopes so they can complete the remaining steps. When they finish, you can add the integration in Sophos Central. See Add an integration.
In the Google Admin console, go to Menu > Security > Access and data control > API controls.
- Click Manage Domain-Wide Delegation.
Click Add new and do as follows:
- In the Client ID field, paste the client ID you copied previously.
- In the OAuth Scopes field, enter
- Click Authorize.
For delegated user email, add the email address of the user that you want to delegate for API calls.
This should be the admin email address for the domain. You'll need this when you add the integration in Sophos Central.
Next, you add an integration in Sophos Central.
Add an integration
To integrate Google Workspace with Sophos Central, do as follows:
- In Sophos Central, go to Threat Analysis Center and click Integrations.
Click Google Workspace.
If you've already set up integrations of this type, you see them here.
If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.
In Integration steps, you configure an API to collect data from Google Workspace.
- Enter a name and a description for the integration.
In Client E-mail, enter the email address from the
client_emailfield in the JSON file you downloaded.
This email address ends with
gserviceaccount.com. Don't enclose it in quotation marks.
In User E-mail, enter the same email address you used for delegated user email (the admin email address for the domain).
In Private Key, enter the key from the
private_keyfield in the JSON file you downloaded.
Enter everything, including the lines
---------BEGIN PRIVATE KEY-----and
-----END PRIVATE KEY--. Don't enclose it in quotation marks.
We create the integration, and it appears in your list.
If your integration shows as Connected, your data should appear in the Sophos Data Lake after validation.