Connect WatchGuard Total MDR with Google Workspace

Applies To: WatchGuard Total MDR

If you have a WatchGuard Total MDR license, to enable WatchGuard MDR to monitor your Google Workspace account endpoints, you must configure a connection from your Google Workspace environment to WatchGuard.

To connect WatchGuard MDR and your Google Workspace environment, complete these steps:

  1. Enable the Google Admin SDK API
  2. Create a Google Service Account
  3. Create an API Key
  4. Add the Client ID with OAuth Scopes
  5. Add the Integration in the Managed Services Portal

Enable the Google Admin SDK API

The WatchGuard MDR integration uses the Google Admin SDK API to connect to your Google Workspace. Before you configure the connection, you must enable the Google Admin SDK API.

To enable the Google Admin SDK API:

  1. Go to the Google Cloud Platform console at https://console.cloud.google.com/ and log in with a Super Admin account.

Screen shot of Google Cloud Platform console menu

  1. From the console menu, select APIs & Services > Library.
    The API Library page opens.

Screen shot of Google Cloud Platform API Library page

  1. In the search box, search for admin sdk.
  2. From the search results, select Admin SDK API.
    The Admin SDK API page opens.

Screen shot of Google Workspace Admin SDK API dialog box

  1. Click Enable.
    The API Library page opens.
  2. In the search box, search for alert center api.
  3. From the search results, select Alert Center API.
    The Google Workspace Alert Center API page opens.

Screen shot of Google Workspace Alert Center API dialog box

  1. Click Enable.

Create a Google Service Account

For WatchGuard MDR to authenticate to your Google Workspace environment, you must create a Google Service Account.

To create a Google Service Account:

  1. Go to the Google Cloud Platform console at https://console.cloud.google.com/ and log in with a Super Admin account.
  2. From the console menu, select IAM & Admin > Service Accounts.
    The Service Accounts page opens.

Screen shot of Google Workspace Service Accounts page

  1. Click Create Service Account.
    The Create Service Account page opens.
  2. Enter a Name and Description for the account. Click Create and Continue.
  3. From the Permissions section, assign the Service Account Token Creator role. Click Done.

Screen shot of Google Workspace Service Accounts page

  1. From the Service Account Details page, click the new account.
  2. Copy the Oauth2 Client ID to use later in these instructions.

Create an API Key

For WatchGuard MDR to authenticate to your Google Workspace environment, you must also create an API key.

To create an API key:

  1. Go to the Google Cloud Platform console at https://console.cloud.google.com/ and log in with a Super Admin account.
  2. From the console menu, select IAM & Admin > Service Accounts.
    The Service Accounts page opens.

Screen shot of Google Workspace Service Accounts page

  1. Next to the service account you created, click .
  2. Select Manage Keys.

Screen shot of Google Workspace Service Accounts Keys tab

  1. In the Keys tab, from the Add Key menu, select Create New Key.
    The Create Private Key pane opens.

Screen shot of Google Workspace Service Accounts Create Private Key dialog box

  1. Select JSON.
  2. Click Create.
    Your computer downloads the private key JSON file. Keep this file in a secure location in your local environment.
  3. Click Close.
  4. Return to the Service Accounts page.
  5. Next to the service account, click .
  6. Click Manage Details.
    The Service Account Details page opens.

Screen shot of Google Workspace Service Account Details page

  1. Copy the Unique ID to use later in these instructions.

Add the Client ID with OAuth Scopes

To add the client ID with OAuth Scopes:

  1. Go to the Google Admin console at https://admin.google.com/ac/home and log in with a Super Admin account.
  2. From the console menu, select Security > API Controls > Domain-wide Delegation.
    The API Clients page opens.

Screen shot of Google Admin API Controls Domain-wide Delegation page

  1. Click Add New.
    The Add a New Client ID page opens.
  2. Enter the Unique ID you copied from the Create a Google Service Account section.
  3. Enter the OAuth Scopes for the connector:
    1. For Alert reports, type: https://www.googleapis.com/auth/apps.alerts
    2. For Application reports, type: https://www.googleapis.com/auth/admin.reports.audit.readonly
  4. Click Authorize.

Add the Integration in the Managed Services Portal

To add the integration:

  1. In WatchGuard Cloud, select Monitor > Managed Services.

    The Managed Services portal opens in a new browser tab.
  2. If you are a Service Provider, select your Subscriber account from the drop-down list.
  3. In the upper, right corner of the Managed Services portal, click Screenshot of the gear icon.
  4. From the drop-down list, select Onboarding.
  5. From the navigation menu, select Integrations.
    The Integrations page opens.

Screen shot of MDR portal Cloud Integrations page

  1. Click Add Service > G Suite.
    The G Suite tab opens.

Screen shot of MDR portal Google Workspace integration settings

  1. In the Google Admin Email text box, type the primary email address associated with your Google Workspace environment.

    2. Do not use the Service Account email address. You must use the primary email address for your environment or the connection will fail.

  1. In the Private Key JSON File Content text box, copy and paste the contents of the JSON file you saved in Create an API Key.
  2. (Optional) In the Label text box, type a unique name for the integration.
  3. Click Add.

Related Topics

About Managed Services with WatchGuard MDR