About ThreatSync+ Cloud Integration — Google Workspace

Applies To: ThreatSync+ SaaS

ThreatSync+ SaaS enables you to monitor user activity from third-party Software as a service (SaaS) and cloud environments, such as Google Workspace. ThreatSync+ SaaS integrates with Google Workspace to collect user activity logs from Google Workspace to monitor, respond to, and report on, anomalous user activity and logins by authorized and unauthorized users. The Google Workspace integration provides secure, read‑only access to audit logs and security alert data through Google Workspace APIs and a Google service account with domain‑wide delegation to collect security telemetry.

The integration process includes these steps:

  • Enable the required Google Workspace APIs in a Google Cloud project
  • Create a Google service account and generate a private key
  • Grant domain‑wide delegation to the service account in the Google Admin console
  • Upload the service account credentials to ThreatSync+

ThreatSync+ SaaS for Google Workspace includes:

  • Defense controls in two main categories:
    • Exfiltration by an Internal Actor
    • Suspicious Access Behavior
  • Google Workspace Defense Goal Report
  • Google Workspace user activity monitoring
  • Google Workspace policy alerts

For more information, go to these sections:

Licensing

To use ThreatSync+ SaaS, you must purchase and activate a ThreatSync+ SaaS license or a Total NDR license. ThreatSync+ SaaS is licensed for each user.

For more information about licensing, go to About ThreatSync+ SaaS Licenses and About Total NDR Licenses.

Reports

Reports are a critical part of monitoring your organization for threats. ThreatSync+ SaaS for Google Workspace provides the Google Workspace Defense Goals Report to help you monitor user activity, unusual logins, and suspicious file sharing activity for your users.

For more information, go to ThreatSync+ SaaS Reports.

To add the default ThreatSync+ NDR reports, additional defense control reports, plus the ability to generate custom reports, we recommend you add a ThreatSync+ NDR license and a WatchGuard Compliance Reporting license. You can also purchase the Total NDR license that includes all ThreatSync+ licenses and includes Compliance Reporting. For more information about Total NDR, go to About Total NDR.

For more information, go to ThreatSync+ NDR Reports and About WatchGuard Compliance Reporting.

Add a ThreatSync+ Cloud Integration

To add a cloud integration, you use the ThreatSync+ Integrations UI in WatchGuard Cloud. To add a ThreatSync+ cloud integration, select Configure > ThreatSync+ Integrations.

Screenshot of a successful cloud integration added to ThreatSync+ that shows the Active status

For more information, go to Configure a ThreatSync+ Cloud Integration — Google Workspace.

ThreatSync+ UI

To configure and monitor ThreatSync+ SaaS, you use the ThreatSync+ UI in WatchGuard Cloud. To connect to WatchGuard Cloud, go to cloud.watchguard.com.

Available pages and features vary and depend on your license type. Throughout this documentation, ThreatSync+ refers generally to all products. If you do not see a page or feature in the ThreatSync+ UI, it is not supported by your product.

Monitor ThreatSync+ SaaS

To monitor your ThreatSync+ cloud integration, use these pages:

  • Network Summary — Provides an overview of trends in your network and includes links to detailed information about policy alerts, and user activity. For more information, go to About the ThreatSync+ Summary Page.
  • Policy Alerts — Shows alerts for policy violations on your network. For more information, go to About Policy Alerts.
  • Users — Shows details about user activity and threat detection.
  • ThreatSync+ Audit Logs — Shows details of configuration activity performed for ThreatSync+ SaaS policies, zones, users, IP addresses, and collector changes. For more information, go to ThreatSync+ Audit Logs.

Configure ThreatSync+ SaaS

To configure ThreatSync+ SaaS, select Configure > ThreatSync+.

You can use these pages to configure ThreatSync+ SaaS:

  • Compliance Reports — Manage your network defense goals and objectives for the Google Workspace Defense Goal Report. For more information, go to Manage Network Defense Goals and Google Workspace Defense Goal Report.
  • Policies — Manage default policies and add policies with custom policy definitions for your network. For more information, go to Configure ThreatSync+ Policies and ThreatSync+ SaaS Policies. There are eight Google Workspace policies:
    • Suspicious Rate of File Activity in Google Workspace
    • Suspicious Access Time in Google Workspace
    • Suspicious Access Location in Google Workspace
    • Possible Brute Force Account Access Attempt in Google Workspace
    • New Access Location in Google Workspace
    • New Access IP in Google Workspace
    • Internal Files Shared Externally in Google Workspace
    • Internal Files Made Public in Google Workspace
  • Zones — Manage zones in your network and create custom zones. For more information, go to Manage ThreatSync+ Zones.
  • Alerts — Specify which cloud collector alerts and policy alerts generate email notifications. For more information, go to Configure ThreatSync+ Alerts and Notification Rules.

Related Topics

Configure a ThreatSync+ Cloud Integration — Google Workspace

Configure ThreatSync+

Monitor ThreatSync+