Integrate Google Workspace
You can integrate Google Workspace with Sophos Central so that the service sends alerts to Sophos for analysis. For a list of alerts you can receive from Google Workspace, see View alert details.
You must be a super administrator in your Google Workspace account to do the integration.
The key steps are as follows:
- Enable the Google Workspace Alert Center API.
- Create a service account and key.
- Enable domain-wide delegation and OAuth scope.
- Assign a delegated user's email address.
- Configure a Google Workspace integration in Sophos Central.
Enable the Google Workspace Alert Center API
- Go to the Google Cloud console and select your project.
- In your project, enable the Google Workspace Alert Center API as the Alert API.
  To find this setting, search for "Google Workspace Alert Center API" in the search bar and click Enable.
You're redirected to the APIs & Services page. Next, you create a service account and key.
Create a service account and key
To create a service account and key, do as follows:
- On the APIs & Services page, select Credentials on the left.
- Click Create Credentials and select Service Account.
- In the Service account details, provide a Service account ID to identify the account, and click Create and Continue. Click Done to create the account.
- To create JSON details for the service account, you must create a key. Click the service account ID you created previously and go to the Keys tab.
- Click Add key and select Create new key.
- In the pop-up dialog, select JSON and click Create.
  JSON details for the service account are automatically downloaded to your computer. Keep them safe and secure.
Enable domain-wide delegation
You must get your Client ID and authorize domain-wide delegation to your service account. This includes adding the OAuth scope to the account.
Follow the steps below or see the latest Google instructions in Set up domain-wide delegation for a service account.
To set up domain-wide delegation of authority for a service account, do as follows:
- In the Google Cloud console, go to Menu > IAM & Admin > Service Accounts.
- Select your service account.
- Click Show advanced settings.
- Under Domain-wide delegation, find your service account's Client ID. Click Copy to copy the client ID value to your clipboard.
- If you have super administrator access to the relevant Google Workspace account, click View Google Workspace Admin Console, then sign in with a super administrator user account. Continue to the next step.
  If you don't have super administrator access, contact a super administrator for that account and send them your service account's Client ID and list of OAuth Scopes so they can complete the remaining steps. When they finish, you can add the integration in Sophos Central. See Configure an integration.
- In the Google Admin console, go to Menu > Security > Access and data control > API controls.
- Click Manage Domain-Wide Delegation.
- Click Add new and do as follows:
  - In the Client ID field, paste the client ID you copied previously.
  - In the OAuth Scopes field, enter the following scope: https://www.googleapis.com/auth/apps.alerts
  - Click Authorize.
Next, assign the email address of the user that you want to delegate for API calls.
Assign a delegated user's email address
Add the email address of a Super Admin user that you want to delegate for API calls. This should be the admin email address for the domain.
To assign the address, do as follows:
- Sign in to admin.google.com.
- Go to Directory > Users.
- Click Add new user and create a user with the Super Admin role.
  Alternatively, click an existing user, click Admin roles and privileges, hover over Roles, click the Edit icon on the upper right, and assign the user the Super Admin role.
- Make a note of the delegate Super Admin's email. You'll need it later.
Next, you configure an integration in Sophos Central.
Configure an integration
To integrate Google Workspace with Sophos Central, do as follows:
- In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
- Click Google Workspace.
  The Google Workspace page opens. You can configure integrations here and see a list of any you've already configured.
- In Data Ingest (Security Alerts), click Add Configuration.
  Note: If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See Provide your domain and IP details.
- In Integration steps, you configure an API to collect data from Google Workspace.
  - Enter a name and a description for the integration.
  - In Client E-mail, enter the email address from the client_email field in the JSON file you downloaded. This email address ends with gserviceaccount.com. Don't enclose it in quotation marks.
  - In User E-mail, enter the same email address you used for delegated user email (the admin email address for the domain).
  - In Private Key, enter the key from the private_key field in the JSON file you downloaded. Enter everything, including the lines -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----. Don't enclose it in quotation marks.
- Click Save.
We create the integration and it appears in your list. If its status icon shows a green tick, your data should appear in the Sophos Data Lake after validation.
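A pre-flight check for the downloaded key file before you paste its values into Sophos Central, as an added example that is not part of the Sophos or Google documentation. The field names (type, client_id, client_email, private_key) follow Google's service account key file; check_key_file, write_sample and the sample values are constructed for illustration, and the permission check assumes a POSIX system.

```python
import json
import os
import stat
import tempfile

PEM_BEGIN = "-----BEGIN PRIVATE KEY-----"
PEM_END = "-----END PRIVATE KEY-----"
SA_SUFFIX = "gserviceaccount.com"

# Constructed sample, not a real key: every value below is a placeholder.
SAMPLE_KEY = {
    "type": "service_account",
    "client_id": "100000000000000000001",
    "client_email": "sophos-alerts@example-project.iam.gserviceaccount.com",
    "private_key": PEM_BEGIN + "\nCONSTRUCTED-PLACEHOLDER-NOT-A-KEY\n" + PEM_END + "\n",
}


def write_sample(key, mode):
    """Write a key dict to a temporary JSON file with the given POSIX mode."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(key, fh)
    os.chmod(path, mode)
    return path


def check_key_file(path, delegated_user):
    """Return the problems found in a downloaded service account key file."""
    problems = []
    # The file holds a private key, so only its owner should be able to read it (POSIX).
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("key file is accessible to group or others")
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)  # decoding turns the \n escapes in private_key into line breaks
    if key.get("type") != "service_account":
        problems.append("type is not service_account")
    if not key.get("client_email", "").endswith(SA_SUFFIX):
        problems.append("client_email does not end with " + SA_SUFFIX)
    pem = key.get("private_key", "").strip()
    if not (pem.startswith(PEM_BEGIN) and pem.endswith(PEM_END)):
        problems.append("private_key lacks its BEGIN/END lines")
    if not str(key.get("client_id", "")).isdigit():
        problems.append("client_id is missing or not numeric")
    # User E-mail is the delegated Super Admin, not the service account address.
    if "@" not in delegated_user or delegated_user.endswith(SA_SUFFIX):
        problems.append("delegated user is not a Workspace admin address")
    return problems
```

Call check_key_file with the path of the real key file and the delegated Super Admin's address; an empty list means the fields match what the steps above expect.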