Problem

Everybody who runs Wazuh as their SIEM and Google as their default identity provider has probably hit this problem: “How do I make these two work together?” Ok, ok… you can say that:

“we don’t need to integrate gws (Google Workspace, for now) because it has a security center with dashboards, DLP warnings, and etcetera, etcetera.”

And I agree with you, indeed maybe it is not necessary to do this.

  1. BUT IF you need to make a weekly/monthly report that covers your whole infrastructure? There is NO TOOL better for this than Wazuh.

  2. BUT IF you want to build specific visualizations on your data? There is NO TOOL better for this than Wazuh.

But there is a problem: since 2021 (the oldest mention I could find), there has been no integration between them out of the box.

Solution

Solution? Thank god, yes. avanwouwe has been maintaining a wodle that integrates all Google Workspace audit events (including Drive, Groups, Calendar, SAML and Admin). Here I’ll show how to install it if you installed Wazuh on an EC2 instance as a bare-metal install, instead of a multi-node deployment or Docker.

If you used Docker (e.g. ECS, EKS, etc.), I recommend following the official documentation.

Let’s do it

There are some prerequisites before doin’ this:

The wodle requires the google-api-python-client library. Install it using Wazuh’s embedded Python:

sudo /var/ossec/framework/python/bin/pip3 install google-api-python-client

Verify the installation:

/var/ossec/framework/python/bin/python3 -c "import googleapiclient; print('OK')"

Install the wodle

Clone the repository and copy the wodle files:

cd /tmp
git clone https://github.com/avanwouwe/wazuh-gworkspace.git

sudo cp -r /tmp/wazuh-gworkspace/wodle /var/ossec/wodles/gworkspace

sudo chown -R wazuh:wazuh /var/ossec/wodles/gworkspace
sudo chmod +x /var/ossec/wodles/gworkspace/gworkspace

Configure the wodle

Create the service account key file:

sudo nano /var/ossec/wodles/gworkspace/service_account_key.json
# paste your GCP svc json key

Create the configuration file:

sudo tee /var/ossec/wodles/gworkspace/config.json << EOF
{
    "service_account": "<E-MAIL OF YOUR GOOGLE WORKSPACE SERVICE ACCOUNT>"
}
EOF

Permissions

Lock down the key and the config so only the wazuh user can read them:

sudo chown wazuh:wazuh /var/ossec/wodles/gworkspace/service_account_key.json
sudo chown wazuh:wazuh /var/ossec/wodles/gworkspace/config.json
sudo chmod 600 /var/ossec/wodles/gworkspace/service_account_key.json
sudo chmod 600 /var/ossec/wodles/gworkspace/config.json

Test and apply the rules

sudo -u wazuh /var/ossec/wodles/gworkspace/gworkspace -a admin --unread

You should see JSON-formatted log events if everything is configured correctly. After that, copy the rules file to Wazuh’s rules directory:

# you can also use `cp` in the cloned repo
sudo curl -o /var/ossec/etc/rules/0685-gworkspace_rules.xml \
    https://raw.githubusercontent.com/avanwouwe/wazuh-gworkspace/main/rules/0685-gworkspace_rules.xml

# set proper ownership
sudo chown wazuh:wazuh /var/ossec/etc/rules/0685-gworkspace_rules.xml

Configure ossec.conf

Add the wodle configuration to /var/ossec/etc/ossec.conf. Insert this block within the <ossec_config> section:

<wodle name="command">
  <disabled>no</disabled>
  <tag>gworkspace</tag>
  <command>/var/ossec/wodles/gworkspace/gworkspace -a all -o 2</command>
  <interval>10m</interval>
  <ignore_output>no</ignore_output>
  <run_on_start>yes</run_on_start>
  <timeout>0</timeout>
</wodle>

Check the config, then ask systemd gently to restart your process

sudo /var/ossec/bin/wazuh-control configtest

sudo systemctl restart wazuh-manager

sudo systemctl status wazuh-manager

Be happy! After a few minutes you should see the logs: go to Discover and filter by rule.groups.
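As an added post-install check (this script is mine, not part of the wodle project or the original post), the following verifies the layout set up above: the wodle is executable, the key and config are owned by the right user with mode 600, config.json no longer carries the placeholder e-mail, the rules file is in place and ossec.conf references the gworkspace wodle. It assumes GNU/busybox `stat -c`; the root directory and expected owner are parameters (defaulting to /var/ossec and wazuh) so it can also be run against a staging copy of the tree.

```shell
#!/usr/bin/env bash
# Post-install sanity check for the gworkspace wodle layout.
# Assumptions: GNU/busybox stat with -c; OSSEC_ROOT and owner default to
# /var/ossec and wazuh but can be overridden (check_gworkspace_install ROOT OWNER).

check_secret_file() {
    # A credential file must exist, belong to the expected user and be mode 600.
    local file="$1" owner="$2" actual
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    actual=$(stat -c '%U %a' "$file")
    [ "$actual" = "$owner 600" ] \
        || { echo "bad owner/mode on $file: $actual (want $owner 600)"; return 1; }
}

check_gworkspace_install() {
    local root="${1:-/var/ossec}" owner="${2:-wazuh}" rc=0
    local wodle_dir="$root/wodles/gworkspace"

    # 1. The wodle binary copied from the repo must be executable.
    [ -x "$wodle_dir/gworkspace" ] \
        || { echo "wodle not executable: $wodle_dir/gworkspace"; rc=1; }

    # 2. Service account key and config must be locked down (chown + chmod 600).
    check_secret_file "$wodle_dir/service_account_key.json" "$owner" || rc=1
    check_secret_file "$wodle_dir/config.json" "$owner" || rc=1

    # 3. config.json must hold a real address, not the "<E-MAIL OF ...>" placeholder.
    if grep -q '"service_account": *"<' "$wodle_dir/config.json" 2>/dev/null; then
        echo "config.json still contains the placeholder service account"; rc=1
    fi

    # 4. The rules file downloaded/copied earlier must be present.
    [ -f "$root/etc/rules/0685-gworkspace_rules.xml" ] \
        || { echo "rules file missing in $root/etc/rules"; rc=1; }

    # 5. ossec.conf must carry the command wodle tagged gworkspace.
    grep -q '<tag>gworkspace</tag>' "$root/etc/ossec.conf" 2>/dev/null \
        || { echo "ossec.conf has no gworkspace wodle block"; rc=1; }

    [ "$rc" -eq 0 ] && echo "gworkspace wodle: all checks passed"
    return "$rc"
}
```

Run it as `check_gworkspace_install` on the manager after the restart; a non-zero exit means at least one of the steps above was skipped or left world-readable.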