Set up Google Workspace for Incident Response

This article provides the steps to protect Google email with Incident Response.

Incident Response for Google Workspace is currently limited to early adopters. Please contact your account manager for details and potential early access.

NOTE: You must be a Super Administrator to use Barracuda Incident Response with Google Workspace. 

All four steps of this process must be completed to protect Google email.

Step 1 – Sign In and Grant Barracuda Access to Google Workspace

  1. Sign in to Incident Response to get started. If you do not already have an account, you can create one here. 

  2. Select Google when asked to connect to an email provider. 

  3. Sign in to your Google Workspace account as a Super Admin.

  4. Click Allow when asked to grant access to Barracuda Networks. 

  5. After Barracuda Networks verifies your Super Admin account, you will be taken to Step 2. 

Step 2 – Set Up Privileges in Google Workspace

Google Workspace must have the correct privileges to use Incident Response. Follow the steps below to configure privileges.

  1. Sign in to the Google Workspace Admin Console.
    (Note: Super Administrator permissions are required.)

  2. Navigate to Security > Access and data control > API controls.

  3. Click MANAGE DOMAIN WIDE DELEGATION.

  4. Select Add new.

  5. Enter the following into the Client ID field: 116785958912330628458

  6. Add the following OAuth scopes:
    https://www.googleapis.com/auth/userinfo.profile,
    https://www.googleapis.com/auth/userinfo.email,
    https://www.googleapis.com/auth/admin.directory.user,
    https://www.googleapis.com/auth/gmail.modify,
    https://www.googleapis.com/auth/admin.reports.audit.readonly,
    https://www.googleapis.com/auth/apps.licensing,
    https://www.googleapis.com/auth/admin.directory.domain.readonly,
    https://www.googleapis.com/auth/admin.directory.customer.readonly,
    https://www.googleapis.com/auth/admin.directory.group.readonly

  7. Click Authorize.

  8. The Workspace privileges are now configured. Return to Incident Response and click Verify.
    Note: It may take time for privileges to propagate; you may need to wait and try again.  

  9. After privileges have been verified, click the Next button at the top-right of your screen to go to Step 3.
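
The domain-wide delegation entry created in this step can be reviewed later for drift. The following is an added example, not Barracuda's code: it compares a delegation entry (Client ID plus the pasted scope list) against the values given in this step. The function names and the sample entry are assumptions made for the example.

```python
import re

# Values copied from Step 2 of this page.
EXPECTED_CLIENT_ID = "116785958912330628458"
EXPECTED_SCOPES = frozenset("https://www.googleapis.com/auth/" + s for s in (
    "userinfo.profile", "userinfo.email", "admin.directory.user",
    "gmail.modify", "admin.reports.audit.readonly", "apps.licensing",
    "admin.directory.domain.readonly", "admin.directory.customer.readonly",
    "admin.directory.group.readonly",
))

def parse_scopes(text):
    """Split a pasted scope list on commas and whitespace, dropping empty items."""
    return [s for s in re.split(r"[,\s]+", text.strip()) if s]

def audit_delegation(client_id, scopes_text):
    """Compare one delegation entry with the Client ID and scopes from Step 2."""
    granted = parse_scopes(scopes_text)
    granted_set = set(granted)
    return {
        "client_id_ok": client_id.strip() == EXPECTED_CLIENT_ID,
        "missing": sorted(EXPECTED_SCOPES - granted_set),
        "unexpected": sorted(granted_set - EXPECTED_SCOPES),
        "duplicates": sorted({s for s in granted if granted.count(s) > 1}),
        # Scopes without the .readonly suffix: review these first.
        "not_readonly": sorted(s for s in granted_set
                               if not s.endswith(".readonly")),
    }

# Constructed sample entry (hypothetical): one scope from Step 2 is absent
# and a broader Gmail scope that is not in Step 2 has been added.
SAMPLE_ENTRY = """
https://www.googleapis.com/auth/userinfo.profile,
https://www.googleapis.com/auth/userinfo.email,
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/gmail.modify,
https://www.googleapis.com/auth/admin.reports.audit.readonly,
https://www.googleapis.com/auth/apps.licensing,
https://www.googleapis.com/auth/admin.directory.domain.readonly,
https://www.googleapis.com/auth/admin.directory.customer.readonly,
https://mail.google.com/
"""

if __name__ == "__main__":
    for field, value in audit_delegation(EXPECTED_CLIENT_ID, SAMPLE_ENTRY).items():
        print(field, value)
```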

Step 3 – Set Up Headers in Google Workspace

Incident Response looks for specific headers in Google email. Follow the steps below to configure these headers.

  1. Continue or sign in to the Google Workspace Admin Console.

  2. Navigate to Apps > Google Workspace > Gmail > Routing.

  3. Under the Routing table, click the ADD ANOTHER RULE link.

  4. The Add setting dialog opens. This is the first of three rules to be added.

    1. Enter a name for the rule in the top field. Example: Routing Inbound

    2. Under Email messages to affect, select the Inbound option.

    3. Under Modify message > Headers, select the Add custom headers option.

    4. In the Custom headers box, click Add.

    5. For Header key, enter Gm-EP-Direction-Inbound

    6. For Header value, enter 1.

    7. Click SAVE. The rule setting should look like this:

      Step 3.4g.png

       

    8. Click SAVE at the bottom. The rule should appear in the Routing table.

  5. Add a second rule by doing the following:

    1. Give the rule a name. Example: Routing Outbound

    2. Under Email messages to affect, select the Outbound option. 

    3. Under Modify message > Headers, select the Add custom headers option. 

    4. In the Custom headers box, click Add.

    5. For Header key, enter Gm-EP-Direction-Outbound

    6. For Header value, enter 1.

    7. The rule setting should look like this:

      Step 3.5g.png

       

    8. Click SAVE at the bottom. The rule should appear in the Routing table.

  6. Add a third rule by doing the following:

    1. Give the rule a name. Example: Sending and Receiving 

    2. Under Email messages to affect, select both the Internal - Sending and Internal - Receiving options.

    3. Under Modify message > Headers, select the Add custom headers option. 

    4. In the Custom headers box, click Add.

    5. For Header key, enter Gm-EP-Direction-Internal

    6. For Header value, enter 1.

    7. The rule setting should look like this:  

      Step 3.6g_.png

       

    8. Click SAVE at the bottom. The rule should appear in the Routing table.

  7. Return to Incident Response.

  8. Barracuda will send emails to ensure that the headers have been set up correctly. As in the example shown in the image below, an email will be sent from your Google admin account to a Barracuda email address. Another email will be sent from Barracuda to your Google admin account.

    send-emails.png

     

  9. In the empty field shown above, add an email address that is internal to your mailbox (e.g., user@yourdomain.com).
    As you start to type, the field should pre-populate with internal email addresses.

  10. Click the Send emails button. The green Emails sent chip will display once all messages are away.
    It typically takes a minute or two for Barracuda to receive and inspect the emails.

  11. Click the Verify button to ensure all headers have been added correctly.

  12. If the headers are correct, the green Verified chip will display.
    If there is a problem, an error will be displayed. Wait a few minutes to see if the emails are received by Barracuda and the error goes away. If the error message persists, try again by clicking Resend emails and then waiting several minutes before clicking the Verify button. If that is still unsuccessful, return to the beginning of this step (Step 3).

  13. Once the Google email header configuration is verified, click the Next button at top-right of your screen.
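
If verification keeps failing, the three routing rules from this step can be checked locally against the raw source of a test message (for example, one copied from Gmail's Show original view). The following is an added example, not Barracuda's verification logic: the function name, the sample messages, and the treatment of repeated headers as a problem are assumptions made for the example.

```python
from email import message_from_string
from email.policy import default

# Header keys and value configured by the three routing rules in Step 3.
DIRECTION_HEADERS = {
    "inbound": "Gm-EP-Direction-Inbound",
    "outbound": "Gm-EP-Direction-Outbound",
    "internal": "Gm-EP-Direction-Internal",
}
EXPECTED_VALUE = "1"

def check_direction_headers(raw_message, expected_direction):
    """Report which direction headers a raw message carries and any problems."""
    msg = message_from_string(raw_message, policy=default)
    found, problems = {}, []
    for direction, key in DIRECTION_HEADERS.items():
        # Header names are matched case-insensitively by the email package.
        values = [str(v).strip() for v in msg.get_all(key, [])]
        if not values:
            continue
        found[direction] = values
        # Assumption: a rule that was added twice shows up as a repeated header.
        if len(values) > 1:
            problems.append(f"{key} appears {len(values)} times")
        problems += [f"{key} has value {v!r}, expected {EXPECTED_VALUE!r}"
                     for v in values if v != EXPECTED_VALUE]
    if expected_direction not in found:
        problems.append(f"{DIRECTION_HEADERS[expected_direction]} is missing")
    return {"found": found, "problems": problems, "ok": not problems}

# Constructed sample messages (not real mail); addresses are placeholders.
INBOUND_OK = (
    "From: sender@example.net\nTo: user@yourdomain.com\nSubject: header test\n"
    "Gm-EP-Direction-Inbound: 1\n\nbody\n"
)
OUTBOUND_NO_RULE = (
    "From: user@yourdomain.com\nTo: sender@example.net\n"
    "Subject: header test\n\nbody\n"
)
INTERNAL_BAD_VALUE = (
    "From: user@yourdomain.com\nTo: admin@yourdomain.com\nSubject: header test\n"
    "gm-ep-direction-internal: true\n\nbody\n"
)

if __name__ == "__main__":
    print(check_direction_headers(INBOUND_OK, "inbound"))
    print(check_direction_headers(OUTBOUND_NO_RULE, "outbound"))
    print(check_direction_headers(INTERNAL_BAD_VALUE, "internal"))
```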

Barracuda will take anywhere from several hours to several days (depending on the size of your account) to fully learn about your environment. After the initial learning phase is finished, you will receive an email notifying you that Impersonation Protection is now available.