Configure Collection for G Suite Alert Center
This page explains how to collect logs from G Suite Alert Center and ingest them into Sumo Logic for use with the G Suite App predefined dashboards and searches. Click a link to jump to a topic:
- Alert types
- Collection overview
- Step 1: Add a Hosted Collector and HTTP Source
- Step 2: Configure collection for G Suite Alert Center
- Sample Log Message
- Query Sample
Alert types
All the alerts are in JSON format. Most alerts share a few common fields, such as alertId, customerId, createTime, source, type and data. The differences are in the data section of the JSON, where the details specific to each alert type are recorded. For more information about the different alert types, refer to the G Suite Alert document.
Collection overview
Sumo Logic provides a serverless solution that pulls logs from G Suite with API calls. You can configure the list of alert types to be collected; by default all alerts are collected. The alerts are then forwarded to Sumo Logic's HTTP endpoint in JSON format. By default the collection starts from the current date and time, but this setting is also configurable, as detailed in the Advanced configuration section.
Step 1: Add a Hosted Collector and HTTP Source
This section demonstrates how to add a hosted Sumo Logic collector and an HTTP Logs and Metrics source to collect alerts from G Suite Alert Center.
Prerequisite
Before creating the HTTP source, identify the Sumo Logic Hosted Collector you want to use, or create a new Hosted Collector as described in the following task.
To add a hosted collector and HTTP source, do the following:
- Create a new Sumo Logic Hosted Collector by performing the steps in Configure a Hosted Collector.
- Add an HTTP Logs and Metrics Source.
- In the Advanced Options for Logs, under Timestamp Format, click Specify a format and enter the following information in the respective fields:
- Format: yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
- Timestamp locator: \"createTime\":(.*),
- Click Add.
Step 2: Configure collection for G Suite Alert Center
In this section, we explore various mechanisms to collect findings from G Suite Alert Center and send them to Sumo Logic, where they are shown in dashboards as part of the G Suite App. You can configure a G Suite Alert Center collector in Google Cloud Platform (GCP), or via a script on a Linux machine. Choose the method that is best suited for you:
Sample Log Message
This section provides a sample G Suite Alert Center log message.
{
  "alertId": "2b49ec18-2f92-4d58-acca-45994b740848",
  "createTime": "TIMESTAMP",
  "customerId": "03gm7p8e",
  "data": {
    "@type": "type.googleapis.com/google.apps.alertcenter.type.DomainWideTakeoutInitiated",
    "takeoutRequestId": "unique9gfd87ss",
    "email": "john@alertcenter1.bigr.name"
  },
  "deleteTime": "TIMESTAMP",
  "endTime": "TIMESTAMP",
  "metadata": {
    "alertId": "2b49ec18-2f92-4d58-acca-45994b740848",
    "customerId": "03gm7p8e",
    "status": "NOT_STARTED",
    "updateTime": "TIMESTAMP"
  },
  "source": "Domain wide takeout",
  "startTime": "TIMESTAMP",
  "type": "Customer takeout initiated"
}
Query Sample
The query sample provided in this section is from the G Suite Activity by Users with Compromised Credentials panel of the G Suite - Alert Center - Investigations Dashboard.
_sourceCategory=gsuite_google_apps
| json "actor", "events", "id" nodrop
| json field=actor "email"
| json field=id "applicationName"
| where [subquery:_sourceCategory=gsuite_alerts "Leaked password"
    | json "alertId","customerId","source","type","data", "data.email" as alert_id, customer_id, source, type, data, email
    | where type="Leaked password"
    | count by email
    | compose email ]
| parse regex field=events "\"name\":\"(?<event_name>[^\"]+)\",\"type\":\"(?<event_type>[^\"]+)\"" multi
| formatDate(_messageTime,"MM-dd-yyyy HH:mm:ss:SSS") as event_time
| count by event_time, event_name, event_type, email, applicationName
| fields -_count
| sort by event_time
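To make the alert structure from the Alert types section and the logic of the query above concrete, here is an added Python example (not code from Sumo Logic or the G Suite App). It extracts the common alert fields, applies the Step 1 timestamp format to createTime, and reproduces the query offline: the subquery collects users with a "Leaked password" alert, and the outer part lists their activity. All sample records are constructed, and the activity records use an assumed id.time field as the event time in place of _messageTime.

```python
import json
from datetime import datetime, timezone

# Step 1 timestamp format yyyy-MM-dd'T'HH:mm:ss.SSS'Z' as a strptime pattern (%f accepts 3 digits).
CREATE_TIME_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"

# Constructed alerts modelled on the page's sample message (not real data).
ALERT_LINES = [
    '{"alertId": "a-1", "customerId": "03gm7p8e", "createTime": "2020-05-04T10:15:30.123Z",'
    ' "source": "Google identity", "type": "Leaked password", "data": {"email": "alice@example.com"}}',
    '{"alertId": "a-2", "customerId": "03gm7p8e", "createTime": "2020-05-04T11:00:00.000Z",'
    ' "source": "Domain wide takeout", "type": "Customer takeout initiated", "data": {"email": "john@example.com"}}',
]
# Constructed G Suite activity records, the _sourceCategory=gsuite_google_apps side of the query.
ACTIVITY_LINES = [
    '{"actor": {"email": "alice@example.com"}, "id": {"applicationName": "login", "time": "2020-05-04T10:20:00.000Z"},'
    ' "events": [{"name": "login_success", "type": "login"}]}',
    '{"actor": {"email": "bob@example.com"}, "id": {"applicationName": "drive", "time": "2020-05-04T10:21:00.000Z"},'
    ' "events": [{"name": "download", "type": "access"}]}',
]

def common_fields(line):
    # Fields every alert type shares, plus the type-specific data.email the query keys on.
    alert = json.loads(line)
    return {
        "alertId": alert["alertId"],
        "customerId": alert["customerId"],
        "createTime": datetime.strptime(alert["createTime"], CREATE_TIME_FMT).replace(tzinfo=timezone.utc),
        "source": alert["source"],
        "type": alert["type"],
        "email": alert["data"].get("email"),
    }

def compromised_users(alert_lines):
    # The query's subquery: distinct emails that have a "Leaked password" alert.
    return {f["email"] for f in map(common_fields, alert_lines)
            if f["type"] == "Leaked password" and f["email"]}

def activity_by_compromised(activity_lines, users):
    # The outer query: one row per event by a flagged user, sorted by event time.
    rows = []
    for line in activity_lines:
        rec = json.loads(line)
        email = rec["actor"]["email"]
        if email not in users:
            continue
        for ev in rec["events"]:
            rows.append((rec["id"]["time"], ev["name"], ev["type"], email, rec["id"]["applicationName"]))
    return sorted(rows)
```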