Sumo Logic

Configure Collection for G Suite Alert Center

This page provides instructions for configuring log collection from G Suite Alert Center for use with the Sumo Logic App for G Suite.

It explains how to collect alerts from G Suite Alert Center and ingest them into Sumo Logic, where the G Suite App's predefined dashboards and searches consume them.

Alert types

All alerts are delivered in JSON format. Most alerts share a few common top-level fields: alertId, customerId, createTime, source, type and data. They differ in the data section of the JSON, where the details specific to each alert type are recorded. For more information about the individual alert types, refer to the G Suite Alert Center documentation.

Collection overview

Sumo Logic provides a serverless solution that pulls logs from G Suite with API calls. You can configure the list of alert types to be collected; by default, all alert types are collected. The alerts are then forwarded to Sumo Logic's HTTP endpoint in JSON format. By default, collection starts from the current date and time, but this setting is also configurable, as detailed in the Advanced configuration section.

[Figure: G Suite Alert Center collection overview]

Step 1: Add a Hosted Collector and HTTP Source

This section describes how to add a hosted Sumo Logic collector and an HTTP Logs and Metrics source that will receive the alerts from G Suite Alert Center.

Prerequisite

Before creating the HTTP source, identify the Sumo Logic Hosted Collector you want to use, or create a new Hosted Collector as described in the following task.

To add a hosted collector and HTTP source, do the following:

  1. Create a new Sumo Logic Hosted Collector by performing the steps in Configure a Hosted Collector.
  2. Add an HTTP Logs and Metrics Source.
  3. In the Advanced Options for Logs, under Timestamp Format, click Specify a format and enter the following information in the respective fields:
     • Format: yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
     • Timestamp locator: \"createTime\":(.*),

[Figure: HTTP Source dialog with the timestamp format and locator filled in]

  4. Click Add.

Step 2: Configure collection for G Suite Alert Center

In this section, we explore the available mechanisms for collecting alerts from G Suite Alert Center and sending them to Sumo Logic, where they are shown in the dashboards of the G Suite App. You can run the G Suite Alert Center collector in Google Cloud Platform (GCP), or as a script on a Linux machine. Choose the method that best suits your environment.

Sample Log Message

This section provides a sample G Suite Alert Center log message.

{
 "alertId": "2b49ec18-2f92-4d58-acca-45994b740848",
 "createTime": "TIMESTAMP",
 "customerId": "03gm7p8e",
 "data": {
   "@type": "type.googleapis.com/google.apps.alertcenter.type.DomainWideTakeoutInitiated",
   "takeoutRequestId": "unique9gfd87ss",
   "email": "john@alertcenter1.bigr.name"
 },
 "deleteTime": "TIMESTAMP",
 "endTime": "TIMESTAMP",
 "metadata": {
   "alertId": "2b49ec18-2f92-4d58-acca-45994b740848",
   "customerId": "03gm7p8e",
   "status": "NOT_STARTED",
   "updateTime": "TIMESTAMP"
 },
 "source": "Domain wide takeout",
 "startTime": "TIMESTAMP",
 "type": "Customer takeout initiated"
}

Query Sample

The query sample provided in this section is from the G Suite Activity by Users with Compromised Credentials panel of the G Suite - Alert Center - Investigations Dashboard.

_sourceCategory=gsuite_google_apps
| json "actor", "events", "id" nodrop
| json field=actor "email"
| json field=id "applicationName"
| where [subquery:_sourceCategory=gsuite_alerts "Leaked password"
 | json "alertId","customerId","source","type","data", "data.email" as alert_id, customer_id, source, type, data, email
 | where type="Leaked password"
 | count by email
 | compose email
]
| parse regex field=events "\"name\":\"(?<event_name>[^\"]+)\",\"type\":\"(?<event_type>[^\"]+)\"" multi
| formatDate(_messageTime,"MM-dd-yyyy HH:mm:ss:SSS") as event_time
| count by event_time, event_name, event_type, email, applicationName
| fields -_count
| sort by event_time
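To make the panel's logic concrete, the following added Python model reproduces the same correlation offline (example code written for this page, not part of the Sumo Logic App or its query language). The alert and activity records are constructed samples, and the field extraction mirrors the query's json and parse regex steps: the subquery collects the emails of users with a "Leaked password" alert, and the outer query keeps only the activity events performed by those users.

```python
import json
import re

# Constructed sample records (hypothetical, not real customer data).
# ALERTS stands in for _sourceCategory=gsuite_alerts, ACTIVITY for gsuite_google_apps.
ALERTS = [
    {"alertId": "a1", "customerId": "03gm7p8e", "source": "Google identity",
     "type": "Leaked password", "data": {"email": "alice@example.com"}},
    {"alertId": "a2", "customerId": "03gm7p8e", "source": "Domain wide takeout",
     "type": "Customer takeout initiated", "data": {"email": "bob@example.com"}},
]
ACTIVITY = [
    {"id": {"applicationName": "login"}, "actor": {"email": "alice@example.com"},
     "events": [{"name": "login_success", "type": "login"},
                {"name": "logout", "type": "login"}]},
    {"id": {"applicationName": "drive"}, "actor": {"email": "bob@example.com"},
     "events": [{"name": "download", "type": "access"}]},
    {"id": {"applicationName": "admin"}, "actor": {"email": "alice@example.com"},
     "events": [{"name": "CHANGE_PASSWORD", "type": "USER_SETTINGS"}]},
]

# Same pattern as the query's `parse regex ... multi`, in Python named-group syntax.
EVENT_RE = re.compile(r'"name":"(?P<event_name>[^"]+)","type":"(?P<event_type>[^"]+)"')


def compromised_emails(alerts):
    """The subquery: distinct emails of users with a 'Leaked password' alert."""
    return {a["data"]["email"] for a in alerts if a.get("type") == "Leaked password"}


def activity_for_compromised_users(activity, alerts):
    """Outer query: one row per (event_name, event_type, email, applicationName)
    for users returned by the subquery. Duplicates collapse, as `count by` does."""
    watch = compromised_emails(alerts)
    rows = []
    for rec in activity:
        email = rec.get("actor", {}).get("email")
        if email not in watch:
            continue
        app = rec.get("id", {}).get("applicationName")
        # The raw message carries `events` as a JSON string; rebuild that form before
        # applying the regex, exactly as the query does with the extracted field.
        events_str = json.dumps(rec.get("events", []), separators=(",", ":"))
        for m in EVENT_RE.finditer(events_str):
            row = (m["event_name"], m["event_type"], email, app)
            if row not in rows:
                rows.append(row)
    return rows


if __name__ == "__main__":
    for row in activity_for_compromised_users(ACTIVITY, ALERTS):
        print(row)
```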