Sumo Logic

Configure Google Cloud Platform collection for G Suite Alert Center

This page provides instructions on how to configure Google Cloud Platform collection for G Suite Alert Center.

Use this method of collection for Google Cloud Platform (GCP) environments.

Google Cloud Platform (GCP) collection

This section provides instructions for configuring G Suite Alert Center collection in your Google Cloud Platform environment. The G Suite Alert Center collector function fetches the findings from G Suite and sends them to Sumo Logic.

To configure G Suite Alert Center collection in your GCP environment, do the following:

  1. Go to: https://console.cloud.google.com/cloudshell/

  2. Run the following command:

     wget https://s3.amazonaws.com/appdev-cloudformation-templates/sumo_gsuite_alerts_collector_deploy.sh

  3. Edit the sumo_gsuite_alerts_collector_deploy.sh bash script to configure the following variables:

  • region: The region where the Google function will be deployed. For example: "us-central1"
  • project_id: The project ID of the project where the collector and all its resources will be deployed
  • delegated_email: The valid email address for the G Suite user with Super Admin access permission
  • Sumo_endpoint: The Sumo Logic HTTP endpoint created in Step 1

  4. Run the following script:

     sh sumo_gsuite_alerts_collector_deploy.sh

  5. Copy the Client ID displayed at the end of the script output. You will use it in the Client Name field when you configure G Suite Alert Center to allow client API access in the following task.

  6. Go to the Cloud Datastore page of the project, with the Project ID you configured in the previous steps of this procedure, and create a database instance with the Cloud Firestore in Datastore Mode option. For more information, refer to the Google Cloud Datastore documentation.

[Image: GSuite_AlertCenter_DatastoreMode.png]

Configure G Suite Alert Center to allow client API access

This section explains how to configure G Suite Alert Center to allow API access.

To configure GSuite Alert Center:

  1. Go to your G Suite domain's Admin console (see instructions on signing in to your Admin console), click Security, and select Settings.

[Image: GCP_Security-Settings.png]

  2. Go to Advanced Settings and click Manage API client access.

[Image: GCP_Manage-API-Client-Access.png]

  3. In the Client Name field enter the Client ID for the service account copied in Step 2, then in the One or More API Scopes field enter the following: https://www.googleapis.com/auth/apps.alerts

[Image: GCP_Manage-API-client-access-dialog.png]

  4. Click Authorize.

Advanced configuration

This section provides a list of environment variables for G Suite Alert Center and their usage. For information on how to set these environment variables, refer to this Google Cloud document.

Environment Variable  Usage

ALERT_TYPES  The alert types to fetch. Any of the following values:
  • "Customer takeout initiated"
  • "Misconfigured whitelist"
  • "User reported phishing"
  • "User reported spam spike"
  • "Suspicious message reported"
  • "Phishing reclassification"
  • "Malware reclassification"
  • "Leaked password"
  • "Suspicious login"
  • "Suspicious login (less secure app)"
  • "Suspicious programmatic login"
  • "User suspended"
  • "User suspended (spam)"
  • "User suspended (spam through relay)"
  • "User suspended (suspicious activity)"
  • "Google Operations"
  • "Government attack warning"
  • "Device compromised"
  • "Suspicious activity"

BACKFILL_DAYS  Number of days before the event collection will start. If the value is 1, events are fetched from yesterday to today.

PAGINATION_LIMIT  Number of events to fetch in a single API call.

LOG_FORMAT  Log format used by the Python logging module to write logs to a file.

ENABLE_LOGFILE  Set to TRUE to write all logs and errors to a log file.

ENABLE_CONSOLE_LOG  Enables printing logs to the console.

LOG_FILEPATH  Path of the log file used when ENABLE_LOGFILE is set to TRUE.

NUM_WORKERS  Number of threads to spawn for API calls.

MAX_RETRY  Number of retries to attempt in case of request failure.

BACKOFF_FACTOR  A backoff factor to apply between attempts after the second try. If the backoff_factor is 0.1, then sleep() will sleep for [0.0s, 0.2s, 0.4s, ...] between retries.

TIMEOUT  Request timeout used by the requests library.

SUMO_ENDPOINT  HTTP source endpoint URL created in Sumo Logic.
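The backfill and retry variables above interact in ways the table only hints at. The following added example is not Sumo Logic's collector code: it reads the same environment variables, computes the window that BACKFILL_DAYS implies (interpreting "yesterday" as the start of that day, an assumption), builds the sleep schedule that BACKOFF_FACTOR and MAX_RETRY produce using the urllib3 formula the table describes, and wraps an API call in that retry policy. The defaults and the `flaky_call` stand-in for the Alert Center request are constructed for the example.

```python
import os
import time
from datetime import datetime, timedelta, timezone

# Defaults here are assumptions for this example, not the collector's own defaults.
def load_settings(env=None):
    env = os.environ if env is None else env
    return {
        "backfill_days": int(env.get("BACKFILL_DAYS", "1")),
        "max_retry": int(env.get("MAX_RETRY", "3")),
        "backoff_factor": float(env.get("BACKOFF_FACTOR", "0.1")),
        "timeout": float(env.get("TIMEOUT", "30")),  # passed as requests' timeout= by the caller
    }

def backfill_window(backfill_days, now=None):
    """Collection window implied by BACKFILL_DAYS: 1 means from the start of yesterday to now."""
    now = now or datetime.now(timezone.utc)
    start = (now - timedelta(days=backfill_days)).replace(hour=0, minute=0, second=0, microsecond=0)
    return start, now

def backoff_schedule(backoff_factor, max_retry):
    """Sleep before retry n, urllib3 style: 0 for the first retry, then factor * 2**(n-1).

    For factor 0.1 and three retries this is [0.0, 0.2, 0.4], as the table above states.
    """
    return [0.0 if n == 1 else backoff_factor * 2 ** (n - 1) for n in range(1, max_retry + 1)]

def fetch_with_retry(call, max_retry, backoff_factor, sleep=time.sleep):
    """Run call() once, then retry up to MAX_RETRY times, sleeping per the backoff schedule."""
    schedule = backoff_schedule(backoff_factor, max_retry)
    retries = 0
    while True:
        try:
            return call()
        except (ConnectionError, TimeoutError) as exc:  # the transient request errors worth retrying
            retries += 1
            if retries > max_retry:
                raise RuntimeError(f"giving up after {max_retry} retries") from exc
            sleep(schedule[retries - 1])

def flaky_call(failures, result="ok"):
    """Constructed stand-in for the Alert Center API call: fails `failures` times, then succeeds."""
    state = {"calls": 0}
    def call():
        state["calls"] += 1
        if state["calls"] <= failures:
            raise ConnectionError("constructed transient failure")
        return result
    return call
```

Raising MAX_RETRY lengthens the schedule geometrically, so a misconfigured endpoint stalls the function for the whole sum of the sleeps before it reports an error in the logs.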

Troubleshooting the Google Cloud Platform Function

This section shows you how to troubleshoot the function and resolve errors you may have encountered.

To verify the function, do the following:

  1. Log in to your Google Cloud Platform account, navigate to the cloud function you created, and click Testing.

  2. Click the Test the function button.

[Image: GSuite_Troubleshooting_TestFunction.png]

  3. Click the View Logs button to view the function logs. If an environment variable was not set, you will see error messages similar to the following.

[Image: GSuite_Troubleshooting_ErrorLogs.png]

  4. Set the missing environment variable to resolve the issue.