Sumo Logic

Configure Google Cloud Platform collection for G Suite Alert Center

This page provides instructions on how to configure Google Cloud Platform collection for G Suite Alert Center.

Use this method of collection for Google Cloud Platform (GCP) environments.

Google Cloud Platform (GCP) collection

This section provides instructions for configuring G Suite Alert Center collection in your Google Cloud Platform environment. The G Suite Alert Center collector function fetches the findings from G Suite and sends them to Sumo Logic.

To configure G Suite Alert Center collection in your GCP environment, do the following:

  1. Go to: https://console.cloud.google.com/cloudshell/

  2. Run the following command:

wget https://s3.amazonaws.com/appdev-cloudformation-templates/sumo_gsuite_alerts_collector_deploy.sh

  3. Edit the sumo_gsuite_alerts_collector_deploy.sh bash script to configure the following variables:

  • region: The region where the Google Cloud function will be deployed. For example: "us-central1"
  • project_id: The project ID of the project where the collector and all its resources will be deployed
  • delegated_email: A valid email address for a G Suite user with Super Admin access permission
  • Sumo_endpoint: The Sumo Logic HTTP endpoint created in Step 1

  4. Run the following script:

sh sumo_gsuite_alerts_collector_deploy.sh

  5. In the command prompt, enter "N" for the question "Allow unauthenticated invocations of new function", as shown below.

[Screenshot: Command Prompt.png]

  6. Copy the Client ID displayed at the end of the script output. You will use it in the Client Name field when you configure G Suite Alert Center to allow client API access in the following task.

  7. Go to the Cloud Datastore page of the project with the Project ID you configured in the previous steps of this procedure, and create a database instance with the Cloud Firestore in Datastore Mode option. For more information, refer to the Google Cloud Datastore documentation.

[Screenshot: GSuite_AlertCenter_DatastoreMode.png]

Configure G Suite Alert Center to allow client API access

This section explains how to configure G Suite Alert Center to allow API access.

To configure G Suite Alert Center:

  1. Go to your G Suite domain’s Admin console (see instructions on signing in to your Admin console), click Security, and select Settings.

[Screenshot: GCP_Security-Settings.png]

  2. Scroll down and click the App access control section.

[Screenshot: GSuite_Step2.png]

  3. In the newly opened window, click Manage Domain-wide Delegation at the bottom.

[Screenshot: GSuite_Step3.png]

  4. Click the Add new button at the top.

[Screenshot: GSuite_Step4.png]

  5. Enter the Client ID for the service account copied in Step 2, then in the OAuth Scopes field enter the following: https://www.googleapis.com/auth/apps.alerts

[Screenshot: GSuite_Step5.png]

  6. Click Authorise.

Adding new Alert types

If Google adds a new alert type in the future, do the following to add it:

  1. Go to the gsuitealertcenterfunc Google Cloud function console.

  2. Click Edit at the top and then click Next.

[Screenshot: Alert_Type_Step2.png]

  3. In the editor, edit the gsuitealertcenter.yaml file and add the new alert types to the ALERT_TYPES parameter, using the names from the “Alert type” column of the G Suite Alert types documentation.

[Screenshot: Alert_Type_Step3.png]

  4. Click Deploy.

Advanced configuration

This section provides a list of environment variables for G Suite Alert Center and their usage. For information on how to set these environment variables, refer to this Google Cloud document.

Environment Variable   Usage

ALERT_TYPES            The alert types to collect. The types listed are:
                         "Customer takeout initiated"
                         "Misconfigured whitelist"
                         "User reported phishing"
                         "User reported spam spike"
                         "Suspicious message reported"
                         "Phishing reclassification"
                         "Malware reclassification"
                         "Leaked password"
                         "Suspicious login"
                         "Suspicious login (less secure app)"
                         "Suspicious programmatic login"
                         "User suspended"
                         "User suspended (spam)"
                         "User suspended (spam through relay)"
                         "User suspended (suspicious activity)"
                         "Google Operations"
                         "Government attack warning"
                         "Device compromised"
                         "Suspicious activity"

BACKFILL_DAYS          Number of days before the event collection will start. If the value is 1, then events are fetched from yesterday to today.

PAGINATION_LIMIT       Number of events to fetch in a single API call.

LOG_FORMAT             Log format used by the Python logging module to write logs to a file.

ENABLE_LOGFILE         Set to TRUE to write all logs and errors to a log file.

ENABLE_CONSOLE_LOG     Enables printing logs to the console.

LOG_FILEPATH           Path of the log file used when ENABLE_LOGFILE is set to TRUE.

NUM_WORKERS            Number of threads to spawn for API calls.

MAX_RETRY              Number of retries to attempt in case of request failure.

BACKOFF_FACTOR         A backoff factor to apply between attempts after the second try. If the backoff_factor is 0.1, then sleep() will sleep for [0.0s, 0.2s, 0.4s, ...] between retries.

TIMEOUT                Request timeout used by the requests library.

SUMO_ENDPOINT          HTTP source endpoint URL created in Sumo Logic.
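A pre-deploy check of the settings in the table above, added here as an example and not Sumo Logic's collector code. It assumes ALERT_TYPES is a comma-separated string, uses placeholder defaults for the numeric variables, and reproduces the backoff sequence the BACKOFF_FACTOR row describes, so a missing or malformed variable is caught before the function runs instead of in its logs.

```python
# Added example, not Sumo Logic's collector code: a pre-deploy check of the
# environment variables documented above. Assumptions: ALERT_TYPES is a
# comma-separated string, and the defaults in NUMERIC are placeholders.
from datetime import date, timedelta
from urllib.parse import urlparse

REQUIRED = ("SUMO_ENDPOINT", "ALERT_TYPES")
# name -> (parser, minimum allowed value, placeholder default)
NUMERIC = {
    "BACKFILL_DAYS": (int, 1, 1),
    "PAGINATION_LIMIT": (int, 1, 100),
    "MAX_RETRY": (int, 0, 3),
    "BACKOFF_FACTOR": (float, 0.0, 0.1),
    "TIMEOUT": (float, 1.0, 30.0),
}


def backoff_delays(backoff_factor: float, max_retry: int) -> list:
    """Seconds slept before retry n, following the urllib3 Retry rule quoted
    in the table: no sleep before the first retry, then factor * 2**(n-1)."""
    return [0.0 if n == 1 else backoff_factor * 2 ** (n - 1)
            for n in range(1, max_retry + 1)]


def backfill_window(backfill_days: int, today: str) -> tuple:
    """Return (start, end) ISO dates; BACKFILL_DAYS=1 means yesterday to today."""
    end = date.fromisoformat(today)
    return (end - timedelta(days=backfill_days)).isoformat(), today


def validate(env: dict) -> dict:
    """Parse and check the settings; raise ValueError naming the first
    variable that is missing or malformed."""
    missing = [k for k in REQUIRED if not env.get(k, "").strip()]
    if missing:
        raise ValueError("missing environment variable(s): " + ", ".join(missing))
    url = urlparse(env["SUMO_ENDPOINT"])
    if url.scheme != "https" or not url.netloc:  # never post alerts over plain HTTP
        raise ValueError("SUMO_ENDPOINT must be an https:// URL")
    settings = {"SUMO_ENDPOINT": env["SUMO_ENDPOINT"],
                "ALERT_TYPES": [t.strip() for t in env["ALERT_TYPES"].split(",") if t.strip()]}
    for name, (parse, minimum, default) in NUMERIC.items():
        raw = env.get(name, "").strip()
        try:
            value = parse(raw) if raw else default
        except ValueError:
            raise ValueError(f"{name} must be numeric, got {raw!r}") from None
        if value < minimum:
            raise ValueError(f"{name} must be >= {minimum}, got {value}")
        settings[name] = value
    settings["RETRY_DELAYS"] = backoff_delays(settings["BACKOFF_FACTOR"], settings["MAX_RETRY"])
    return settings
```

Call validate(dict(os.environ)) from the deploy shell before running the collector script; the constructed values used in the checks below are placeholders, not a real endpoint.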

Troubleshooting the Google Cloud Platform Function

This section shows you how to troubleshoot the function and resolve errors you may have encountered.

To verify the function, do the following:

  1. Log in to your Google Cloud Platform account, navigate to the cloud function you created, and click Testing.

  2. Click the Test the function button.

[Screenshot: GSuite_Troubleshooting_TestFunction.png]

  3. Click the View Logs button to view the function logs. If an environment variable was not set, you will see error messages similar to the following.

[Screenshot: GSuite_Troubleshooting_ErrorLogs.png]

  4. Set the missing environment variable to resolve the issue.

To verify whether the Cloud Scheduler job is triggering the function:

  1. Enter Cloud Scheduler in the search bar and click the Cloud Scheduler entry.

[Screenshot: Cloud_Scheduler_1.png]

  2. Click the View button in the Logs column for the Cloud Scheduler job whose name starts with sumogsuite, as shown below.

[Screenshot: Cloud_Scheduler_2.png]

  3. In the newly opened window, you should see logs with no errors under Severity. If there is an error, you can see more details by clicking the Error section under Severity.

[Screenshot: Cloud_Scheduler_3.png]