
Configure Collection for Google Workspace Alert Center

This page provides instructions for configuring log collection for Google Workspace Alert Center for use with the Sumo Logic App for Google Workspace.

This page explains how to collect logs from Google Workspace Alert Center and ingest them into Sumo Logic for use with the Google Workspace App's predefined dashboards and searches.

Alert types

All alerts are in JSON format. Most alerts share a few common fields, such as alertId, customerId, createTime, source, type, and data. The differences are in the data section of the JSON, where the alert-type-specific details are recorded. For more information about the different alert types, refer to the Google Workspace Alert Center documentation.

Collection overview

Sumo Logic provides a serverless solution that pulls logs from Google Workspace with API calls. You can configure the list of alert types to be collected; by default, all alerts are collected. The alerts are then forwarded to Sumo Logic's HTTP endpoint in JSON format. By default, collection starts from the current date and time, but this setting is also configurable, as detailed in the Advanced configuration section.

(Figure: GSuite_AlertCenter_Collection_Overview3.png, collection overview diagram)

Add a Hosted Collector and HTTP Source

This section demonstrates how to add a hosted Sumo Logic collector and an HTTP Logs and Metrics source to collect alerts from Google Workspace Alert Center.

Prerequisite

Before creating the HTTP source, identify the Sumo Logic Hosted Collector you want to use, or create a new Hosted Collector as described in the following task.

To add a hosted collector and HTTP source, do the following:

  1. Create a new Sumo Logic Hosted Collector by performing the steps in Configure a Hosted Collector.
  2. Add an HTTP Logs and Metrics Source.
  3. In the Advanced Options for Logs, under Timestamp Format, click Specify a format and enter the following information in the respective fields:
     • Format: yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
     • Timestamp locator: \"createTime\":(.*),

(Figure: GSuite_AlertCenter_HTTP-Source-dialog.png, HTTP Source dialog)

  4. Click Test and paste in a test log line when prompted to do so.
  5. If the test is successful, click Save.
  6. Make a note of the URL of the new source.
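The alert structure described under Alert types and the timestamp settings entered in step 3 can be exercised offline. The following Python is an added example, not code from Sumo Logic or from the collector it describes: it checks an alert for the common fields, separates the type-specific data section by its @type URI, and parses createTime with the page's format (written in strptime notation). The locator regex in the example is a stricter variant of the page's \"createTime\":(.*), (an assumption of the example, not the page's setting): it tolerates a space after the colon and stops at the closing quote, so it also behaves on compact single-line JSON, where a greedy .* would capture up to the last comma on the line. The sample alert is constructed.

```python
import json
import re
from datetime import datetime, timezone

# Common fields every Alert Center alert carries (from the "Alert types" section).
COMMON_FIELDS = ("alertId", "customerId", "createTime", "source", "type", "data")

# The Sumo Logic timestamp format yyyy-MM-dd'T'HH:mm:ss.SSS'Z' in strptime notation.
CREATE_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"

# Stricter variant of the page's locator "createTime":(.*), (this example's own
# choice): allows optional whitespace after the colon and ends at the closing
# quote instead of running greedily to the last comma on the line.
CREATE_TIME_LOCATOR = re.compile(r'"createTime":\s*"([^"]+)"')


def missing_common_fields(alert: dict) -> list:
    """Return the common fields absent from an alert (empty list = well-formed)."""
    return [f for f in COMMON_FIELDS if f not in alert]


def locate_create_time(raw_log: str):
    """Apply the locator to the raw message and parse the capture with CREATE_TIME_FORMAT.

    Returns an aware UTC datetime, or None if nothing is found or the value does
    not match the format (the ingest-time failure the Test button is meant to catch)."""
    m = CREATE_TIME_LOCATOR.search(raw_log)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), CREATE_TIME_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def summarize_alert(raw_log: str) -> dict:
    """Parse one raw alert into the fields a dashboard would key on.

    Everything outside `data` is common to all alerts; the type-specific details
    live in `data`, identified by its `@type` URI."""
    alert = json.loads(raw_log)
    missing = missing_common_fields(alert)
    if missing:
        raise ValueError("alert is missing common fields: %s" % ", ".join(missing))
    data = alert["data"]
    return {
        "alert_id": alert["alertId"],
        "type": alert["type"],
        "source": alert["source"],
        "data_type": data.get("@type", ""),
        # Not every alert type names an affected user; absent -> None.
        "email": data.get("email"),
        "create_time": locate_create_time(raw_log),
    }


# Constructed sample alert (not real data), serialized as compact single-line
# JSON in the shape a collector forwarding API responses would send.
SAMPLE_ALERT = json.dumps({
    "alertId": "00000000-0000-4000-8000-000000000001",
    "createTime": "2024-03-05T12:34:56.789Z",
    "customerId": "C0example",
    "data": {
        "@type": "type.googleapis.com/google.apps.alertcenter.type.DomainWideTakeoutInitiated",
        "takeoutRequestId": "example-request",
        "email": "user@example.com",
    },
    "source": "Domain wide takeout",
    "type": "Customer takeout initiated",
}, separators=(",", ":"))

if __name__ == "__main__":
    print(summarize_alert(SAMPLE_ALERT))
```

A test log line pasted into the HTTP source's Test dialog should produce the same createTime that locate_create_time returns; if it returns None for your real messages, the locator or format in step 3 does not match the shape the collector actually sends.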

Configure collection for Google Workspace Alert Center

In this section, we explore various mechanisms to collect findings from Google Workspace Alert Center and send them to Sumo Logic, where they are shown in dashboards as part of the Google Workspace App. You can configure a Google Workspace Alert Center collector in Google Cloud Platform (GCP), or via a script on a Linux machine. Choose the method best suited to your environment.

Sample Log Message

This section provides a sample Google Workspace Alert Center log message.

{
 "alertId": "2b49ec18-2f92-4d58-acca-45994b740848",
 "createTime": "TIMESTAMP",
 "customerId": "03gm7p8e",
 "data": {
   "@type": "type.googleapis.com/google.apps.alertcenter.type.DomainWideTakeoutInitiated",
   "takeoutRequestId": "unique9gfd87ss",
   "email": "john@alertcenter1.bigr.name"
 },
 "deleteTime": "TIMESTAMP",
 "endTime": "TIMESTAMP",
 "metadata": {
   "alertId": "2b49ec18-2f92-4d58-acca-45994b740848",
   "customerId": "03gm7p8e",
   "status": "NOT_STARTED",
   "updateTime": "TIMESTAMP"
 },
 "source": "Domain wide takeout",
 "startTime": "TIMESTAMP",
 "type": "Customer takeout initiated"
}

Query Sample

The query sample provided in this section is from the Google Workspace Activity by Users with Compromised Credentials panel of the Google Workspace - Alert Center - Investigations Dashboard.

_sourceCategory=googleworkspace_google_apps
| json "actor", "events", "id" nodrop
| json field=actor "email"
| json field=id "applicationName"
| where [subquery:_sourceCategory=googleworkspace_alerts "Leaked password"
 | json "alertId","customerId","source","type","data", "data.email" as alert_id, customer_id, source, type, data, email
 | where type="Leaked password"
 | count by email
 | compose email
]
| parse regex field=events "\"name\":\"(?<event_name>[^\"]+)\",\"type\":\"(?<event_type>[^\"]+)\"" multi
| formatDate(_messageTime,"MM-dd-yyyy HH:mm:ss:SSS") as event_time
| count by event_time, event_name, event_type, email, applicationName
| fields -_count
| sort by event_time
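The query above is a two-stage correlation: the subquery collects the emails named in "Leaked password" alerts, and the outer search keeps only activity records whose actor is in that set, exploding each record's events array into one row per (name, type) pair. The following Python re-implements that logic over constructed sample records so the dataflow can be checked outside Sumo Logic; it is an added example, not code from Sumo Logic or the Google Workspace App. It assumes activity records carry actor.email, id.applicationName and id.time (the latter standing in for _messageTime, an assumption of the example), and the events array is serialized compactly with name before type so the page's parse regex applies as written.

```python
import json
import re
from datetime import datetime

# The `parse regex ... multi` pattern from the query, in Python syntax: every
# "name"/"type" pair in the serialized events array becomes one row.
EVENT_RE = re.compile(r'"name":"([^"]+)","type":"([^"]+)"')

# Timestamp format of the Alert Center source; the example assumes activity
# records use the same format in id.time (stand-in for _messageTime).
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def compromised_emails(alert_logs):
    """The subquery: emails of users named in alerts of type "Leaked password"."""
    emails = set()
    for raw in alert_logs:
        alert = json.loads(raw)
        if alert.get("type") == "Leaked password":
            email = alert.get("data", {}).get("email")
            if email:
                emails.add(email)
    return emails


def format_event_time(ts):
    """Equivalent of formatDate(_messageTime, "MM-dd-yyyy HH:mm:ss:SSS")."""
    dt = datetime.strptime(ts, TIME_FORMAT)
    return dt.strftime("%m-%d-%Y %H:%M:%S") + ":%03d" % (dt.microsecond // 1000)


def activity_by_compromised_users(activity_logs, alert_logs):
    """The outer query: one row per (event_time, event_name, event_type, email,
    applicationName) for activity whose actor is in the subquery result.
    Duplicate rows collapse (the `count by ... | fields -_count` step) and the
    result is sorted by the formatted time string, exactly as the query does
    (note: MM-dd-yyyy sorts lexically, so ordering across years is not chronological)."""
    watch = compromised_emails(alert_logs)
    rows = set()
    for raw in activity_logs:
        rec = json.loads(raw)
        email = rec.get("actor", {}).get("email")
        if email not in watch:
            continue
        app = rec.get("id", {}).get("applicationName")
        event_time = format_event_time(rec["id"]["time"])
        # `json "events"` yields the array as a string; the regex runs on that.
        events_str = json.dumps(rec.get("events", []), separators=(",", ":"))
        for name, etype in EVENT_RE.findall(events_str):
            rows.add((event_time, name, etype, email, app))
    return sorted(rows)


# Constructed sample logs (not real data).
SAMPLE_ALERTS = [
    json.dumps({"alertId": "a-1", "customerId": "C0example", "createTime": "2024-03-05T08:00:00.000Z",
                "source": "Google identity", "type": "Leaked password",
                "data": {"email": "alice@example.com"}}),
    json.dumps({"alertId": "a-2", "customerId": "C0example", "createTime": "2024-03-05T08:05:00.000Z",
                "source": "Domain wide takeout", "type": "Customer takeout initiated",
                "data": {"email": "bob@example.com"}}),
]
SAMPLE_ACTIVITY = [
    json.dumps({"actor": {"email": "alice@example.com"},
                "id": {"time": "2024-03-05T09:15:00.123Z", "applicationName": "login"},
                "events": [{"name": "login_success", "type": "login"}]}),
    json.dumps({"actor": {"email": "alice@example.com"},
                "id": {"time": "2024-03-05T09:20:30.000Z", "applicationName": "drive"},
                # two identical events: collapses to one row, as in the query
                "events": [{"name": "download", "type": "access"},
                           {"name": "download", "type": "access"}]}),
    json.dumps({"actor": {"email": "carol@example.com"},   # no alert: filtered out
                "id": {"time": "2024-03-05T09:30:00.000Z", "applicationName": "login"},
                "events": [{"name": "login_success", "type": "login"}]}),
]

if __name__ == "__main__":
    for row in activity_by_compromised_users(SAMPLE_ACTIVITY, SAMPLE_ALERTS):
        print(row)
```

Running it yields only alice's two rows; bob appears in an alert of a different type and carol in no alert, so neither passes the subquery filter.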