Sumo Logic

Configure Google Cloud Platform Collection for Google Workspace Alert Center

This page provides instructions on how to configure Google Cloud Platform collection for Google Workspace Alert Center.

Use this method of collection for Google Cloud Platform (GCP) environments.

Google Cloud Platform (GCP) collection 

This section provides instructions for configuring Google Workspace Alert Center collection in your Google Cloud Platform environment. The Google Workspace Alert Center collector function fetches the findings from Google Workspace and sends them to Sumo Logic.

To configure Google Workspace Alert Center collection in your GCP environment, do the following:

  1. Go to:

  2. Run the following command:

  3. Edit the bash script to configure the following variables:

  • region: The region where the Google function will be deployed. For example: "us-central1"
  • project_id: The project ID of the project where the collector and all its resources will be deployed.
  • delegated_email: The valid email address of one of your org's Google Workspace super admin users.
  • Sumo_endpoint: The Sumo Logic HTTP endpoint created in Step 1.

  4. Run the following script:

  5. In the command prompt, enter "N" for the question "Allow unauthenticated invocations of new function".

  6. Copy the Client ID displayed at the end of the script output. You will enter it in the Client Name field when you configure Google Workspace Alert Center to allow client API access in the following task.

  7. Go to the Cloud Datastore page of the project with the Project ID you configured in the previous steps of this procedure, and create a database instance with the Cloud Firestore in Datastore Mode option. For more information, refer to the Google Cloud Datastore documentation.
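To confirm after deployment that the "N" answer to the unauthenticated-invocations prompt took effect, the function's IAM policy can be audited. The following is an added example, not part of the Sumo Logic script: it reads the JSON printed by `gcloud functions get-iam-policy <function> --region <region> --format=json` and reports public members and invokers outside an allow-list. The service account, project name and sample policy are constructed assumptions.

```python
import json

PUBLIC = {"allUsers", "allAuthenticatedUsers"}
INVOKER_ROLES = {"roles/cloudfunctions.invoker", "roles/run.invoker"}

def audit_invokers(policy_json, allowed_members):
    """Return (severity, role, member) findings for a function's IAM policy."""
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC:
                # This is the binding that allowing unauthenticated invocations creates.
                findings.append(("public", role, member))
            elif role in INVOKER_ROLES and member not in allowed_members:
                # An identity other than the expected caller can trigger the collector.
                findings.append(("unexpected", role, member))
    return findings

# Hypothetical identity used by the Cloud Scheduler job (assumption, not from the page).
SCHEDULER_SA = "serviceAccount:scheduler-sa@example-project.iam.gserviceaccount.com"

# Constructed sample policy for illustration.
SAMPLE_POLICY = json.dumps({
    "bindings": [{
        "role": "roles/cloudfunctions.invoker",
        "members": [SCHEDULER_SA, "allUsers", "user:dev@example.com"],
    }],
    "version": 1,
})

if __name__ == "__main__":
    for severity, role, member in audit_invokers(SAMPLE_POLICY, {SCHEDULER_SA}):
        print(f"{severity}: {member} holds {role}")
```

An empty result means only the allow-listed identity can invoke the function.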


Configure Google Workspace Alert Center to allow client API access

This section explains how to configure Google Workspace Alert Center to allow API access. 

To configure Google Workspace Alert Center:

  1. Go to your G Suite domain's Admin console (see instructions on signing in to your Admin console), then go to Security -> Access and data control -> API Controls.

  2. In the newly opened window, click Manage Domain-wide Delegation at the bottom.

  3. Click the Add new button at the top.

  4. Enter the Client ID for the service account copied in Step 2, then in the OAuth Scopes field enter the following:

  5. Click Authorise.

Adding new Alert types

If Google adds a new alert type in the future, do the following to add it:

  1. Go to the gsuitealertcenterfunc Google Cloud function console.

  2. Click Edit at the top and then click Next.

  3. In the editor, edit the gsuitealertcenter.yaml file and add the new alert types to the ALERT_TYPES parameter, using the values from the “Alert type” column in the Google Workspace Alert types documentation.

  4. Click Deploy.

Advanced configuration 

This section provides a list of environment variables for Google Workspace Alert Center and their usage. For information on how to set these environment variables, refer to this Google Cloud document.

Environment Variable  Usage

ALERT_TYPES  Alert types: "Customer takeout initiated", "Misconfigured whitelist", "User reported phishing", "User reported spam spike", "Suspicious message reported", "Phishing reclassification", "Malware reclassification", "Leaked password", "Suspicious login", "Suspicious login (less secure app)", "Suspicious programmatic login", "User suspended", "User suspended (spam)", "User suspended (spam through relay)", "User suspended (suspicious activity)", "Google Operations", "Government attack warning", "Device compromised", "Suspicious activity"
BACKFILL_DAYS  Number of days before the event collection will start. If the value is 1, then events are fetched from yesterday to today.
PAGINATION_LIMIT  Number of events to fetch in a single API call.
LOG_FORMAT  Log format used by the Python logging module to write logs in a file.
ENABLE_LOGFILE  Set to TRUE to write all logs and errors to a log file.
ENABLE_CONSOLE_LOG  Enables printing logs in a console.
LOG_FILEPATH  Path of the log file used when ENABLE_LOGFILE is set to TRUE.
NUM_WORKERS  Number of threads to spawn for API calls.
MAX_RETRY  Number of retries to attempt in case of request failure.
BACKOFF_FACTOR  A backoff factor to apply between attempts after the second try. If the backoff_factor is 0.1, then sleep() will sleep for [0.0s, 0.2s, 0.4s, ...] between retries.
TIMEOUT  Request timeout used by the requests library.
SUMO_ENDPOINT  HTTP source endpoint URL created in Sumo Logic.
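A pre-deployment check for the variables listed above, written as an added example and not taken from the collector's code: it reports unset or malformed values and computes the retry sleep schedule the backoff description implies. BACKOFF_FACTOR is assumed to be the name of the backoff variable, the minimum values are assumptions, and the sample values are constructed.

```python
from urllib.parse import urlparse
# Numeric variables from the Advanced configuration table: (type, assumed minimum).
NUMERIC = {
    "BACKFILL_DAYS": (int, 0), "PAGINATION_LIMIT": (int, 1),
    "NUM_WORKERS": (int, 1), "MAX_RETRY": (int, 0),
    "BACKOFF_FACTOR": (float, 0), "TIMEOUT": (float, 1),
}

def check_config(env):
    """Return a list of problems in the collector's environment variables."""
    problems = []
    url = urlparse(env.get("SUMO_ENDPOINT", ""))
    if url.scheme != "https" or not url.hostname:
        # Findings leave GCP through this URL: refuse plain http or an empty value.
        problems.append("SUMO_ENDPOINT must be set to an https:// URL")
    for name, (cast, minimum) in NUMERIC.items():
        raw = env.get(name, "").strip()
        if not raw:
            problems.append(f"{name} is not set")
            continue
        try:
            value = cast(raw)
        except ValueError:
            problems.append(f"{name}={raw!r} is not a valid {cast.__name__}")
            continue
        if not value >= minimum:  # written this way so NaN is rejected too
            problems.append(f"{name}={raw!r} is below the minimum {minimum}")
    if env.get("ENABLE_LOGFILE", "").upper() == "TRUE" and not env.get("LOG_FILEPATH"):
        problems.append("ENABLE_LOGFILE is TRUE but LOG_FILEPATH is not set")
    return problems

def retry_sleeps(max_retry, backoff_factor):
    """Sleeps as the page states them: none before the first retry, then factor * 2**(n-1)."""
    return [0.0 if n == 1 else backoff_factor * 2 ** (n - 1) for n in range(1, max_retry + 1)]

def worst_case_seconds(env):
    """Rough worst case for one failing request: each attempt waits TIMEOUT, plus all sleeps."""
    retries = int(env["MAX_RETRY"])
    return (retries + 1) * float(env["TIMEOUT"]) + sum(retry_sleeps(retries, float(env["BACKOFF_FACTOR"])))

# Constructed sample values, not defaults taken from the collector.
SAMPLE_ENV = {
    "SUMO_ENDPOINT": "https://collectors.example.com/receiver/v1/http/PLACEHOLDER",
    "BACKFILL_DAYS": "1", "PAGINATION_LIMIT": "100", "NUM_WORKERS": "2",
    "MAX_RETRY": "3", "BACKOFF_FACTOR": "0.1", "TIMEOUT": "60", "ENABLE_LOGFILE": "FALSE",
}

if __name__ == "__main__":
    print(check_config(SAMPLE_ENV) or "configuration OK", retry_sleeps(3, 0.1))
```

Comparing the worst-case figure with the function's execution timeout shows whether a given MAX_RETRY and TIMEOUT pair can finish before the function is killed.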

Troubleshooting the Google Cloud Platform Function 

This section shows you how to troubleshoot the function and resolve errors you may have encountered.

To verify the function, do the following:

  1. Log in to your Google Cloud Platform account, navigate to the cloud function you created, and click Testing.

  2. Click the Test the function button.

  3. Click the View Logs button to view the function logs. If an environment variable was not set, you will see error messages similar to the following.

  4. Set the missing environment variable to resolve the issue.

To verify whether the cloud scheduler job is triggering the function:

  1. Enter Cloud Scheduler in the search bar and click.

  2. Click the View button under the Logs column corresponding to the Cloud Scheduler job starting with sumogsuite.

  3. In the newly opened window, the logs should show no errors under Severity. If there is an error, you can see more details by clicking on the Error section under Severity.