Google Apps
Details on the Sumo Logic App for Google Apps.

The Sumo Logic App for Google Apps allows you to monitor and analyze all of your Google Apps activity in one place, including login and administrative events. It supports Google Apps including Admin, Drive, Login, and Token with pre-configured Dashboards and searches.

Log Types

Each Google App has its own log that tracks actions in JSON format. The logs are all structurally similar. The differences are in the events section of the JSON, where the actions are recorded.

The common areas of the logs are the following:

Event       Description
Id          Contains applicationName (for example, drive or admin).
Actor       Contains email, which is the Google email address of the person performing the action.
ipAddress   The IP address of the user performing the action.

The events sections of logs are as follows:

Google Login App

Event             Description
Login type name   Equivalent of the status or type of activity: login_success, logout, or login_failure. In the Login Dashboard, we also have a Panel showing login_failure_type, which displays the reason for the login failure.
login_challenge   Records actions related to a Login Challenge for suspicious sign-ins. Specific results are logged in login_challenge_status, where the possible values are Challenge Failed or Challenge Passed. For more information on login_challenge, refer to the Google documentation: https://support.google.com/a/answer/6002699?hl=en

Google Admin and Token Apps

These are actions performed by Google site administrators.

Event            Description
USER_SETTINGS    Actions performed at the individual user level, such as CREATE_USER, DELETE_USER, and CHANGE_PASSWORD. A specific type of individual user action is CREATE_DATA_TRANSFER_REQUEST. This typically occurs after a user has been deleted and the user's contents, such as Drive, are transferred to that user's manager.
GROUP_SETTINGS   Actions such as adding and removing users from groups.
Other            Other, less common types of actions (for example, CHROME_OS_SETTINGS, DEVICE_SETTINGS).

Google Drive App

The Google Drive app logs come in two types: Access and acl_change. A single user action in Drive may generate several events. Of these, one is the primary event and the rest are side effects of that event. We look for the primary event.

Access types include viewing and downloading a document or folder, as well as creating, uploading, renaming, editing, and moving content.

Acl_change types cover changes to who can edit a document or folder, including scope changes like the one shown here:

For document type (doc_type), Google only recognizes its own documents (for example, Document, Spreadsheet, and Presentation). Other document types (such as Excel, PDF, and MP4) are classified as unknown. In a Drive Dashboard Panel, we capture the Google types, and then use the file extension to classify the other types that would otherwise be displayed as unknown.
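The example below is added here to illustrate the log structure described on this page; it is not Sumo Logic's code or a Google component. It flattens constructed audit records (assumed to carry id.applicationName, actor.email, ipAddress, and an events list whose entries hold a name plus name/value parameters), summarizes login failures by actor and reason, and relabels "unknown" Drive doc_type values from the file extension in doc_title, as the Drive panel does. The EXTENSION_TYPES mapping and the sample records are assumptions for this example.

```python
import json
from collections import Counter

# Constructed sample records in the shape of Google Apps audit activity JSON
# (id.applicationName, actor.email, ipAddress, events[].name/parameters).
# The field layout is an assumption for this example, not taken from Sumo Logic.
SAMPLE_LOGS = [
    '{"id": {"applicationName": "login"}, "actor": {"email": "ann@example.com"}, "ipAddress": "203.0.113.5", "events": [{"type": "login", "name": "login_failure", "parameters": [{"name": "login_failure_type", "value": "login_failure_invalid_password"}]}]}',
    '{"id": {"applicationName": "login"}, "actor": {"email": "ann@example.com"}, "ipAddress": "203.0.113.5", "events": [{"type": "login", "name": "login_challenge", "parameters": [{"name": "login_challenge_status", "value": "Challenge Passed"}]}]}',
    '{"id": {"applicationName": "admin"}, "actor": {"email": "admin@example.com"}, "ipAddress": "198.51.100.7", "events": [{"type": "USER_SETTINGS", "name": "CREATE_DATA_TRANSFER_REQUEST"}]}',
    '{"id": {"applicationName": "drive"}, "actor": {"email": "bob@example.com"}, "ipAddress": "198.51.100.9", "events": [{"type": "access", "name": "download", "parameters": [{"name": "doc_type", "value": "unknown"}, {"name": "doc_title", "value": "budget.xlsx"}]}, {"type": "acl_change", "name": "change_user_access", "parameters": [{"name": "doc_type", "value": "document"}, {"name": "doc_title", "value": "Plan"}]}]}',
]

# Assumed extension mapping used to relabel "unknown" Drive doc_type values.
EXTENSION_TYPES = {"xlsx": "Excel", "xls": "Excel", "pdf": "PDF", "mp4": "MP4", "docx": "Word"}

def classify_doc(doc_type, title):
    """Keep Google's own types; map 'unknown' to the file extension of the title."""
    if doc_type != "unknown":
        return doc_type
    ext = title.rsplit(".", 1)[-1].lower() if "." in title else ""
    return EXTENSION_TYPES.get(ext, "unknown")

def parse_record(line):
    """Flatten one audit record into one row per event, carrying the common fields."""
    rec = json.loads(line)
    app = rec["id"]["applicationName"]
    actor = rec.get("actor", {}).get("email")
    ip = rec.get("ipAddress")
    rows = []
    for ev in rec.get("events", []):
        # Parameters arrive as a list of {name, value}; turn them into a dict.
        params = {p["name"]: p.get("value") for p in ev.get("parameters", [])}
        row = {"app": app, "actor": actor, "ip": ip, "type": ev.get("type"), "name": ev["name"], **params}
        if app == "drive" and "doc_type" in params:
            row["doc_type"] = classify_doc(params["doc_type"], params.get("doc_title", ""))
        rows.append(row)
    return rows

def summarize(lines):
    """Count login failures by (actor, reason) and Drive events by (event type, doc_type)."""
    failures, drive_types = Counter(), Counter()
    for row in (r for line in lines for r in parse_record(line)):
        if row["app"] == "login" and row["name"] == "login_failure":
            failures[(row["actor"], row.get("login_failure_type"))] += 1
        elif row["app"] == "drive":
            drive_types[(row["type"], row["doc_type"])] += 1
    return failures, drive_types
```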