Google Workspace Apps Audit - Cloud SIEM
Step 1: Configure collection
In this step, you configure an Google Workspace Apps Audit Source to collect Google Workspace log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to Configure Google Workspace Apps Audit Source below. Otherwise, create a new collector as described in Configure a hosted collector below, and then create the Google Workspace Apps Audit Source on the collector.
Configure a Hosted Collector
- To create a new hosted collector, see Configure a Hosted Collector.
- Fields.
- If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the +Add Field link, and add a field whose name is
_siemForward
and value is true. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. - If all sources in this collector will be Google Workspace Audit sources, add an additional field with key
_parser
and value /Parsers/System/Google/G Suite Audit.
noteIt’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section.
- If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the +Add Field link, and add a field whose name is
Configure Google Workspace Apps Audit Source
- To configure Google Workspace source, see Configure a Google Workspace Apps Audit Source.
- Fields.
- If you have not configured the Hosted Collector to forward all sources in the collector to Cloud SIEM, click the +Add Field link, and add a field whose name is
_siemForward
and value is true. - If you are not parsing all sources in the hosted collector with the same parser, +Add Field named
_parser
with value /Parsers/System/Google/G Suite Audit.
- If you have not configured the Hosted Collector to forward all sources in the collector to Cloud SIEM, click the +Add Field link, and add a field whose name is
- Sign in with Google. Click to give permission to Sumo Logic to set up watchpoints using the Google Workspace Apps Reports API. Click Accept.
- Click Save.
Step 2: Verify ingestion
In this step, you verify that your logs are successfully making it into Cloud SIEM.
- Classic UI. In the top menu select Configuration, and then under Incoming Data select Log Mappings.
New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Log Mappings. You can also click the Go To... menu at the top of the screen and select Log Mappings. - On the Log Mappings tab search for "Google Workspace" and check the Records columns.
- For a more granular look at the incoming records, you can also search the Sumo Logic platform for Google Workspace security records.