Google Cloud Armor helps you protect your Google Cloud deployments from multiple types of threats, including distributed denial-of-service (DDoS) attacks and application attacks like cross-site scripting (XSS) and SQL injection (SQLi). For more details, refer to the GCP documentation.
You can collect the logs for Sumo Logic's Google Cloud Armor integration by following the steps below.
Configure logs collection
Collect Audit Logs using the Google Cloud Platform source. Access to these Audit Logs depends on the IAM permissions and roles granted to the account that reads them. To enable logging for Google Cloud Armor, refer to the Google documentation. For more detail on which Cloud Armor operations are audited, refer to the list of audited operations. While creating the sink in GCP, in the Choose logs to include in sink section, you can use the following query:
(resource.type=(backendServices OR securityPolicies) resource.labels.service=compute.googleapis.com)
Collect Platform Logs using the Google Cloud Platform source. Google Cloud Armor request logs are part of the Cloud Load Balancing logs, so they only appear once logging is enabled for the load balancer's backend service. To enable these logs, follow the instructions here. For collecting request logs, copy the query from Logs Explorer that you get after following these steps, and use that same query in the Choose logs to include in sink section while creating the sink in GCP.
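As an added example (not code from this page, from Sumo Logic or from Google), the following Python script shows what a practitioner does with the request logs once the sink delivers them: parse the Cloud Armor fields out of each Cloud Load Balancing entry, count outcomes per security policy, surface requests that a preview-mode rule would have denied (the ones to review before the rule is switched to enforce), and check an entry against a local approximation of the audit-log inclusion filter shown above. The log lines and the audit entry are constructed samples: the policy name, IP addresses, URLs and rule IDs are made up, and the function names are this example's own.

```python
"""Triage Cloud Armor verdicts from Cloud Load Balancing request log entries."""
import json
from collections import Counter

# Constructed sample log lines (not real traffic). Field names follow the Cloud
# Armor request-logging schema: jsonPayload.enforcedSecurityPolicy is the rule
# that was applied, jsonPayload.previewSecurityPolicy the preview-mode rule that
# would have matched. Policy name, IPs, URLs and rule IDs are made up.
SAMPLE_LOG_LINES = [
    # 1: blocked by an enforced SQLi rule
    json.dumps({
        "resource": {"type": "http_load_balancer", "labels": {"project_id": "demo-project"}},
        "httpRequest": {"requestMethod": "GET", "remoteIp": "203.0.113.10", "status": 403,
                        "requestUrl": "https://app.example.test/search?q=%27%20OR%201%3D1--"},
        "jsonPayload": {
            "statusDetails": "denied_by_security_policy",
            "enforcedSecurityPolicy": {
                "name": "edge-policy", "outcome": "DENY", "configuredAction": "DENY",
                "priority": 1000, "preconfiguredExprIds": ["owasp-crs-v030001-id942421-sqli"]}}}),
    # 2: allowed by the default rule, but a preview-mode XSS rule would have denied it
    json.dumps({
        "resource": {"type": "http_load_balancer", "labels": {"project_id": "demo-project"}},
        "httpRequest": {"requestMethod": "GET", "remoteIp": "198.51.100.7", "status": 200,
                        "requestUrl": "https://app.example.test/?name=%3Cscript%3Ealert(1)%3C/script%3E"},
        "jsonPayload": {
            "statusDetails": "response_sent_by_backend",
            "enforcedSecurityPolicy": {
                "name": "edge-policy", "outcome": "ACCEPT", "configuredAction": "ALLOW",
                "priority": 2147483647, "preconfiguredExprIds": []},
            "previewSecurityPolicy": {
                "name": "edge-policy", "outcome": "DENY", "configuredAction": "DENY",
                "priority": 900, "preconfiguredExprIds": ["owasp-crs-v030001-id941100-xss"]}}}),
    # 3: ordinary load balancer entry with no Cloud Armor decision attached
    json.dumps({
        "resource": {"type": "http_load_balancer", "labels": {"project_id": "demo-project"}},
        "httpRequest": {"requestMethod": "GET", "remoteIp": "192.0.2.44", "status": 200,
                        "requestUrl": "https://app.example.test/healthz"},
        "jsonPayload": {"statusDetails": "response_sent_by_backend"}}),
]

# Constructed audit log entry of the shape the inclusion filter above is meant to select.
SAMPLE_AUDIT_ENTRY = {
    "resource": {"type": "securityPolicies",
                 "labels": {"service": "compute.googleapis.com", "project_id": "demo-project"}},
    "protoPayload": {"methodName": "v1.compute.securityPolicies.patchRule"},
}

REQUIRED_FIELDS = ("name", "outcome", "configuredAction", "priority")


def parse_verdict(line):
    """Return the Cloud Armor decision for one JSON log line, or None when the
    entry carries no enforcedSecurityPolicy (plain load balancer traffic)."""
    entry = json.loads(line)
    payload = entry.get("jsonPayload", {})
    enforced = payload.get("enforcedSecurityPolicy")
    if not enforced:
        return None
    missing = [f for f in REQUIRED_FIELDS if f not in enforced]
    if missing:  # a truncated or reshaped entry should fail loudly, not be counted
        raise ValueError("enforcedSecurityPolicy missing fields: %s" % missing)
    http = entry.get("httpRequest", {})
    preview = payload.get("previewSecurityPolicy") or {}
    return {
        "policy": enforced["name"],
        "outcome": enforced["outcome"],
        "action": enforced["configuredAction"],
        "priority": enforced["priority"],
        "expr_ids": list(enforced.get("preconfiguredExprIds", [])),
        "preview_would_deny": preview.get("outcome") == "DENY",
        "preview_expr_ids": list(preview.get("preconfiguredExprIds", [])),
        "remote_ip": http.get("remoteIp"),
        "url": http.get("requestUrl"),
        "status": http.get("status"),
    }


def summarize(lines):
    """Count outcomes per (policy, outcome) and list requests a preview rule
    would have blocked; entries without a Cloud Armor decision are skipped."""
    per_policy = Counter()
    preview_hits = []
    skipped = 0
    for line in lines:
        verdict = parse_verdict(line)
        if verdict is None:
            skipped += 1
            continue
        per_policy[(verdict["policy"], verdict["outcome"])] += 1
        if verdict["preview_would_deny"]:
            preview_hits.append((verdict["remote_ip"], verdict["url"], verdict["preview_expr_ids"]))
    return {"per_policy": dict(per_policy), "preview_hits": preview_hits, "skipped": skipped}


def audit_filter_matches(entry):
    """Local approximation of the audit-log inclusion filter shown above: the
    resource type is one of the two listed types and the service label is
    compute.googleapis.com (adjacent terms in a Cloud Logging filter are ANDed)."""
    if isinstance(entry, str):
        entry = json.loads(entry)
    res = entry.get("resource", {})
    return (res.get("type") in ("backendServices", "securityPolicies")
            and res.get("labels", {}).get("service") == "compute.googleapis.com")


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG_LINES), indent=2))
    print("audit entry selected by sink filter:", audit_filter_matches(SAMPLE_AUDIT_ENTRY))
```

Run it as a script to see the per-policy counts and the single preview hit; in practice the same functions would be fed the lines the Sumo Logic source receives from the sink. The strict check in `parse_verdict` is deliberate: a denial that is silently miscounted because a field went missing is worse than a parse error you notice.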