Google Workspace Apps Audit - Cloud SIEM
Step 1: Configure collection
In this step, you configure an Google Workspace Apps Audit Source to collect Google Workspace log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to Configure Google Workspace Apps Audit Source below. Otherwise, create a new collector as described in Configure a hosted collector below, and then create the Google Workspace Apps Audit Source on the collector.
Configure a Hosted Collector
- To create a new hosted collector, see Configure a Hosted Collector.
- Fields.
- If you are planning that all the sources you add to this collector will forward log messages to CSE, click the +Add Field link, and add a field whose name is
_siemForward
and value is true. This will cause the collector to forward all of the logs collected by all of the sources on the collector to CSE. - If all sources in this collector will be Google Workspace Audit sources, add an additional field with key
_parser
and value /Parsers/System/Google/Google Workspace Audit.noteIt’s also possible to configure individual sources to forward to CSE, as described in the following section.
- If you are planning that all the sources you add to this collector will forward log messages to CSE, click the +Add Field link, and add a field whose name is
Configure Google Workspace Apps Audit Source
- To configure Google Workspace source, see Configure a Google Workspace Apps Audit Source.
- Fields.
- If you have not configured the Hosted Collector to forward all sources in the collector to CSE, click the +Add Field link, and add a field whose name is
_siemForward
and value is true. - If you are not parsing all sources in the hosted collector with the same parser, +Add Field named
_parser
with value /Parsers/System/Google/Google Workspace Audit.
- If you have not configured the Hosted Collector to forward all sources in the collector to CSE, click the +Add Field link, and add a field whose name is
- Sign in with Google. Click to give permission to Sumo Logic to set up watchpoints using the Google Workspace Apps Reports API. Click Accept.
- Click Save.
Step 2: Verify ingestion
In this step, you verify that your logs are successfully making it into CSE.
- Click the gear icon, and select Log Mappings under Incoming Data.
- On the Log Mappings page search for "Google Workspace" and check under Record Volume.
- For a more granular look at the incoming records, you can also search the Sumo Logic platform for Google Workspace security records.