Skip to main content

Google Workspace

thumbnail icon

The Google Workspace App allows you to monitor and analyze activities across all Google Workspace applications from a single location. Comprehensive dashboards display information on administrative and user activities, Google Drive usage, and logins.

Dashboards also provide full visibility into alerts from Google Workspace Alert Center, allowing you to investigate and correlate alerts and monitor potential threats across all Google Workspace apps.

Log and Alert Types

Each Google Workspace app has its own log that tracks actions in JSON format. The logs are all structurally similar. The differences are in the events section of the JSON where the actions are recorded.

The common areas of the logs are:

EventDescription
IdContains applicationName (for example, drive or admin).
ActorContains email, which is the Google email address of the person performing the action.
ipAddressThe IP address of the user performing the action.

The events sections of logs are:

Apps

Google Workspace Login App

EventDescription
Login type nameEquivalent of status or type of activity: login_success, logout, or login_failure. In the Login Dashboard, we also have a Panel showing login_failure_type, which displays a reason for the login failure.
login_challengeRecords action related to a Login Challenge for suspicious sign ins. Specific results are logged in the login_challenge_status, where the possible values are Challenge Failed or Challenge Passed. For more information on login_challenge, refer to Google documentation:

https://support.google.com/a/answer/6002699?hl=en

Google Workspace Admin and Token Apps

These are actions performed by Google site administrators.

EventDescription
USER_SETTINGSThese are actions performed at the individual user level, such as CREATE_USER, DELETE_USER, CHANGE_PASSWORD.

A specific type of individual user action is CREATE_DATA_TRANSFER_REQUEST. This typically occurs after a user has been deleted, and the user’s contents, such as Drive, are transferred to that user’s manager.

GROUP_SETTINGSThese are actions such as adding and removing users from groups.
OtherOther types of actions take place, but they are less common (for example, CHROME_OS_SETTINGS, DEVICE_SETTINGS).

Google Workspace Drive App

The Google Drive app logs come in two types: Access and acl_change. A single user action in Drive may generate several events. Of these, one is the primary event and the rest are side effects of that event. We look for the primary event.

Access types are such as viewing and downloading a document or folder. They also include creating, uploading, renaming, editing, and moving content.

Acl_change types include who can edit a document or folder, including scope changes like what you do here:

google_scope

For document type (doc_type), Google only recognizes its own documents (for example, Document, Spreadsheet, and Presentation). Other document types (such as Excel, PDF, and MP4) are classified as unknown. In a Drive Dashboard Panel, we capture the Google types, and then use the file extension to classify the other types that would otherwise be displayed as unknown.

Google Workspace Alert Center

Google Workspace Alert Center, allowing you to investigate and correlate alerts and monitor potential threats across all Google Workspace apps. All the alerts are in JSON format. Most of the alerts have few common fields like alertId, customerId, createTime, source, type and data. The differences are in the data section of the JSON where the alert type specific details are recorded. For more information about different alert types refer this Google Workspace Alert document.

Sumo Logic YouTubeSumo Logic Twitter
Legal
Privacy Statement
Terms of Use

Copyright © 2022 by Sumo Logic, Inc.