---
title: "Sumo Logic provides real-time visibility, investigation and response of g suite alerts"
page_name: "Sumo Logic provides real-time visibility, investigation and response of G Suite Alerts"
type: "blog"
slug: "g-suite-alerts"
published_at: "2019-06-20"
modified_at: "2025-05-09"
url: "https://www.sumologic.com/blog/g-suite-alerts"
canonical: "https://www.sumologic.com/blog/g-suite-alerts"
markdown_url: "https://www.sumologic.com/blog/g-suite-alerts.md"
lang: "en"
excerpt: "Sumo Logic app for G Suite monitors usage, administrator activity, and logins, and is used by over a hundred customers across various parts of the globe."
taxonomy_blog_category:
  - "DevOps & IT Operations"
  - "GCP"
  - "SecOps & Security"
---


# Sumo Logic provides real-time visibility, investigation and response of G Suite Alerts

Himanshu Pal and Rishi Divate

June 20, 2019




G Suite is Google’s integrated suite of secure, cloud-native collaboration and productivity apps. Some of the most popular apps from the suite are Gmail, Docs, Calendar, and Drive.

Sumo Logic already has a successful integration with G Suite: the Sumo Logic app for G Suite monitors usage, administrator activity, and logins, and is used by over a hundred customers across various parts of the globe.

Last year, Google launched the alert center for G Suite, which provides a single, comprehensive view of essential security-related notifications, alerts, and actions across G Suite, including Gmail phishing and malware, account warnings, and device management.

We at Sumo Logic have been actively working with the G Suite team to enhance our existing integration by collecting and analyzing data from the new alert center. Using this data, the enhanced Sumo Logic G Suite App provides a single, comprehensive view of usage, essential notifications, alerts, and actions across all of G Suite.

In this post, we will discuss how the Sumo Logic enhanced app for G Suite can help you accomplish the following goals:

- Monitor alerts and threats identified from the alert center for G Suite in Sumo Logic
- Investigate and correlate G Suite alerts with activity from G Suite and other key business applications
- Automate the response process

## Getting started

As part of the integration, Sumo Logic provides a mechanism to customers for analyzing data directly from G Suite via its Reports API and from the alert center using the alert center API. This data can be analyzed using the Sumo Logic enhanced app.

**Integrating Alert Center data into Sumo Logic**

Sumo Logic can ingest data from the alert center either via a Google Cloud Function or a script running on a machine. Depending on which method you use, you can invoke periodic collection via Google Cloud Scheduler or a cron job, and send the data to a Sumo Logic HTTP source as shown in the figure below:

Once you have configured this collection, the app for G Suite can be installed to analyze alerts via out-of-the-box dashboards.
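The collection loop described above, as an added example that is not Sumo Logic's or Google's own code: it pages through `alerts.list` results newer than a persisted watermark, deduplicates the inclusive boundary so a cron job or Cloud Function can rerun safely, and emits newline-delimited JSON for an HTTP source. `fake_fetch` and `SAMPLE_PAGES` are constructed stand-ins for the authenticated Alert Center API call, and the `createTime`/`type` filter syntax is assumed from the API's documented filter grammar.

```python
import json

SAMPLE_PAGES = {  # constructed alerts.list responses keyed by the pageToken that fetched them
    None: {"alerts": [
        {"alertId": "a1", "createTime": "2019-06-20T08:00:00Z", "type": "Suspicious login"},
        {"alertId": "a2", "createTime": "2019-06-20T08:05:00Z", "type": "User reported phishing"}],
        "nextPageToken": "p2"},
    "p2": {"alerts": [
        {"alertId": "a3", "createTime": "2019-06-20T08:05:00Z", "type": "Device compromised"}]},
}

def build_filter(since_iso, alert_type=None):
    # alerts.list filter on createTime (RFC 3339), optionally narrowed to one alert type (assumed syntax)
    f = f'createTime >= "{since_iso}"'
    return f + (f' AND type = "{alert_type}"' if alert_type else "")

def fake_fetch(page_token=None, alert_filter=""):
    # Stand-in for the authenticated API call; honours only the createTime part of the filter
    since = alert_filter.split('"')[1]
    page = dict(SAMPLE_PAGES[page_token])
    page["alerts"] = [a for a in page["alerts"] if a["createTime"] >= since]
    return page

def collect_new_alerts(fetch_page, state):
    """Walk every page newer than the watermark; return (new_alerts, new_state).
    state = {"since": createTime watermark, "seen": alertIds created at exactly that time}.
    The filter is inclusive, so 'seen' makes the overlap idempotent without keeping every id."""
    seen, since, token, new = set(state.get("seen", [])), state["since"], None, []
    while True:
        page = fetch_page(page_token=token, alert_filter=build_filter(since))
        for alert in page.get("alerts", []):
            if alert["alertId"] not in seen:
                seen.add(alert["alertId"])
                new.append(alert)
        token = page.get("nextPageToken")
        if not token:
            break
    if new:
        latest = max(a["createTime"] for a in new)
        boundary = {a["alertId"] for a in new if a["createTime"] == latest}
        if latest == since:  # still on the same second as last run: keep the earlier ids too
            boundary |= set(state.get("seen", []))
        since, seen = latest, boundary
    return new, {"since": since, "seen": sorted(seen)}

def to_sumo_payload(alerts):
    # One JSON object per line is what an HTTP source ingests as separate messages
    return "\n".join(json.dumps(a, sort_keys=True) for a in alerts)
```

In a real deployment `state` is read from and written back to a file or bucket between runs, and `fetch_page` wraps the service-account-authenticated API client.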

## Using the App dashboards

Let’s look at an example that shows how you can use the app to identify users with compromised credentials, understand the extent of a compromise, identify an attacker, and also automate the response going forward.

The Sumo Logic G Suite Overview app dashboard shows an overview of all activity across G Suite including alerts from alert center.

In the Total Alerts panel, you can see a number of alerts reported by alert center that you will want to drill down into.

Once you get into the Sumo Logic Alert Center Overview app dashboard, you can see users whose credentials have been compromised. To investigate the extent of the compromise, you can drill down further into the Alert Center Investigations dashboard as shown below.

In the Sumo Logic **G Suite – Alert Center – Investigations** dashboard, you can filter the view down to all activities performed by the compromised user (dominic@poi.com).

On this dashboard, you can see various G Suite applications used by the compromised user in the **G Suite Apps Accessed by Compromised Users** panel. You can also understand all the activities they performed in the **G Suite Activity by Users with Compromised Credentials** panel.

In the **Action on Compromised Devices and Users** panel, there are instructions that lead you to the steps for suspending the compromised user.

You can also use this dashboard to keep track of all G Suite activities from compromised devices and to understand how to block a device.

To continue analyzing data exfiltration activity, you can also view this user’s activity in the G Suite – Drive – User Activity dashboard and identify all users with whom content has been shared.

After examining the G Suite activity of compromised users, you may also want to further investigate the extent of a compromise by investigating whether this user has accessed other business applications. In this example, you can see all the reports downloaded from Salesforce.com by a compromised user detected by Alert Center.

Going forward, to prevent these kinds of attack scenarios from happening again, you can develop a search using Sumo Logic sub-queries as shown below to automatically correlate alerts from Alert Center with user activity on other data sources such as Salesforce.com.

You can now convert this search to a scheduled search to automate the creation of an incident in your incident response tool such as ServiceNow or PagerDuty, when you detect these kinds of events going forward.
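The correlation the scheduled search above performs, as an added example in Python rather than Sumo Logic query language and not the post's or Sumo Logic's own code: an inner join on user between Alert Center alerts and another source's activity, keeping only activity inside a window after the alert, and shaping the result into an incident payload. The Salesforce log lines, their field names and the incident fields are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

def _ts(s):  # both sources here use RFC 3339 'Z' timestamps
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

ALERTS = [  # constructed Alert Center alert as collected into Sumo Logic
    {"alertId": "a1", "type": "Suspicious login", "createTime": "2019-06-20T08:00:00Z",
     "data": {"email": "dominic@poi.com"}},
]
SF_EVENTS = [  # constructed Salesforce event log lines; field names are assumed
    '{"EVENT_TYPE":"ReportExport","USER_NAME":"dominic@poi.com","TIMESTAMP":"2019-06-20T09:12:00Z","REPORT_NAME":"Pipeline"}',
    '{"EVENT_TYPE":"ReportExport","USER_NAME":"dominic@poi.com","TIMESTAMP":"2019-06-19T09:12:00Z","REPORT_NAME":"Accounts"}',
    '{"EVENT_TYPE":"ReportExport","USER_NAME":"alice@poi.com","TIMESTAMP":"2019-06-20T09:30:00Z","REPORT_NAME":"Leads"}',
    '{"EVENT_TYPE":"Login","USER_NAME":"dominic@poi.com","TIMESTAMP":"2019-06-20T09:00:00Z"}',
]

def correlate(alerts, sf_lines, window=timedelta(hours=24)):
    """Inner join on user: report exports that happen within `window` after the
    user's earliest Alert Center alert. Returns {user: [report names]}."""
    first_alert = {}
    for a in alerts:
        email = a.get("data", {}).get("email")  # AccountWarning alerts carry the affected account
        if email:
            t = _ts(a["createTime"])
            first_alert[email] = min(first_alert.get(email, t), t)
    hits = {}
    for line in sf_lines:
        ev = json.loads(line)
        if ev.get("EVENT_TYPE") != "ReportExport" or ev["USER_NAME"] not in first_alert:
            continue  # not an export, or no alert for this user: the join drops it
        t0 = first_alert[ev["USER_NAME"]]
        if t0 <= _ts(ev["TIMESTAMP"]) <= t0 + window:  # exports before the alert are not post-compromise
            hits.setdefault(ev["USER_NAME"], []).append(ev["REPORT_NAME"])
    return hits

def build_incident(user, reports):
    # Payload an incident-tool webhook (ServiceNow, PagerDuty) could receive; field names assumed
    return {"title": f"Compromised G Suite account exported {len(reports)} Salesforce report(s)",
            "user": user, "reports": reports, "severity": "high"}

if __name__ == "__main__":
    for user, reports in correlate(ALERTS, SF_EVENTS).items():
        print(json.dumps(build_incident(user, reports)))
```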

So once you’ve identified the user and the extent of their activity after the compromise, the next step is to identify how this user could have been compromised in the first place.

To investigate whether the user was subject to a phishing attack, use the Sumo Logic **G Suite – Alert Center – Gmail Phishing** app dashboard.

In this example, you can observe multiple phishing attacks on the compromised user by the attacker harold@maldomain.com. Your G Suite administrators can now block all email traffic coming from the attacker or their domain going forward to prevent these kinds of attacks from happening again.

You can also block the attacker’s email by following the instructions in the **Blocking Senders by Email** section of the **G Suite Email Action** panel.

## Key Takeaways

In this blog post, we showed how you can use the Sumo Logic G Suite integration to do the following:

- Monitor alerts and threats identified from the alert center for G Suite in Sumo Logic
- Investigate and correlate G Suite alerts with activity from G Suite and other key business applications
- Automate the response process

The Sumo Logic enhanced app for G Suite and the Sumo Logic platform together provide the ability to monitor and analyze security alerts across all of G Suite.
