Sumo Logic provides real-time visibility, investigation and response of G Suite Alerts

G Suite is Google’s integrated suite of secure, cloud-native collaboration and productivity apps. Some of the most popular apps from the suite are Gmail, Docs, Calendar, and Drive.

Currently, Sumo Logic has a successful integration with G Suite: the Sumo Logic app for G Suite that monitors usage, administrator activity, and logins, and is used by over a hundred customers across various parts of the globe.

Last year, Google launched the alert center for G Suite providing a single, comprehensive view of essential security-related notifications, alerts, and actions across G Suite including gmail phishing and malware, account warnings, and device management.

We at Sumo Logic have been actively working with the G Suite team to enhance our existing integration by collecting and analyzing data from the new alert center. Using this data, the enhanced Sumo Logic G Suite App provides a single, comprehensive view of usage, essential notifications, alerts, and actions across all of G Suite.

In this post, we will discuss how the Sumo Logic enhanced app for G Suite can help you accomplish the following goals:

• Monitor alerts and threats identified from the alert center for G Suite in Sumo Logic
• Investigate and correlate G Suite alerts with activity from G Suite and other key business applications
• Automate the response process

Getting started

As part of the integration, Sumo Logic provides a mechanism to customers for analyzing data directly from G Suite via its Reports API and from the alert center using the alert center API. This data can be analyzed using the Sumo Logic enhanced app.

Integrating Alert Center data into Sumo Logic

Sumo Logic can integrate data in from the alert center either via a Google Cloud Function or a script running on a machine. Depending on which method you use, you can invoke periodic collection via the Google Cloud Scheduler or a crontab script, and send data to a Sumo Logic HTTP source as shown in the figure below:

Once you have configured this collection, the app for G Suite can be installed to analyze alerts via out of the box dashboards. 

Using the App dashboards

Let’s look at an example that shows how you can use the app to identify users with compromised credentials, understand the extent of a compromise, identify an attacker, and also automate the response going forward.

The Sumo Logic G Suite Overview app dashboard shows an overview of all activity across G Suite including alerts from alert center.

In the Total Alerts panel, you can see a number of alerts reported by alert center that you will want to drill down into.

Once you get into the Sumo Logic Alert Center Overview app dashboard, you can see users whose credentials have been compromised. To investigate the extent of the compromise, you can drill down further into the Alert Center Investigations dashboard as shown below.

In the Sumo Logic G Suite - Alert Center - Investigations dashboard, you can filter out all activities performed by the compromised user (dominic@poi.com).

On this dashboard, you can see various G Suite applications used by the compromised user in the G Suite Apps Accessed by Compromised Users panel. You can also understand all the activities they performed in the G Suite Activity by Users with Compromised Credentials panel.

In the Action on Compromised Devices and Users panel, there are instructions that lead you to the steps for suspending the compromised user.

You can also use this dashboard for keeping track of all G Suite Activities from Compromised Devices and understand how to block a device.

To continue to analyze all data exfiltration activities, you can also view this user’s activity in the G Suite - Drive - User Activity dashboard and identify all users with whom content has been shared.

After examining the G Suite activity of compromised users, you may also want to further investigate the extent of a compromise by investigating whether this user has accessed other business applications. In this example, you can see all the reports downloaded from Salesforce.com by a compromised user detected by Alert Center.

Going forward, to prevent these kinds of attack scenarios from happening again, you can develop a search using Sumo Logic sub-queries as shown below to automatically correlate alerts from Alert Center with user activity on other data sources such as Salesforce.com.

You can now convert this search to a scheduled search to automate the creation of an incident in your incident response tool such as ServiceNow or PagerDuty, when you detect these kinds of events going forward.

So once you’ve identified the user and the extent of their activity after the compromise, the next step is to identify how this user could have been compromised in the first place.

To investigate, whether the user was subject to a phishing attack, use the Sumo Logic G Suite - Alert Center - Gmail Phishing app dashboard.

In this example, you can observe multiple phishing attacks on the compromised user by the attacker harold@maldomain.com. Your G Suite administrators can now block all email traffic coming from the attacker or their domain going forward to prevent these kinds of attacks from happening again.

You can also block the attacker’s email by following the instructions for Blocking Senders by Email section in G Suite Email Action panel.

Key Takeaways

In this blog post, we showed how you can use the Sumo Logic G Suite integration to do the following:

• Monitor alerts and threats identified from the alert center for G Suite in Sumo Logic
• Investigate and correlate G Suite alerts with activity from G Suite and other key business applications
• Automate the response process

The Sumo Logic enhanced app for G Suite and the Sumo Logic platform provides the ability to monitor and analyze security alerts across all of G Suite.

Get started

If you don’t have a Sumo Logic account yet, you can sign up for a free trial today. 

Additional Resources

For more great security and DevSecOps-focused reads, check out the Sumo Logic blog.

Learn more about our new Cloud SIEM solution.

Download the 2018 State of Modern Applications & DevSecOps in the Cloud report to get the latest data-driven insights, best practices, and year-over-year trends of how our 2,000+ customers are building and managing their modern applications and cloud infrastructures.