
Unable to find spam classification from logs sent to Google Secops SIEM from Google workspace

  • June 5, 2025
  • 3 replies
  • 27 views

devashishsingh

Hey,

I am unable to find spam classification from Google Workspace activity logs ingested to our Google SecOps SIEM. Is there any related field that I need to look into, or any additional configuration required to fetch it?

Delivered to Gmail mailbox
Spam classification details:
The message was considered suspicious.
The message contains suspicious content.

It's retrieved from admin.google.com > reporting > Email log search

3 replies

Eoved
  • Bronze 1
  • June 10, 2025

Hi,
How do you perform log collection from Google Workspace? Are you using direct ingestion as described in the following link?
https://cloud.google.com/chronicle/docs/ingestion/cloud/workspace-to-chronicle
Or are you collecting Google Workspace logs by setting up a SecOps feed, as shown here?
https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-workspace-logs
From my experience, direct ingestion provides more data than the feed (for example: feed methods cannot ingest Gmail application logs) — this is also what’s recommended in the documentation:

devashishsingh

We use direct ingestion, yet I do not have much of it. Anyway, I have a support ticket opened for this case. If I hear back anything from them, will update here.


  • Bronze 3
  • June 17, 2025

Can you give the UDM field a try:

https://cloud.google.com/chronicle/docs/reference/udm-field-list#securityresultsecuritycategory
SecurityResult.SecurityCategory = "MAIL_SPAM"

maybe something like this:

metadata.vendor_name = "Google Workspace"
security_result.category = "MAIL_SPAM"