Hi,
As part of security monitoring and response, I'd like to be able to identify the attachment name using the logs from Google Workspace. Within Google Admin Investigation tool the attachment name is displayed, but it does not appear to be included in log files we export to our SIEM. I therefore have to pivot between tools rather than automate response from my security tooling.
Is this something that is simply missing from the logging and something we need to request from Google? Or is it a local configuration problem my-end?
It would be very useful to identify mass email spam campaigns, identify malicious attachments and/or business data/files too.
Thanks!
How are you currently exporting the email log files to your SIEM?
GWS is configured to push logs into a GCP BQ table. This is pulled into the SIEM.
The attachment name is not in GCP BQ - so GWS is not sending it as far as I can tell.
It is currently set up as per this: https://support.google.com/a/answer/7233312?hl=en
What @PaulH_uk said. Follow that guide and then make sure to check the mail log schema for BQ here:
https://support.google.com/a/answer/7230050
Pay special attention to these fields:
message_info.attachment
message_info.attachment.file_extension_type
If set up as per Paul's link, these should show up in your BQ table.
Since you are feeding a SIEM, these two might be of interest as well:
message_info.attachment.malware_family
message_info.attachment.sha256
The last one is nice to correlate with any XDR/EDR feeds.
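To show how those fields are actually pulled out of the export once they land in BigQuery, here is an added example query (mine, not something posted in this thread or published by Google). It assumes the standard Gmail log export layout: a dataset of daily_YYYYMMDD tables, message_info.attachment as a repeated record, and the event_info.timestamp_usec, message_info.rfc2822_message_id, message_info.subject and message_info.source.address fields from the linked schema page; `your-project.gmail_logs` is a placeholder to replace with your own project and dataset.

```sql
-- Added example, not from the thread. Dataset/project name is a placeholder; the
-- non-attachment fields are taken from the linked BQ mail log schema and should be
-- checked against it if a column is reported as missing.

-- 1. Per-message attachment metadata for the last 7 days, limited to rows where the
--    export actually carried a hash or a malware verdict. sha256 is the join key to
--    use against EDR/XDR file telemetry in the SIEM.
SELECT
  TIMESTAMP_MICROS(event_info.timestamp_usec) AS event_time,
  message_info.rfc2822_message_id             AS message_id,
  message_info.source.address                 AS sender,
  message_info.subject                        AS subject,
  att.file_extension_type                     AS extension,
  att.sha256                                  AS sha256,
  att.malware_family                          AS malware_family
FROM `your-project.gmail_logs.daily_*`,
     UNNEST(message_info.attachment) AS att
WHERE _TABLE_SUFFIX BETWEEN FORMAT_DATE('%Y%m%d', DATE_SUB(CURRENT_DATE(), INTERVAL 7 DAY))
                        AND FORMAT_DATE('%Y%m%d', CURRENT_DATE())
  AND (att.sha256 IS NOT NULL OR att.malware_family IS NOT NULL)
ORDER BY event_time DESC;

-- 2. Campaign view: the same attachment hash arriving in many messages from many
--    senders inside the window is the mass-mailing pattern the original question
--    wants to spot. The threshold of 20 is arbitrary; tune it to your mail volume.
SELECT
  att.sha256                                    AS sha256,
  att.file_extension_type                       AS extension,
  COUNT(*)                                      AS messages,
  COUNT(DISTINCT message_info.source.address)   AS distinct_senders,
  MIN(TIMESTAMP_MICROS(event_info.timestamp_usec)) AS first_seen,
  MAX(TIMESTAMP_MICROS(event_info.timestamp_usec)) AS last_seen
FROM `your-project.gmail_logs.daily_*`,
     UNNEST(message_info.attachment) AS att
WHERE _TABLE_SUFFIX BETWEEN FORMAT_DATE('%Y%m%d', DATE_SUB(CURRENT_DATE(), INTERVAL 7 DAY))
                        AND FORMAT_DATE('%Y%m%d', CURRENT_DATE())
  AND att.sha256 IS NOT NULL
GROUP BY sha256, extension
HAVING messages >= 20
ORDER BY messages DESC;
```

Running the first query with a known test message is a quick way to confirm which attachment sub-fields the export populates for your tenant: if the UNNEST returns rows with sha256 and file_extension_type but no name column exists in the record, the name is not in the export at all rather than being dropped by the SIEM ingest.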
Sorry, should have said - that was me providing a link to how it is currently configured. (I responded to your message)
We already have "message_info.attachment.file_extension_type" working, along with the other 2 you mention. However, "message_info.attachment" doesn't appear to have any values or fields for the attachment name.
@PaulH_uk wrote: Sorry, should have said - that was me providing a link to how it is currently configured. (I responded to your message)
Haha... oh my god... how did I not see that? Sorry about that. It's been a busy day, is my only excuse.
@PaulH_uk wrote: We already have "message_info.attachment.file_extension_type" working, along with the other 2 you mention. However, "message_info.attachment" doesn't appear to have any values or fields for the attachment name.
Hm, that's really odd. Then I am out of ideas, I'm afraid. Unless someone else jumps in, your best option would be contacting Google support.
You can open a ticket here:
https://support.cloud.google.com/portal/
Thank you!
I don't have permission to raise a support case, so will have to defer to the IT team internally.