Google Workspace Integration
Overview
This integration collects login events, Drive file activity, OAuth app authorizations, admin console changes, and Gmail phishing alerts from Google Workspace via the Admin SDK Reports API.
Supported services: Gmail, Google Drive, Calendar, Admin Console
Prerequisites
- A KYRA MDR Collector installed and running (Installation Guide)
- Google Workspace Business Starter plan or higher
- Google Workspace super admin access
- A Google Cloud project with the Admin SDK API enabled
Configuration
Step 1: Create a Service Account
- Go to Google Cloud Console
- Create a project and enable the Admin SDK API
- Create a service account under IAM & Admin > Service Accounts
- Generate a JSON key for the service account
Step 2: Delegate Domain-Wide Authority
- In the Google Admin console, go to Security > API Controls > Domain-wide Delegation
- Add the service account Client ID with the following scopes:
https://www.googleapis.com/auth/admin.reports.audit.readonly
https://www.googleapis.com/auth/apps.alerts
Step 3: Verify API Access
GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login
Authorization: Bearer <OAuth2_token>
Step 4: Provide Credentials to KYRA MDR
Upload the service account JSON key in the KYRA MDR integration settings.
Collected Log Types
| Log Type | Security Use | Priority |
|---|---|---|
| Login success/failure | Account takeover, brute force detection | Critical |
| Suspicious login | Google-detected anomalies (foreign IP, new device) | Critical |
| MFA events | MFA bypass attempt detection | High |
| Drive external sharing | Data exfiltration detection | Critical |
| Drive bulk download | Pre-resignation data theft | High |
| OAuth app authorization | Malicious app access detection | High |
| Admin setting changes | Security policy weakening detection | High |
| Gmail phishing alerts | Phishing email detection | Critical |
| Password changes | Post-compromise credential changes | High |
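The "Login success/failure" row above, worked through as an added example (not KYRA MDR's own detection code): it reads a response shaped like the Reports API `login` activity list and flags a successful login that follows repeated failures for the same account. The sample records, the `_activity` helper, the threshold and the window are constructed assumptions; the field names follow the Reports API activity layout.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _activity(ts, email, ip, name):
    """Build one constructed record in the Reports API activity item layout."""
    return {"id": {"time": ts, "applicationName": "login"},
            "actor": {"email": email}, "ipAddress": ip,
            "events": [{"type": "login", "name": name}]}

# Constructed sample (not real telemetry); IPs are RFC 5737 documentation ranges.
SAMPLE = {"items": [
    _activity("2024-05-01T10:03:00.000Z", "alice@example.com", "203.0.113.7", "login_success"),
    _activity("2024-05-01T10:02:00.000Z", "alice@example.com", "203.0.113.7", "login_failure"),
    _activity("2024-05-01T10:01:30.000Z", "bob@example.com", "198.51.100.9", "login_success"),
    _activity("2024-05-01T10:01:00.000Z", "alice@example.com", "203.0.113.7", "login_failure"),
    _activity("2024-05-01T10:00:30.000Z", "bob@example.com", "198.51.100.9", "login_failure"),
    _activity("2024-05-01T10:00:00.000Z", "alice@example.com", "203.0.113.7", "login_failure"),
    _activity("2024-05-01T09:00:00.000Z", "carol@example.com", "198.51.100.20", "login_success"),
    _activity("2024-05-01T08:02:00.000Z", "carol@example.com", "198.51.100.20", "login_failure"),
    _activity("2024-05-01T08:01:00.000Z", "carol@example.com", "198.51.100.20", "login_failure"),
    _activity("2024-05-01T08:00:00.000Z", "carol@example.com", "198.51.100.20", "login_failure"),
]}

def flag_failures_then_success(response, threshold=3, window=timedelta(minutes=10)):
    """Return (email, ip, failure_count) for each login_success preceded by at
    least `threshold` login_failure events for the same account within `window`."""
    events = []
    for item in response.get("items", []):
        ts = datetime.fromisoformat(item["id"]["time"].replace("Z", "+00:00"))
        for ev in item.get("events", []):
            events.append((ts, item.get("actor", {}).get("email"),
                           item.get("ipAddress"), ev.get("name")))
    events.sort(key=lambda e: e[0])  # oldest first, whatever order the API returned
    failures, findings = defaultdict(list), []
    for ts, email, ip, name in events:
        if name == "login_failure":
            failures[email].append(ts)
        elif name == "login_success":
            recent = [t for t in failures[email] if ts - t <= window]
            if len(recent) >= threshold:
                findings.append((email, ip, len(recent)))
            failures[email].clear()  # a success resets the failure streak
    return findings
```

Carol's failures fall outside the ten-minute window and Bob has a single failure, so only Alice's sequence is reported at the default settings.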
Troubleshooting
API Authentication Errors
- Verify the service account JSON key is valid
- Ensure domain-wide delegation is configured with the correct scopes
- Confirm the Admin SDK API is enabled in the Google Cloud project
Missing Events
- Some events require Google Workspace Business Plus or Enterprise licenses
- Alert Center API events require separate enablement
For additional help, contact kyra@seekerslab.com.