Google Gmail Logs Integration
Overview
Google Gmail provides email services with comprehensive admin and security logs available through Google Workspace. KYRA MDR collects Gmail log events via the Reports API for email security monitoring. The integration requires Google Workspace Business or Enterprise.
Prerequisites
- A KYRA MDR Collector installed and running
- Google Workspace account with Super Admin role
- Service account with domain-wide delegation
- Reports API enabled in Google Cloud Console
Configuration
Configure Google Workspace Gmail log collection:
- Create a service account in Google Cloud Console
- Enable domain-wide delegation
- In Google Workspace Admin > Security > API Controls > Domain-wide Delegation, add the service account with scope:
https://www.googleapis.com/auth/admin.reports.audit.readonly
- Configure the KYRA MDR collector:
```yaml
sources:
  - type: gmail
    service_account_file: /path/to/service-account.json
    delegated_admin: admin@yourdomain.com
    poll_interval: 300s
```

- Restart the collector service
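A pre-flight check for the service account key before restarting the collector. This is an added example, not KYRA MDR code: it confirms the file is a service account key, flags permissions that expose the private key, and returns the client ID and scope to enter under Domain-wide Delegation. The function names, the file-mode and `delegated_admin` checks, and the sample key values are assumptions made for illustration.

```python
import json
import os
import stat
import tempfile

# Scope this page lists for the Domain-wide Delegation entry.
SCOPE = "https://www.googleapis.com/auth/admin.reports.audit.readonly"
# Fields found in a Google Cloud service account JSON key.
REQUIRED = ("type", "client_email", "client_id", "private_key", "token_uri")


def preflight(key_path, delegated_admin):
    """Return (problems, entry): entry is what to add under Domain-wide Delegation."""
    problems = []
    try:
        mode = stat.S_IMODE(os.stat(key_path).st_mode)
        with open(key_path, encoding="utf-8") as fh:
            key = json.load(fh)
    except (OSError, ValueError) as exc:
        return [f"cannot read key file: {exc}"], None
    if not isinstance(key, dict):
        return ["key file is not a JSON object"], None
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"key file mode {mode:o} exposes the private key; use 600")
    missing = [name for name in REQUIRED if not key.get(name)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append("not a service account key (type != service_account)")
    # delegated_admin must be a Workspace admin user, not the service account.
    if delegated_admin.endswith("gserviceaccount.com") or "@" not in delegated_admin:
        problems.append("delegated_admin must be a Workspace admin mailbox")
    return problems, {"client_id": key.get("client_id"), "scopes": [SCOPE]}


def write_sample_key(mode):
    """Write a constructed key file (placeholder values only) with the given mode."""
    sample = {"type": "service_account", "client_id": "100000000000000000001",
              "client_email": "collector@example-project.iam.gserviceaccount.com",
              "private_key": "CONSTRUCTED-PLACEHOLDER",
              "token_uri": "https://oauth2.googleapis.com/token"}
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(sample, fh)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    path = write_sample_key(0o644)
    print(preflight(path, "admin@yourdomain.com"))
    os.remove(path)
```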
Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| Login | Gmail authentication events | Access monitoring, brute-force detection |
| Email Sent | Outbound email events | Data exfiltration monitoring |
| Email Received | Inbound email events | Phishing detection |
| Spam/Phishing | Flagged email events | Threat detection |
| DLP | Data loss prevention matches | Sensitive data protection |
| Admin | Gmail admin setting changes | Security policy monitoring |
Troubleshooting
No log data: Gmail logs require Google Workspace Business or Enterprise.
Service account errors: Ensure domain-wide delegation is properly configured with the correct scopes.
Data availability: Gmail log data may have a delay of several hours.
Contact kyra@seekerslab.com for support.