
Google Workspace integration

You can integrate Google Workspace with Sophos Central so that it sends alerts to Sophos for analysis.

This page gives you an overview of the integration.

Google Workspace product overview

Google Workspace is a comprehensive suite of cloud-based productivity and collaboration tools designed to empower businesses and individuals. It facilitates seamless collaboration and efficient work management through a range of applications, including Gmail, Google Drive, Google Docs, Google Sheets, Google Slides, and more. Google Workspace enables users to access their work anytime, anywhere, fostering a flexible and collaborative work environment while ensuring data security and integrity through advanced security features and compliance standards.

Sophos documents

Integrate Google Workspace

What we ingest

Sample alerts seen by Sophos:

  • User reported phishing
  • Gmail potential employee spoofing
  • Malware reclassification
  • Suspicious logins
  • Suspicious programmatic logins

Filtering

We filter the results to remove irrelevant alert types including the following:

  • Certificate expiry
  • Status updates (for example, outages)
  • Account configuration issues
  • Google Service Announcements (MSAs)
  • Report logging

Sample threat mappings

The alert type is defined by the "type" field ("value": "{{fields.type}}").

Here are examples mapped to MITRE ATT&CK.

{"alertType": "Leaked password", "threatId": "T1078", "threatName": "Valid Accounts"}
{"alertType": "User granted Admin privilege", "threatId": "TA0004", "threatName": "Privilege Escalation"}
{"alertType": "Device compromised", "threatId": "TA0001", "threatName": "Initial Access"}

Vendor documentation