Google Workspace email logs
Jutsu collects Google Workspace email and admin activity and converts it into alerts, so suspicious mail flow and account events show up alongside the rest of your telemetry.
Overview
A poller periodically fetches Google Workspace email and admin logs, classifies the activity, and turns relevant events into Jutsu alerts — for example, phishing indicators and suspicious login signals. The poller authenticates with a Google Workspace credential and runs on the Jutsu side, so there is nothing to install on your Workspace tenant beyond granting access.
What this enables
Once the poller is connected, Jutsu:
- Surfaces email and admin activity as alerts with Google Workspace as the source.
- Highlights phishing and suspicious-login signals derived from Gmail and admin events.
- Feeds those alerts into the same triage, correlation, and response loop as every other source.
Prerequisites
Before you start, make sure you have:
- A Google Workspace credential connected in Jutsu — set this up in the Google Workspace integration.
- An admin role in your Jutsu organization to connect the source.
- Workspace admin consent to grant Jutsu read access to the relevant email and admin activity.
Confirm the exact scopes and consent steps against your deployment.
Connect
- Connect your Google Workspace credential first — follow Google Workspace to authorize Jutsu.
- In Jutsu, enable the Google Workspace email logs source and select the credential to use.
- Jutsu's poller begins fetching email and admin activity on a regular interval and converting relevant events into alerts.
The polling interval and available activity types depend on your deployment and granted scopes. Confirm them in your Jutsu integration screen.
Verify
After connecting, confirm the pipeline end to end:
- Generate test activity in Workspace (for example, a flagged or suspicious-looking message) that should produce a signal.
- Wait for the next poll cycle to complete.
- In Jutsu, open the Alerts view and confirm alerts appear with Google Workspace as the source.
Troubleshooting
If no alerts arrive after a poll cycle, work through the most common causes:
| Symptom | Likely cause | Fix |
|---|---|---|
| No alerts arriving | Credential missing or expired | Reconnect the credential in Google Workspace. |
| No alerts arriving | Insufficient scopes or consent | Re-grant admin consent so Jutsu can read the required email and admin activity. |
| No alerts arriving | Source not enabled | Confirm the Google Workspace email logs source is enabled and points at the right credential. |
| Only some events appear | Activity below alert thresholds | Generate higher-signal test activity and confirm it falls within the monitored types. |
| Alerts delayed | Waiting on the next poll cycle | Allow a full interval; the poller fetches on a schedule rather than in real time. |
If alerts still don't appear, confirm the credential's scopes and the poller's status against your deployment before opening a support request.
Related
- Google Workspace — set up the credential this source depends on.
- Alerts — work Google Workspace alerts once data is flowing.
- Integrations — see all available and roadmap sources.