Team: Managed Identity Threat Detection and Response (ITDR)
Product: Google Workspace
Summary: Understand the permissions required to run the Huntress Managed ITDR integration for Google Workspace.
Overview
As with Managed ITDR for Microsoft 365, Huntress needs a specific set of permissions in order to pull data from Google Workspace services. This guide breaks down those permissions so you understand what data we collect and how we access it.
In this Article
Super Admin Requirements
Sensitive Scope Justification
Restricted Scope Justification
Gmail Scope Justification
Super Admin Requirements
To perform the setup, you must be signed in to your Google Admin console as a Super Administrator. Standard administrator accounts do not have sufficient permissions to authorize domain-wide delegation. This administrator account must remain active and must retain super admin privileges for the ITDR integration to function correctly.
Sensitive Scope Justification
Huntress ITDR is a managed security monitoring service that helps our SMB customers detect abuse of user identities through Google Workspace applications.
The following sensitive scopes are required to detect malicious activity affecting Google Workspace (GWS) identities, as described below:
| Scope | Justification |
|---|---|
| auth/admin.directory.device.chromebrowsers.readonly | Identify outdated, vulnerable versions of the Chrome browser |
| auth/admin.directory.device.chromeos | Identify outdated, vulnerable versions of Chrome OS |
Restricted Scope Justification
Huntress ITDR is a managed security monitoring service that helps our SMB customers detect abuse of user identities through Google Workspace applications.
These restricted scopes are required to detect anomalous or malicious Google Drive activity associated with threat actor data exfiltration.
| Scope | Justification |
|---|---|
| auth/drive.metadata.readonly | For key file header (metadata) information |
| auth/drive.readonly | To inspect file contents for malicious payloads, including malware or malicious URLs |
Specifically, they enable Huntress to better detect threat actors who:
- compromise a user account or OAuth token
- enumerate sensitive Drive content (metadata access)
- perform bulk read operations to stage or mirror data externally
- avoid writes, shares, or permission changes to stay stealthy
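To illustrate the pattern described above (high-volume metadata and file reads with no writes, shares, or permission changes), here is an added example heuristic run over constructed activity records. It is not Huntress's detection logic, and the record layout and action names are assumptions for the example rather than a real Drive API format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified activity records: (ISO timestamp, principal, action).
# The action names are placeholders for this example, not a real Drive API format.
READ_ACTIONS = {"list_metadata", "read_file"}
WRITE_ACTIONS = {"edit", "share", "permission_change", "delete"}


def flag_stealthy_bulk_reads(records, window=timedelta(minutes=10), threshold=50):
    """Return [(principal, read_count)] for principals that reach `threshold`
    read/metadata events inside `window` and never write, share, or change
    permissions. Principals that do write are skipped, since the pattern
    described in the text is quiet, read-only staging of data."""
    by_principal = defaultdict(list)
    for ts, principal, action in records:
        by_principal[principal].append((datetime.fromisoformat(ts), action))
    findings = []
    for principal, events in by_principal.items():
        if any(a in WRITE_ACTIONS for _, a in events):
            continue
        reads = sorted(ts for ts, a in events if a in READ_ACTIONS)
        start = 0
        for end in range(len(reads)):  # sliding window over sorted read timestamps
            while reads[end] - reads[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append((principal, end - start + 1))
                break
    return findings


def sample_records():
    """Constructed sample: a quiet bulk reader, a busy editor, and a normal user."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    recs = []
    for i in range(60):  # 60 reads in 5 minutes, no writes or shares
        recs.append(((base + timedelta(seconds=5 * i)).isoformat(),
                     "svc-token@example.com", "list_metadata" if i % 2 else "read_file"))
    for i in range(60):  # same read volume, but this user also shares a file
        recs.append(((base + timedelta(seconds=5 * i)).isoformat(), "alice@example.com", "read_file"))
    recs.append(((base + timedelta(minutes=3)).isoformat(), "alice@example.com", "share"))
    for i in range(5):  # low-volume, ordinary usage
        recs.append(((base + timedelta(minutes=i)).isoformat(), "bob@example.com", "read_file"))
    return recs


if __name__ == "__main__":
    print(flag_stealthy_bulk_reads(sample_records()))  # [('svc-token@example.com', 50)]
```

Only the principal with bulk reads and no write activity is flagged; the thresholds are illustrative and would be tuned against a tenant's normal baseline.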
Gmail Scope Justification
Huntress ITDR is a managed security monitoring service that helps our SMB customers detect abuse of user identities through Google Workspace applications.
These scopes will be used to identify and remediate malicious phishing emails from identity mailboxes.
| Scope | Justification |
|---|---|
| auth/gmail.modify | Allows our customers to manually bulk delete mass spam/phishing emails that were sent internally as part of a BEC attack |
| auth/gmail.readonly | Allows our product to detect abuse such as outbound spam or malicious inbox/filter manipulation |
| auth/gmail.settings.sharing | Allows us to detect evasive threat actor behaviors such as delegation of mailbox access to threat actors as a means of persistence |