Google Workspace Drive is where data leaves an MSP client without anyone noticing. A user grants Edit access to a personal Gmail address. A departing engineer copies a Shared Drive's entire contents to a personal account in their last two weeks. A compromised user generates an "Anyone with the link" sharing link on a Drive of accounting records. Google Workspace records every one of those events in the audit log. Almost nobody reads it.
Lavawall®'s Google Drive change-monitoring module consumes the Google Workspace Reports API and the Drive Activity API on a continuous cycle per tenant. The same patterns that matter on SharePoint matter on Drive: mass downloads, anomalous external sharing, sensitive-folder access bursts, sharing-link generation by users who normally don't. Each event is correlated with the actor's other Google Workspace activity, the endpoint they signed in from (via the Lavawall® agent), and the rest of the Google Workspace breach-detection findings.
What it monitors
- Every Drive activity event. File created, modified, viewed, downloaded, deleted, moved, copied, renamed, restored from trash, permanently deleted — with actor email, source IP, file or folder identifier, and Drive scope (My Drive vs Shared Drive).
- External sharing. Sharing to an external Google account, to a personal Gmail address, to a non-Google address, anonymous-link generation, link-target-audience changes. The change feed shows the actor, the recipient, the file, and the permission level (viewer / commenter / editor / owner).
- Mass-download detection. A user downloading N files in M minutes from a Drive they don't normally access. Threshold configurable per Drive; the breach-detection module raises a high-severity finding when triggered.
- Departing-employee pattern. Pre-defined detection for the "copy the Drive to my personal account before I leave" pattern — bulk owner-transfers, broad sharing-link generation, mass downloads, and similar.
- Ransomware-encryption pattern. Mass-modify events with content-replacement patterns characteristic of Drive ransomware. Drive's revision history gives the recovery path; Lavawall®'s detection gives the time-to-detect.
- Shared Drive membership changes. Members added, removed, or promoted on a Shared Drive — correlated with the actor's Google Workspace identity activity. The same data feeds the AD & M365 user reporting module's privilege-creep view extended to Google Workspace.
- Drive sharing-policy changes. Domain-level and OU-level sharing policy changes (external sharing enabled, anonymous links allowed, target-audience widened) are captured separately from the file-level events so the MSP can see the policy change that enabled the subsequent activity.
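The mass-download rule described above ("N files in M minutes from a Drive they don't normally access", with per-Drive thresholds) can be sketched as a sliding-window check over download events. This is an added example, not Lavawall® code: the flattened event fields, the baseline map of Drives each user normally accesses, the threshold values and the function name are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified, assumed shape (not the raw Reports API format).
def _ev(minute, actor, drive, file_id, action="download"):
    return {"time": datetime(2024, 5, 1, 9, 0) + timedelta(minutes=minute),
            "actor": actor, "drive": drive, "file": file_id, "action": action}

SAMPLE_EVENTS = (
    [_ev(i, "alice@example.com", "finance", f"f{i}") for i in range(6)]         # burst, unfamiliar Drive
    + [_ev(i, "bob@example.com", "engineering", f"e{i}") for i in range(6)]     # burst, bob's usual Drive
    + [_ev(i * 30, "carol@example.com", "finance", f"c{i}") for i in range(6)]  # slow trickle
)
# Assumed baseline: Drives each user normally accesses (e.g. derived from earlier activity).
BASELINE = {"alice@example.com": {"engineering"}, "bob@example.com": {"engineering"},
            "carol@example.com": {"hr"}}
THRESHOLDS = {"finance": (5, 10)}   # per-Drive (N files, M minutes); values are illustrative
DEFAULT_THRESHOLD = (20, 10)

def detect_mass_downloads(events, baseline, thresholds, default=DEFAULT_THRESHOLD):
    """Return one high-severity finding per (actor, drive) that crosses its threshold."""
    windows = defaultdict(deque)    # (actor, drive) -> recent (time, file) pairs
    findings = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] != "download":
            continue
        actor, drive = ev["actor"], ev["drive"]
        if drive in baseline.get(actor, set()):
            continue                # a Drive the user normally accesses is out of scope
        n, m = thresholds.get(drive, default)
        win = windows[(actor, drive)]
        win.append((ev["time"], ev["file"]))
        while ev["time"] - win[0][0] > timedelta(minutes=m):
            win.popleft()           # drop downloads older than the M-minute window
        distinct = {f for _, f in win}   # repeated downloads of one file count once
        if len(distinct) >= n and (actor, drive) not in findings:
            findings[(actor, drive)] = {
                "actor": actor, "drive": drive, "severity": "high",
                "files": len(distinct), "first_seen": win[0][0], "triggered": ev["time"]}
    return list(findings.values())

if __name__ == "__main__":
    print(detect_mass_downloads(SAMPLE_EVENTS, BASELINE, THRESHOLDS))
```

Only the burst against an unfamiliar Drive is reported; the same burst on a user's usual Drive and the slow trickle across the window boundary are not.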
How it works
Google Workspace integration. The module shares its OAuth-delegated service account with the Lavawall® Google Workspace breach-detection module. One tenant onboarding covers both. Read-only Drive Activity API and Reports API scopes; no write access to Drive content.
Ingestion cadence. The Reports API and Drive Activity API are polled per tenant on a configurable cycle (typically 15–30 minutes). High-severity detections (mass download, anomalous external share, departing-employee pattern) trigger immediate notification through the Lavawall® notifications framework.
Endpoint correlation. A file-download event correlated with a Lavawall®-managed endpoint is materially more informative than the event alone. The change feed shows the endpoint hostname, the signed-in Google account, and the application that initiated the download (Drive sync client, browser, third-party app).
Retention. Google Workspace retains audit data for 180 days on Business / Enterprise plans. Lavawall® ingests on the polling cycle and retains for the contract term, with export available in CSV, JSON, and the Lavawall®-native evidence-bundle format.
Audit and compliance use
Drive activity feeds the same compliance evidence base as the SharePoint module — SOC 2 access controls, HIPAA audit controls, NIST 800-171 audit-and-accountability requirements, the Canadian privacy bundle (PIPEDA / Alberta PIPA / BC PIPA / Quebec Law 25), ISO 27001 monitoring controls. Reports are filterable by client, by Drive, by user, and by date range.
Frequently asked
- Does this cover Google Shared Drives?
  Yes. The Drive Activity API surfaces events for both My Drive (per-user) and Shared Drives (team-owned). Lavawall® shows both in the same change feed with a scope filter.
- What about external sharing to non-Google accounts?
  Covered. Drive sharing to an external Google account, a personal Gmail address, or an external non-Google address (via the "Anyone with the link" option, or via a per-file share) is captured with the actor, the recipient, the file or folder, and the permission level. Anonymous-link generation is flagged separately because it is a higher-risk pattern than a named-recipient share.
- How does this compare to Google Workspace's native audit log?
  Google Workspace retains audit data for 180 days on Business / Enterprise plans. Lavawall® ingests the same data, retains it for the contract term, surfaces alerts the native console does not produce (mass downloads, anomalous sharing, ransomware-encryption patterns on Drive), and correlates Drive activity with the endpoint the user signed in from.
- Is mass-download detection supported?
  Yes — the breach-detection module raises a high-severity finding when a user downloads N files in M minutes from a Drive they don't normally access, with thresholds configurable per Drive.
- Can this catch the "departing-employee export" pattern?
  It is one of the defined detection patterns. A user adding their personal Gmail address to a shared Drive, downloading the entire Drive contents to their local machine, or generating broad anonymous sharing links in their last two weeks of employment is exactly what the module is built to catch.