What Changed

A single field, queryWindowDelayInMin: 30, was added to the Google Meet activity poller block in GoogleWorkspaceReports_PollingConfig.json. The existing queryWindowInMin remains at 10 minutes; the delay parameter shifts the polling window 30 minutes into the past.

Security Impact (Visibility & Fidelity)

Google Meet audit events are not available in real time via the Google Workspace Reports API. They appear with a latency of up to 30 minutes. Without queryWindowDelayInMin, the CCF poller queried the meet activity stream at or near the current time and consistently missed events that Google had not yet indexed. The result was a complete ingestion failure for Google Meet activity logs on all affected deployments.

Logs affected include Meet conference join/leave events, recording actions, and administrative changes - activity that may be relevant to insider threat and data exfiltration investigations (MITRE ATT&CK T1213 - Data from Information Repositories; T1567 - Exfiltration Over Web Service when recordings are exported).

With queryWindowDelayInMin: 30 in place, the poller now queries a time window ending 30 minutes ago, ensuring events have had sufficient time to appear in the Google API response before they are requested.
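
The effect of the shifted window, as an added example (not the connector's own code): a small Python simulation comparing a 10-minute window with and without the 30-minute delay. It assumes the poller runs once every queryWindowInMin minutes and requests the half-open range [now - delay - window, now - delay); the event names, timestamps and indexing latencies are constructed.

```python
from datetime import datetime, timedelta, timezone

def poll_window(now, window_min, delay_min=0):
    """Return (start, end) of the time range a poll issued at `now` requests."""
    end = now - timedelta(minutes=delay_min)
    return end - timedelta(minutes=window_min), end

def simulate(events, first_poll, polls, window_min, delay_min=0):
    """Replay back-to-back polls and return the set of event ids ingested.

    events: list of (event_id, occurred_at, indexing_latency_min).
    A poll returns an event only if its timestamp is inside the requested
    window AND the API already exposes it (occurred_at + latency <= now).
    """
    seen = set()
    for i in range(polls):
        now = first_poll + timedelta(minutes=i * window_min)
        start, end = poll_window(now, window_min, delay_min)
        for event_id, occurred_at, latency in events:
            visible_at = occurred_at + timedelta(minutes=latency)
            if start <= occurred_at < end and visible_at <= now:
                seen.add(event_id)
    return seen

# Constructed sample: four Meet audit events, each indexed 12 to 30 minutes late.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    ("join",            T0 + timedelta(minutes=1),  12),
    ("recording_start", T0 + timedelta(minutes=4),  25),
    ("leave",           T0 + timedelta(minutes=8),  30),
    ("admin_change",    T0 + timedelta(minutes=15), 18),
]
FIRST_POLL = T0 + timedelta(minutes=10)

def missed(delay_min):
    """Event ids never ingested over six consecutive polls."""
    got = simulate(EVENTS, FIRST_POLL, polls=6, window_min=10, delay_min=delay_min)
    return sorted({e[0] for e in EVENTS} - got)

if __name__ == "__main__":
    print("delay=0  missed:", missed(0))   # every event is requested before it is indexed
    print("delay=30 missed:", missed(30))  # window has aged past the indexing latency
```

Because each window is requested only once, an event that is not yet indexed when its window is polled is never picked up by a later poll, which is why the gap is permanent rather than a delay.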

If your deployment runs the Google Workspace Reports connector and relies on Google Meet audit data for detection or investigation, assume a historical gap exists since connector installation. Review whether any detections or hunting queries reference Meet activity; retroactive log ingestion is not automatic.

Affected Files

Solutions/GoogleWorkspaceReports/Data Connectors/GoogleWorkspaceTemplate_ccp/GoogleWorkspaceReports_PollingConfig.json
(packaging artefacts: 3.0.5.zip, ReleaseNotes.md, Solution_GoogleWorkspaceReports.json, mainTemplate.json)