BitLyft Air: Google Workspace
Google Workspace Remediation Actions
Account Security & Compromise Response
| Action | Description | Use Case |
|---|---|---|
| Log out user | Logs a user out of all active sessions in Google Workspace. | Used when account compromise is suspected to immediately terminate attacker access and invalidate active sessions. |
| Reset User Password | Resets a user’s password in Google Workspace. | Used during incident response to secure compromised accounts and prevent further unauthorized access. |
| Disable User | Suspends a user account in Google Workspace, preventing login and access. | Used to immediately block access for compromised users, insider threats, or during offboarding processes. |
| Enable User | Restores access to a previously suspended user account. | Used after resolving security incidents or reinstating access for legitimate users. |
Identity & Directory Visibility
| Action | Description | Use Case |
|---|---|---|
| List Users | Lists all users in a Google Workspace organization. | Supports investigations, compliance reporting, and incident triage by providing full visibility into user accounts and identities. |
| Total Users Count | Retrieves the total number of users in the Google Workspace organization. | Useful for audits, licensing validation, or detecting anomalies such as unauthorized account creation. |
Email Security & Phishing Response
| Action | Description | Use Case |
|---|---|---|
| Email Subject Line Count | Counts the number of messages with a specific subject line in a user's mailbox. | Helps identify phishing campaigns by determining how widely a malicious or suspicious email has spread across users. |
| Quarantine Email - Subject Line | Moves all messages with the specified subject to the Spam folder for targeted users. | Used to quickly contain phishing campaigns by removing known malicious emails based on subject line. |
| Quarantine Email - Sender Address | Moves all messages from a specified sender to the Spam folder for targeted users. | Blocks known malicious senders and prevents further interaction with harmful emails or attachments. |
Email Forwarding & Data Exfiltration Prevention
| Action | Description | Use Case |
|---|---|---|
| Get Forwarding Addresses | Retrieves configured forwarding addresses for a Google Workspace user. | Used to detect potential data exfiltration by identifying unauthorized email forwarding rules. |
| Delete Forwarding Address | Removes a specific forwarding address from a user’s mailbox configuration. | Used to stop data leakage by removing unauthorized forwarding destinations discovered during investigations. |
| Delete All Forwarding Addresses | Removes all forwarding addresses configured for a user. | Used during incident response to fully eliminate unauthorized forwarding and secure compromised accounts. |
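The forwarding review behind the three actions above is: list a user's forwarding addresses, decide which ones are legitimate, and delete the rest. The block below is an added example of that decision step, written for this page and not BitLyft Air's own code. It assumes the input has the shape of a Gmail API `users.settings.forwardingAddresses.list` response (a `forwardingAddresses` list of `forwardingEmail`/`verificationStatus` entries); the user, domains and addresses are constructed sample data.

```python
"""Classify a user's Gmail forwarding addresses as keep/delete during a forwarding review.

Added example (not BitLyft Air code). Input shape is assumed to mirror the Gmail API
users.settings.forwardingAddresses.list response; all sample values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ForwardingDecision:
    address: str
    verified: bool   # True when Gmail reports verificationStatus == "accepted"
    action: str      # "keep" or "delete"
    reason: str


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def is_internal(address: str, org_domains: set[str]) -> bool:
    """True when the address belongs to one of the organisation's domains or a subdomain of one."""
    dom = _domain(address)
    return any(dom == d or dom.endswith("." + d) for d in org_domains)


def review_forwarding(api_response: dict, org_domains: set[str],
                      allowlist: frozenset[str] = frozenset()) -> list[ForwardingDecision]:
    """Decide, per forwarding address, whether it should be kept or removed.

    Policy: allowlisted addresses and in-domain destinations are kept; every other
    destination is flagged for deletion, whether or not verification completed,
    because a pending external address still indicates an attempted forward.
    """
    decisions: list[ForwardingDecision] = []
    for entry in api_response.get("forwardingAddresses", []):
        addr = entry["forwardingEmail"].strip().lower()
        verified = entry.get("verificationStatus") == "accepted"
        if addr in allowlist:
            decisions.append(ForwardingDecision(addr, verified, "keep", "allowlisted"))
        elif is_internal(addr, org_domains):
            decisions.append(ForwardingDecision(addr, verified, "keep", "internal domain"))
        else:
            decisions.append(ForwardingDecision(addr, verified, "delete", "external destination"))
    return decisions


def addresses_to_delete(api_response: dict, org_domains: set[str],
                        allowlist: frozenset[str] = frozenset()) -> list[str]:
    """Convenience wrapper: the list a 'Delete Forwarding Address' step would iterate over."""
    return [d.address for d in review_forwarding(api_response, org_domains, allowlist)
            if d.action == "delete"]


# Constructed sample response for a hypothetical user alice@example.com.
SAMPLE_RESPONSE = {
    "forwardingAddresses": [
        {"forwardingEmail": "alice.archive@mail.example.com", "verificationStatus": "accepted"},
        {"forwardingEmail": "Collector@unknown.example", "verificationStatus": "pending"},
        {"forwardingEmail": "ticketing@partner.example", "verificationStatus": "accepted"},
    ]
}
ORG_DOMAINS = {"example.com"}
ALLOWLIST = frozenset({"ticketing@partner.example"})  # approved third-party destination

if __name__ == "__main__":
    for d in review_forwarding(SAMPLE_RESPONSE, ORG_DOMAINS, ALLOWLIST):
        print(f"{d.action:6} {d.address:32} verified={d.verified} ({d.reason})")
```

The forwarding-address list is only one of Gmail's forwarding mechanisms: a complete review also checks the account's auto-forwarding setting and any filters whose action forwards mail, since both depend on these addresses.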
Google Workspace Security Policies (Detection Coverage)
The Google Workspace integration includes detection policies designed to identify identity threats, data exfiltration, administrative misuse, and risky configuration changes.
Identity & Account Compromise
- High number of failed authentication attempts
- Abnormal number of password resets
- User suspended from sending email
These detections help identify credential abuse, brute-force attempts, and compromised accounts.
Privilege & Administrative Changes
- High number of accounts deleted
- User granted admin privileges
- Role modified or deleted
- Privilege role deleted
- Domain API access granted
These alerts help detect unauthorized administrative actions, privilege escalation, and identity governance risks.
Email Security & Data Leakage
- Email forwarding to external domain rule changes
This detection helps identify potential data exfiltration through unauthorized email forwarding.
Cloud Storage & Data Exfiltration
- High number of files downloaded from Google Drive
- High number of files downloaded by a single account
- Suspicious OAuth app Drive activity
- Modification of privileges on Drive documents
These detections help identify large-scale data access, insider threats, and unauthorized file sharing or access changes.
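Several of the detections listed under "Identity & Account Compromise" and "Cloud Storage & Data Exfiltration" (failed authentication attempts, password resets, files downloaded by a single account) share one mechanism: count a named audit event per actor inside a sliding time window and alert when the count crosses a threshold. The block below is an added example of that general rule engine, written for this page and not BitLyft Air's detection code. It assumes events shaped like Admin SDK Reports API activity items (`id.time`, `actor.email`, `events[].name`); the rule thresholds, windows and every event are constructed sample values.

```python
"""Sliding-window threshold detections over Google Workspace audit activity.

Added example (not BitLyft Air code). Event shape is assumed to mirror Reports API
activities.list items; thresholds and sample events are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ThresholdRule:
    name: str            # detection name as it would appear in an alert
    event_name: str      # audit event name to count, e.g. "login_failure"
    threshold: int       # alert once this many events fall inside the window
    window_seconds: int  # sliding window length


# Constructed thresholds; real values are tuned per tenant.
RULES = [
    ThresholdRule("High number of failed authentication attempts", "login_failure", 5, 300),
    ThresholdRule("Abnormal number of password resets", "password_edit", 3, 3600),
    ThresholdRule("High number of files downloaded by a single account", "download", 20, 600),
]


def _parse_time(ts: str) -> datetime:
    """Parse an RFC 3339 timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def evaluate(events: list[dict], rules: list[ThresholdRule]) -> list[dict]:
    """Return one alert per (rule, actor) at the moment the threshold is first crossed.

    Events are processed in time order; each (rule, actor) keeps a deque of timestamps
    trimmed to the rule's window, so the count is exact rather than bucketed.
    """
    ordered = sorted(events, key=lambda e: _parse_time(e["id"]["time"]))
    windows: dict[tuple, deque] = defaultdict(deque)
    alerted: set[tuple] = set()
    alerts: list[dict] = []
    for item in ordered:
        actor = item["actor"]["email"]
        ts = _parse_time(item["id"]["time"])
        for ev in item["events"]:
            for rule in rules:
                if ev["name"] != rule.event_name:
                    continue
                key = (rule.name, actor)
                q = windows[key]
                q.append(ts)
                # Drop timestamps that fell out of the sliding window.
                while (ts - q[0]).total_seconds() > rule.window_seconds:
                    q.popleft()
                if len(q) >= rule.threshold and key not in alerted:
                    alerted.add(key)
                    alerts.append({"rule": rule.name, "actor": actor, "count": len(q),
                                   "first": q[0].isoformat(), "last": ts.isoformat()})
    return alerts


def make_event(time: str, actor: str, name: str) -> dict:
    """Build a constructed activity item in the assumed Reports API shape."""
    return {"id": {"time": time}, "actor": {"email": actor}, "events": [{"name": name}]}


# Constructed sample: alice has six failures in under two minutes (should alert);
# bob has three failures spread ten minutes apart (should not); carol resets twice.
SAMPLE_EVENTS = [
    make_event(f"2024-01-01T12:0{i // 3}:{(i % 3) * 20:02d}Z", "alice@example.com", "login_failure")
    for i in range(6)
] + [
    make_event("2024-01-01T12:00:00Z", "bob@example.com", "login_failure"),
    make_event("2024-01-01T12:10:00Z", "bob@example.com", "login_failure"),
    make_event("2024-01-01T12:20:00Z", "bob@example.com", "login_failure"),
    make_event("2024-01-01T12:05:00Z", "carol@example.com", "password_edit"),
    make_event("2024-01-01T12:06:00Z", "carol@example.com", "password_edit"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, RULES):
        print(alert)
```

Alerting once per (rule, actor) at the first crossing keeps a sustained brute-force burst from producing one alert per additional event; a production version would add a cool-down so the same actor can re-alert after the window clears.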
Tenant & Application Changes
- New shared Drive created
- Application removed
These detections provide visibility into structural or application-level changes that could impact data access or security posture.
Automated Security Playbooks
Google Compromised User Account
Purpose:
Mitigates the impact of suspected account compromise by automating key containment actions.
Key Actions:
- Log out user sessions
- Reset user password
Usefulness:
- Immediately cuts off unauthorized access
- Secures compromised credentials
- Reduces response time during identity incidents
Google Phishing Email Containment and Remediation
Purpose:
Detects, contains, and remediates phishing threats within Google Workspace.
Key Actions:
- Quarantine emails by subject or sender
- Identify forwarding rules
- Remove malicious forwarding configurations
- Log out affected users
- Reset compromised passwords
Usefulness:
- Rapidly contains phishing campaigns
- Prevents further user interaction with malicious emails
- Restores compromised accounts to a secure state