
Quick Start Security for Google Workspace


Coralogix Extension For Google Workspace Includes:

Dashboards - 1

Gain instantaneous visualization of all your Google Workspace data.

Google Workspace Metrics Dashboard

Alerts - 28

Stay on top of key Google Workspace metrics. Keep everyone informed through integrations with Slack, PagerDuty and more.

API Access Granted via Domain-wide Delegation of Authority

Detects when domain-wide delegation of authority is granted to a service account.
Impact: Domain-wide delegation can be configured to grant third-party and internal applications access to the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target's data.
Mitigation: Validate that the action was made by an authorized user and investigate further if not, including any action taken by the privileged service account.
MITRE Tactic: TA0003. MITRE Technique: T1098.

Application Added to Workspace Domain

Detects when a Google Marketplace application is added to the Google Workspace domain.
Impact: An adversary may add a malicious application to an organization's Google Workspace domain in order to maintain a presence in the target organization and steal data.
Mitigation: Review the added application and validate that it was added by an authorized user. If not, investigate and revert the change if needed.
MITRE Tactic: TA0002. MITRE Technique: T1072.

More Than 5 Failed Login Attempts in 10 Minutes for Same User

Detects when there are more than 5 failed login attempts in 10 minutes for the same user.
Impact: Many failed login attempts in a short time frame might indicate a brute-force attack against the relevant account.
Mitigation: Investigate the failed login attempts and verify with the user that they were the one trying to log in. If not, investigate the source of the login attempts further to determine a possible compromise.
MITRE Tactic: TA0006. MITRE Technique: T1110.

Domain Added to Google Workspace Trusted Domains

Detects when a domain is added to the list of trusted Google Workspace domains.
Impact: An adversary may add a trusted domain in order to collect and exfiltrate data from the target organization under less restrictive security controls.
Mitigation: Inspect the added domain and verify that it is a legitimate domain added by a legitimate user. It is advised to verify with that user that the action was performed by them and was intended.
MITRE Tactic: TA0004. MITRE Technique: T1484. MITRE Sub-technique: 002.

Role modified

Detects when a custom admin role or its permissions are modified.
Impact: An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in the target environment. Any modification of admin permissions should be reviewed and validated as an authorized action. Privilege escalation of an already compromised user, or removal of permissions from an existing admin, are known attacker tactics.
Mitigation: Review the changed permissions (added/removed) and validate with the admin that the actions were authorized. Investigate further if not.
MITRE Tactic: TA0003. MITRE Technique: T1098.

New User Created

Detects when a user is created. This alert should be fine-tuned according to your organizational policy.
Impact: Creation of a user is usually a legitimate operation, but adversaries also create their own accounts for persistence and evasion. User creation actions should therefore be monitored and validated as legitimate.
Mitigation: Validate with the user who created the account that the action was legitimate; revert it and investigate the user's actions further if not.
MITRE Tactic: TA0003. MITRE Technique: T1098.

User Deleted

Detects when a user is deleted. This alert should be fine-tuned according to your organizational policy.
Impact: User deletion should be verified as legitimate in order to catch accidental deletion or malicious intent by an adversary.
Mitigation: Verify with the user who initiated the deletion that it was intentional and legitimate; revert it and investigate further if not.
MITRE Tactic: TA0040. MITRE Technique: T1531.

10 or More Files Deleted in 5 minutes by the Same User

Detects when an abnormal number of files is deleted by a single user (10 or more in 5 minutes). This alert should be fine-tuned to your organizational needs and policy.
Impact: Multiple file deletions by one user should be inspected, as they could be an adversary or insider covering their tracks or deleting important information to harm the organization.
Mitigation: Investigate which files, and how many, were deleted and decide whether the actions look suspicious. If the user was recently dismissed, this can also indicate an insider destroying important information before leaving. If the deletions were not allowed, block the user, revert the changes if possible and investigate further.
MITRE Tactic: TA0040. MITRE Technique: T1485.

MFA was Disabled For a User

Detects when a Google Workspace MFA policy is disabled for a user.
Impact: An adversary may disable MFA enforcement in order to weaken an organization's security controls.
Mitigation: Investigate the policy change and the user who disabled the service, and determine whether the action was authorized. If not, re-enable MFA and review all actions performed by the user while MFA was off for malicious activity.
MITRE Tactic: TA0003. MITRE Technique: T1556.

Upload of a PEM certificate to Google Drive detected

This alert detects when a PEM (certificate) file is uploaded to Google Drive.
Impact: An uploaded certificate could be legitimate but is not a best practice, or it could be an adversary uploading their own certificates before malicious use.
Mitigation: Verify why the certificate was uploaded and whether it needs to be stored in the cloud at all. Investigate actions around the upload (such as making it public) and the user who uploaded it to rule out any malicious activity.
MITRE Tactic: TA0042. MITRE Technique: T1587. MITRE Sub-technique: 003.

Exposure of Previously Private PEM Certificate

This alert detects when a PEM (certificate) file is made public on Google Drive.
Impact: Certificates are used for secure communication inside a Google Workspace domain. Exposed certificates can allow an attacker to connect to resources while posing as a legitimate user or legitimate traffic.
Mitigation: Verify why the certificate was made public and whether the action was legitimate. If it was not, revert the change and investigate further. It is advisable to replace a certificate that was exposed for a long period of time.
MITRE Tactic: TA0042. MITRE Technique: T1588. MITRE Sub-technique: 004.

MFA Enforcement Disabled

Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users.
Impact: An adversary may disable MFA enforcement in order to weaken an organization's security controls.
Mitigation: Re-enable MFA, investigate the user who disabled the service, and review all actions performed by users while MFA was off for malicious activity.
MITRE Tactic: TA0004. MITRE Technique: T1078.

MFA Disabled for Google Workspace Organization

Detects when a Google Workspace MFA policy is disabled for the whole organization.
Impact: An adversary may attempt to modify the organization's MFA policy in order to infiltrate the organization with existing credentials while circumventing the need to authenticate with MFA.
Mitigation: Immediately re-enable the MFA policy and inspect the user who performed the action and their past activity. If the action was not approved, further inspect all user logins and activities during the period MFA was disabled.
MITRE Tactic: TA0004. MITRE Technique: T1078.

Password policy modified

Detects when a Google Workspace password policy is modified.
Impact: An adversary may attempt to modify a password policy in order to weaken an organization's security controls.
Mitigation: Investigate the change and validate that the user and the actions they performed were authorized. Revert and investigate further if not.
MITRE Tactic: TA0004. MITRE Technique: T1484.

Multiple users originated from a single IP address

This alert detects login attempts to different accounts originating from a single IP address within 1-2 hours. This might indicate a shared user account being used by different users in your organization. This alert should be fine-tuned according to your organizational policy and specific locations (it is suited to remote workers, not office locations).
Impact: A shared account is not a security best practice: it is hard to audit who is using it, and credentials shared between multiple users are more susceptible to loss and to being obtained by adversaries.
Mitigation: According to your company policy, consider closing the shared account or monitoring its actions more closely for any malicious behaviour.
MITRE Tactic: TA0001. MITRE Technique: T1078.

User Login From Multiple Geo Locations

This alert detects successful logins from multiple geo locations within 4 hours. This alert should be fine-tuned according to your organizational policy, specific locations and timeframe.
Impact: Multiple concurrent connections should be investigated, as under normal network operations a user should not be able to connect from two places in the world at once. This could indicate a compromised account being used to connect from different geo locations. It might also indicate a shared user account being used across the organization.
Mitigation: Inspect the user and the locations of the different login attempts, and validate with the user whether they are actually connecting in parallel. Advanced users might use VPNs or connect to their account from cloud machines, so this needs to be considered while investigating. If the user is not familiar with the second connection, investigate further, as it might indicate malicious activity.
MITRE Tactic: TA0001. MITRE Technique: T1078.

No Logs in Last 24 Hrs

This rule detects when no Google Workspace logs have arrived in the customer account in the last 24 hours. Note: this alert should be deployed in the relevant application and subsystem.
Impact: Disabling logging is a tactic adversaries might employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.
Mitigation: Address logging concerns to ensure comprehensive monitoring within the Coralogix SIEM system.
MITRE Tactic: TA0005. MITRE Technique: T1562.

Account Warning Alert

This alert triggers when the Google Alert Center raises a warning about a particular account and takes an action such as blocking a login or suspending the account. The alert contains the event type "Account warning" and one of the following actions:
- Leaked password
- Risky, sensitive action allowed
- Risky, sensitive action blocked
- Suspicious login blocked
- Suspicious login from less secure app blocked
- Suspicious programmatic login blocked
- User suspended
- User suspended (spam through relay)
- User suspended (spam)
- User suspended (suspicious activity)
The field user.target.name contains the user impacted by the action.
Impact: These activities indicate that the impacted user might be compromised and that an attacker is using the account for malicious activities.
Mitigation: This alert should be escalated to the Workspace admin, who will take the required action.
MITRE Tactic: TA0006. MITRE Technique: T1003.

Alert Center Govt Backed Attack Warning

This alert triggers when the Google Alert Center raises an alert for a government-backed attack.
Impact: The user might have been targeted by a government-backed attack.
Mitigation: Confirm the origin of the attack and make sure the user has 2FA enabled.
MITRE Tactic: TA0006. MITRE Technique: T1003.

Suspicious Activity Detected on Device

A "Suspicious Activity" alert for a device in Google Workspace typically indicates that unusual or potentially concerning behavior has been detected on a specific device associated with a user's account within the Workspace environment.
Impact: This alert is an indicator of device compromise; an attacker could use the device to gain access to the organization's data.
Mitigation: Action should be taken to secure the account or device, such as revoking the device's access, changing passwords, or performing a security check on the device.
MITRE Tactic: TA0001. MITRE Technique: T1566.

Delegated Admin Role Updated

Detects when a delegated admin role is created, assigned or unassigned by a Google Workspace Super Admin.
Impact: Each action associated with a delegated admin is significant, as it grants users additional capabilities and access within the system.
Mitigation: Validate with the admin who initiated the action that it was legitimate; revert it and investigate further if not.
MITRE Tactic: TA0040. MITRE Technique: T1531.

Important User Changes Detected

This alert detects important changes to user accounts. It triggers for the operations listed in the query.
Impact: Changes to a user account made by an unauthorised user may indicate account compromise.
Mitigation: These activities should be validated internally and investigated further if unauthorised actions were performed.

File Visibility Changed to External

This rule detects when the visibility of an internal file is changed to external.
Impact: A user with malicious intent might be sharing sensitive data externally.
Mitigation: Examine whether the file actually required public sharing.
MITRE Tactic: TA0009. MITRE Technique: T1213.

Multiple Email downloads in 30 Mins

This alert detects multiple downloads of .eml and .msg files (emails) by a specific user in a specific timeframe (15 emails in 30 minutes).
Impact: Multiple email downloads may indicate a rogue employee stealing company data, or an employee unknowingly breaching company policy.
Mitigation: Inspect the downloaded files and check with the user and their manager whether this action was authorized. Investigate further if not.
MITRE Tactic: TA0009. MITRE Technique: T1114.

Building Block - Successful User Login

This alert triggers whenever there is a successful login to Google Workspace from a user.

(Bruteforce) Login Failures From Different IPs for Same User

Detects when there are login failures for a single user from multiple IP addresses in a short span of time.
Impact: Many failed login attempts in a short time frame might indicate a brute-force attack against the relevant account.
Mitigation: Investigate the failed login attempts and verify with the user that they were the one trying to log in. If not, investigate the source of the login attempts further to determine a possible compromise.
MITRE Tactic: TA0006. MITRE Technique: T1110.

(Password Spray) Login Failures For Different Users From Single IP

Detects when there are login failures for multiple users from the same IP address in a short span of time.
Impact: Many failed login attempts in a short time frame might indicate a brute-force attack against the relevant accounts.
Mitigation: Investigate the failed login attempts and verify with the users that they were the ones trying to log in. If not, investigate the source of the login attempts further to determine a possible compromise.
MITRE Tactic: TA0006. MITRE Technique: T1110.

Flow Alert - Successful Bruteforce Attack Detected

This alert detects a successful login after multiple failed login attempts for a user.
Impact: A successful login after multiple failures may indicate a successful brute-force attack.
Mitigation: The login activity should be validated with the user concerned.
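The threshold rules above (more than 5 failures in 10 minutes for one user, failures for many users from one IP, and the successful-login-after-failures flow alert) all reduce to one sliding-window counter over login events, shown here as an added example rather than Coralogix's or Google's code. The event tuples are constructed and simplified; the 5-in-10-minutes figures come from the alert descriptions, while the two-user spray threshold is an assumption since the page gives none, and the same helper keyed by user and counting distinct IPs gives the "from different IPs for the same user" rule.

```python
from collections import defaultdict, deque

# Constructed, simplified login audit events (not real Google Workspace output):
# (timestamp_seconds, user, source_ip, event_name); the event names follow the
# login_failure / login_success names of the Reports API login activity.
ALICE, BOB, CAROL, DAVE = (f"{n}@example.com" for n in ("alice", "bob", "carol", "dave"))
EVENTS = (
    [(t, ALICE, "203.0.113.5", "login_failure") for t in range(0, 360, 60)]  # 6 failures
    + [(330, ALICE, "203.0.113.5", "login_success"),   # success right after them
       (400, BOB, "198.51.100.7", "login_failure"),    # three different users
       (410, CAROL, "198.51.100.7", "login_failure"),  # failing from one IP
       (420, DAVE, "198.51.100.7", "login_failure"),
       (2000, BOB, "198.51.100.9", "login_failure")]   # too old to join any window
)

def sliding_hits(events, event_name, key, distinct, threshold, window):
    """Keys with more than `threshold` distinct values inside some `window`-second span."""
    recent, hits = defaultdict(deque), set()
    for i, (ts, user, ip, name) in enumerate(events):   # events must be time-sorted
        if name != event_name:
            continue
        q = recent[key(user, ip)]
        q.append((ts, distinct(i, user, ip)))
        while ts - q[0][0] >= window:   # drop events that fell out of the window
            q.popleft()
        if len({v for _, v in q}) > threshold:
            hits.add(key(user, ip))
    return hits

def brute_force_users(events, threshold=5, window=600):
    """More than 5 failed logins in 10 minutes for the same user (each failure counts)."""
    return sliding_hits(events, "login_failure", lambda u, ip: u, lambda i, u, ip: i, threshold, window)

def spraying_ips(events, threshold=2, window=600):
    """Failures for more than `threshold` distinct users from a single IP."""
    return sliding_hits(events, "login_failure", lambda u, ip: ip, lambda i, u, ip: u, threshold, window)

def brute_force_then_success(events, threshold=5, window=600):
    """Flow alert: a login_success for a user who already tripped the failure rule."""
    failures, alerts = defaultdict(deque), set()
    for ts, user, ip, name in events:
        q = failures[user]
        while q and ts - q[0] >= window:
            q.popleft()
        if name == "login_failure":
            q.append(ts)
        elif name == "login_success" and len(q) > threshold:
            alerts.add((user, ts))
    return alerts
```

Note that the window is evaluated at every event rather than in fixed buckets, so a burst straddling a 10-minute boundary is still caught.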

Integration

Learn more about Coralogix's out-of-the-box integration with Google Workspace in our documentation.
