Gmail - Suite

Gmail - Suite of productivity tools for email and collaboration.

Provider: Gmail - Suite

Detection Rules

Detection Rule: Unauthorized Project Creation
  MITRE Tactic: Initial Access, Persistence
  MITRE Technique: T1078 - Valid Accounts
  Criticality: Medium
  Investigation Actions (APIs): Use Admin SDK API to check user login history, including times, IPs, and devices.
  Incident Creation Criteria:
    - Multiple failed logins from unusual IPs or geolocations.
    - Successful logins from unfamiliar or risky regions.

Detection Rule: Suspicious Email Forwarding Rules
  MITRE Tactic: Defense Evasion
  MITRE Technique: T1114 - Email Collection
  Criticality: High
  Investigation Actions (APIs): Use Gmail API to retrieve all email forwarding and filter rules. Validate rule changes.
  Incident Creation Criteria:
    - New forwarding rule created for external domains.
    - Forwarding of sensitive or large email volumes to unknown addresses.

Detection Rule: Mass Emailing Patterns
  MITRE Tactic: Exfiltration
  MITRE Technique: T1071.003 - Application Layer Protocol
  Criticality: Medium
  Investigation Actions (APIs): Use Gmail API to inspect email sending history (volume, recipients, etc.).
  Incident Creation Criteria:
    - Unusually high email volumes sent in a short time.
    - Emails sent to a large number of external domains.

Detection Rule: Sensitive Document Sharing via Gmail
  MITRE Tactic: Exfiltration, Credential Access
  MITRE Technique: T1530 - Data from Cloud Storage
  Criticality: High
  Investigation Actions (APIs): Use Drive API to check file-sharing permissions. Review external access history of sensitive documents.
  Incident Creation Criteria:
    - Sensitive documents shared with external users or public access.
    - Repeated access or downloads of sensitive data by unauthorized users.

Detection Rule: Email Phishing Detection
  MITRE Tactic: Initial Access
  MITRE Technique: T1566.001 - Spearphishing Attachment
  Criticality: High
  Investigation Actions (APIs): Use Gmail API to review recent email contents and headers. Analyze sender reputation.
  Incident Creation Criteria:
    - Emails with suspicious attachments sent to multiple internal users.
    - Malicious links or abnormal file attachments in emails.

Detection Rule: Unusual OAuth App Permissions
  MITRE Tactic: Persistence, Credential Access
  MITRE Technique: T1078.003 - Web Session Cookie
  Criticality: Medium
  Investigation Actions (APIs): Use OAuth Token Inspector API to review third-party app permissions. Identify new apps with excessive access.
  Incident Creation Criteria:
    - OAuth apps with high-level permissions recently added.
    - Unknown OAuth apps requesting full Gmail or Drive access.

Detection Rule: Unapproved File Sharing Platform
  MITRE Tactic: Exfiltration
  MITRE Technique: T1071.002 - File Transfer Protocol
  Criticality: Medium
  Investigation Actions (APIs): Use Drive API and Gmail API to detect external cloud file-sharing or email attachments.
  Incident Creation Criteria:
    - Sharing via third-party platforms outside Google Workspace.
    - High-volume transfers to untrusted domains or platforms.

APIs and Their Scopes

Detection Rule: Unusual Login Patterns
  Required API: Admin SDK API (Reports API)
  API Scopes: https://www.googleapis.com/auth/admin.reports.audit.readonly

Detection Rule: Suspicious Email Forwarding Rules
  Required API: Gmail API
  API Scopes:
    - https://www.googleapis.com/auth/gmail.settings.basic
    - https://www.googleapis.com/auth/gmail.readonly

Detection Rule: Mass Emailing Patterns
  Required API: Gmail API
  API Scopes: https://www.googleapis.com/auth/gmail.readonly

Detection Rule: Sensitive Document Sharing via Gmail
  Required API: Drive API
  API Scopes:
    - https://www.googleapis.com/auth/drive.metadata.readonly
    - https://www.googleapis.com/auth/drive.readonly

Detection Rule: Email Phishing Detection
  Required API: Gmail API
  API Scopes: https://www.googleapis.com/auth/gmail.readonly

Detection Rule: Unusual OAuth App Permissions
  Required API: OAuth Token Inspector API
  API Scopes: https://www.googleapis.com/auth/admin.directory.user.security

Detection Rule: Unapproved File Sharing Platform
  Required API: Drive API, Gmail API
  API Scopes:
    - https://www.googleapis.com/auth/drive.readonly
    - https://www.googleapis.com/auth/gmail.readonly
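As an added example (not part of this page, and not Google's code), the detection logic behind the "Suspicious Email Forwarding Rules" rule, run over responses of the shape the Gmail API returns for filters, forwarding addresses and auto-forwarding under the scopes listed above for that rule. INTERNAL_DOMAINS and the sample responses are assumptions constructed for the example.

```python
"""Flag Gmail filters and settings that forward mail to an external domain,
the "Suspicious Email Forwarding Rules" criterion. Inputs mirror the JSON
returned by users.settings.filters.list, users.settings.forwardingAddresses.list
and users.settings.getAutoForwarding; the samples at the bottom are constructed."""

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organization's own domains

def is_external(address: str) -> bool:
    """True when the address's domain is not one of the organization's."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def find_external_forwarding(filters: dict, fwd_addresses: dict, auto_fwd: dict) -> list:
    """Return one finding per setting that sends mail outside the organization."""
    findings = []
    # Mailbox-wide auto-forwarding (Settings > Forwarding and POP/IMAP).
    auto_target = auto_fwd.get("emailAddress", "")
    if auto_fwd.get("enabled") and auto_target and is_external(auto_target):
        findings.append({"kind": "auto_forwarding", "target": auto_target, "disposition": auto_fwd.get("disposition")})
    # Only "accepted" forwarding addresses deliver; a pending one still records an attempt.
    status = {a["forwardingEmail"].lower(): a.get("verificationStatus", "unknown")
              for a in fwd_addresses.get("forwardingAddresses", [])}
    for flt in filters.get("filter", []):
        action = flt.get("action", {})
        target = action.get("forward")
        if not target or not is_external(target):
            continue
        # A forward that also drops the copy from INBOX (or trashes it) hides the forwarding from the owner.
        hidden = ("INBOX" in action.get("removeLabelIds", [])
                  or "TRASH" in action.get("addLabelIds", []))
        findings.append({"kind": "filter_forward", "filter_id": flt.get("id"),
                         "target": target, "criteria": flt.get("criteria", {}),
                         "verification": status.get(target.lower(), "not_registered"),
                         "hidden_from_owner": hidden})
    return findings

# Constructed sample responses: Gmail API shape, made-up values.
SAMPLE_FILTERS = {"filter": [
    {"id": "filter-001", "criteria": {"from": "finance@example.com"},
     "action": {"forward": "archive@personal-mail-example.net", "removeLabelIds": ["INBOX"]}},
    {"id": "filter-002", "criteria": {"to": "helpdesk@example.com"},
     "action": {"forward": "ticketing@example.com"}},  # internal target, not flagged
    {"id": "filter-003", "criteria": {"subject": "newsletter"}, "action": {"addLabelIds": ["TRASH"]}},
]}
SAMPLE_FWD_ADDRESSES = {"forwardingAddresses": [
    {"forwardingEmail": "archive@personal-mail-example.net", "verificationStatus": "accepted"}]}
SAMPLE_AUTO_FWD = {"enabled": False}

if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_FILTERS, SAMPLE_FWD_ADDRESSES, SAMPLE_AUTO_FWD):
        print(finding)
```

On the sample data only filter-001 is reported: an accepted external target whose filter also removes the message from INBOX, which is the hidden-forward pattern the incident criteria describe.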

Reports and Widgets for CISO

Report Name: Suspicious Login Activity Report
  Description: Provides visibility into potentially compromised accounts by highlighting unusual login patterns, locations, and timing.
  Widgets:
    - Geo-location Map: Visualize login attempts by geolocation.
    - Failed vs. Successful Logins Chart: Graph of failed and successful login attempts.
    - Login Time Distribution: Bar chart showing login activity over time.
    - Risky IP Addresses List: Tabular display of login attempts from unrecognized or flagged IPs.

Report Name: Email Forwarding and Filters Report
  Description: Helps detect possible data exfiltration via unauthorized email forwarding and filter rule changes.
  Widgets:
    - Top External Domains (Forwarding): Pie chart showing the most forwarded-to external domains.
    - New Email Forwarding Rules: List of new forwarding rules configured over the reporting period.
    - Email Filter Changes: Summary of recent email filter modifications.
    - Forwarded Email Volume: Bar graph showing the volume of emails forwarded by users.

Report Name: Mass Emailing and Phishing Report
  Description: Focuses on email anomalies like mass emails, potential phishing, and external email distribution that could indicate an attack.
  Widgets:
    - Email Volume Trend: Line graph showing email volume per user.
    - External Recipients (High Volume): List of external recipients who received large volumes of emails.
    - Potential Phishing Attempts: Table with flagged phishing attempts and associated users.
    - Top Senders: A widget showing the users sending the most emails.
    - Email Attachments Scan Summary: Percentage breakdown of email attachments that could be malware.

Report Name: Sensitive Document Sharing Report
  Description: Monitors the sharing of sensitive information via Gmail and Google Drive, highlighting potential risks related to data leakage.
  Widgets:
    - Sensitive Files Shared Externally: List of sensitive Google Drive files shared outside the organization.
    - Top Data Recipients: List of external users or domains receiving sensitive files.
    - File Access Trends: Line graph showing trends in file access (internal vs. external).
    - Recent Permission Changes: Table showing recent changes to file permissions on sensitive documents.

Report Name: Third-Party OAuth Apps Report
  Description: Identifies third-party applications accessing Gmail and Google Drive and flags apps that may pose security risks.
  Widgets:
    - New OAuth Apps Approved: List of newly approved OAuth apps.
    - OAuth Apps with High Permissions: Table listing third-party apps with elevated access (e.g., full mailbox or Drive access).
    - OAuth App Usage Trends: Line graph of OAuth app usage (authorized sessions over time).
    - OAuth Access Risk Levels: Categorization of OAuth apps by risk level (low, medium, high).

Report Name: Email Rule and Filter Changes Report
  Description: Tracks changes to email rules, which can indicate an insider threat or unauthorized access by malicious actors altering email settings.
  Widgets:
    - New Rule Changes: List of recently created or modified email filtering rules.
    - Top Users with Rule Changes: A ranking of users who frequently modify email rules.
    - Forwarding Rules to External Domains: Tabular list of forwarding rules directing emails to external addresses.
    - Rule Modification Trends: Line graph showing trends in email rule modifications over time.