Google Meet/Chat

Google Meet / Chat - Secure video meetings and team messaging as part of Google Workspace.

Provider: Google Meet/Chat

Detection Rules

Each rule lists its MITRE ATT&CK tactic and technique, its criticality, the API calls used to investigate, and the condition that creates an incident.

Unusual Meeting Patterns
  MITRE Tactic: Initial Access
  MITRE Technique: T1078 - Valid Accounts
  Criticality: High
  Investigation Actions (APIs): Use the Google Meet API to retrieve meeting details and participant lists.
  Incident Creation Criteria: Trigger if a meeting is scheduled outside business hours and has external participants.

Excessive Meeting Creation
  MITRE Tactic: Persistence
  MITRE Technique: T1098 - Account Manipulation
  Criticality: Medium
  Investigation Actions (APIs): Retrieve the user's activity logs via the Admin SDK Reports API.
  Incident Creation Criteria: Trigger if a single user creates more than 10 meetings in a short period.

Large Meeting with External Participants
  MITRE Tactic: Collection
  MITRE Technique: T1114 - Email Collection
  Criticality: High
  Investigation Actions (APIs): Retrieve participant lists via the Google Meet API.
  Incident Creation Criteria: Trigger if the number of external participants exceeds a predefined threshold (e.g., 10).

File Sharing to External Domains (Chat)
  MITRE Tactic: Exfiltration
  MITRE Technique: T1567 - Exfiltration Over Web Service
  Criticality: Critical
  Investigation Actions (APIs): Use the Google Chat API to trace file sharing events.
  Incident Creation Criteria: Trigger if sensitive files are shared with external domains.

Creation of High-Volume Private Chats
  MITRE Tactic: Command and Control
  MITRE Technique: T1071 - Application Layer Protocol
  Criticality: Medium
  Investigation Actions (APIs): Use the Google Chat API to retrieve chat room creation logs and message history.
  Incident Creation Criteria: Trigger if a user creates more than 20 private chats in a day.

Keyword Detection in Chat
  MITRE Tactic: Collection
  MITRE Technique: T1213 - Data from Information Repositories
  Criticality: High
  Investigation Actions (APIs): Retrieve message logs and perform a keyword search (e.g., "password", "confidential").
  Incident Creation Criteria: Trigger on keywords related to sensitive information (e.g., "password", "SSN").

External File Shares (Meet/Chat)
  MITRE Tactic: Exfiltration
  MITRE Technique: T1567 - Exfiltration Over Web Service
  Criticality: Critical
  Investigation Actions (APIs): Use the Google Meet API and Google Chat API to analyze file sharing details.
  Incident Creation Criteria: Trigger if files are shared with external domains during or after a meeting.

Extended Meeting Duration
  MITRE Tactic: Persistence
  MITRE Technique: T1078 - Valid Accounts
  Criticality: Low
  Investigation Actions (APIs): Use the Google Meet API to track meeting duration and anomalies.
  Incident Creation Criteria: Trigger if meeting duration exceeds the organization's baseline, especially for after-hours meetings.

Suspicious High-Volume Meeting Participation
  MITRE Tactic: Reconnaissance
  MITRE Technique: T1598 - Phishing for Information
  Criticality: High
  Investigation Actions (APIs): Retrieve participant details and meeting logs from the Google Meet API.
  Incident Creation Criteria: Trigger if a user joins an unusual number of meetings with external participants within a short time frame.

New Chat Room with External Participants
  MITRE Tactic: Command and Control
  MITRE Technique: T1071 - Application Layer Protocol
  Criticality: Medium
  Investigation Actions (APIs): Use the Google Chat API to analyze newly created rooms and their external participants.
  Incident Creation Criteria: Trigger if a chat room is created with participants from outside the organization.
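The Meet rules that the scopes table backs with the Admin SDK Reports audit log (Unusual Meeting Patterns, Excessive Meeting Creation, Large Meeting with External Participants, Extended Meeting Duration) share one evaluation loop. The following is an added example, not code from this page or from Google: it builds items in the shape of the Meet audit log's call_ended event (parameters meeting_code, organizer_email, identifier, is_external, duration_seconds, start_timestamp_seconds carried as value / intValue / boolValue), collapses participant legs into meetings, and applies each rule's criterion. The sample items, the org domain example.com, the 08:00-18:00 UTC business window, the one-hour reading of "short period" and the 2x-median duration baseline are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

ORG_DOMAIN = "example.com"   # assumed tenant domain
BUSINESS_HOURS = (8, 18)     # assumed: 08:00-18:00, evaluated in UTC
CREATION_THRESHOLD = 10      # rule text: more than 10 meetings in a short period
CREATION_WINDOW_S = 3600     # assumed reading of "short period": one hour
EXTERNAL_THRESHOLD = 10      # rule text: predefined threshold (e.g., 10)
DURATION_FACTOR = 2.0        # assumed: flag meetings longer than 2x the median duration

def reports_item(code, organizer, participant, start_utc, duration_s):
    """One activities.list item shaped like the Meet audit log's call_ended event
    (parameters carry value / intValue / boolValue). Constructed sample data."""
    return {"id": {"time": start_utc.isoformat(), "applicationName": "meet"},
            "actor": {"email": participant},
            "events": [{"type": "call", "name": "call_ended", "parameters": [
                {"name": "meeting_code", "value": code},
                {"name": "organizer_email", "value": organizer},
                {"name": "identifier", "value": participant},
                {"name": "is_external", "boolValue": not participant.endswith("@" + ORG_DOMAIN)},
                {"name": "duration_seconds", "intValue": str(duration_s)},
                {"name": "start_timestamp_seconds", "intValue": str(int(start_utc.timestamp()))}]}]}

def group_meetings(items):
    """Flatten call_ended parameters and collapse participant legs into one record per meeting_code."""
    meetings = {}
    for item in items:
        for ev in item.get("events", []):
            if ev.get("name") != "call_ended":
                continue
            p = {q["name"]: q.get("value", q.get("intValue", q.get("boolValue"))) for q in ev["parameters"]}
            start = datetime.fromtimestamp(int(p["start_timestamp_seconds"]), tz=timezone.utc)
            m = meetings.setdefault(p["meeting_code"], {
                "code": p["meeting_code"], "organizer": p.get("organizer_email", ""),
                "start": start, "duration": 0, "participants": set(), "externals": set()})
            m["start"] = min(m["start"], start)
            m["duration"] = max(m["duration"], int(p.get("duration_seconds", 0)))  # longest leg
            m["participants"].add(p.get("identifier", ""))
            if p.get("is_external"):
                m["externals"].add(p.get("identifier", ""))
    return list(meetings.values())

def after_hours(ts):
    return not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])

def unusual_meeting_patterns(meetings):
    """Outside business hours AND at least one external participant."""
    return sorted(m["code"] for m in meetings if after_hours(m["start"]) and m["externals"])

def excessive_meeting_creation(meetings):
    """More than CREATION_THRESHOLD meetings by one organizer inside any sliding window
    of CREATION_WINDOW_S seconds (two-pointer scan over sorted start times)."""
    starts = defaultdict(list)
    for m in meetings:
        starts[m["organizer"]].append(m["start"].timestamp())
    flagged = []
    for organizer, ts in starts.items():
        ts.sort()
        lo = 0
        for hi in range(len(ts)):
            while ts[hi] - ts[lo] > CREATION_WINDOW_S:
                lo += 1
            if hi - lo + 1 > CREATION_THRESHOLD:
                flagged.append(organizer)
                break
    return sorted(flagged)

def large_external_meetings(meetings):
    return sorted(m["code"] for m in meetings if len(m["externals"]) > EXTERNAL_THRESHOLD)

def extended_meeting_duration(meetings):
    """Baseline = median duration in the window; returns (code, seconds, after_hours) so the
    rule's after-hours qualifier can raise criticality downstream."""
    baseline = median(m["duration"] for m in meetings)
    return [(m["code"], m["duration"], after_hours(m["start"]))
            for m in meetings if m["duration"] > DURATION_FACTOR * baseline]

def _t(day, hour, minute=0):
    return datetime(2024, 5, day, hour, minute, tzinfo=timezone.utc)

# Constructed sample: an after-hours call with an outside guest, a normal internal call,
# a mid-day call with 12 external guests, and one organizer starting 11 calls in 50 minutes.
SAMPLE_ITEMS = (
    [reports_item("aaa-bbbb-ccc", "alice@example.com", "bob@partner.io", _t(1, 22, 15), 7200),
     reports_item("aaa-bbbb-ccc", "alice@example.com", "alice@example.com", _t(1, 22, 15), 7200),
     reports_item("ddd-eeee-fff", "alice@example.com", "carol@example.com", _t(2, 10), 1800)]
    + [reports_item("ggg-hhhh-iii", "dave@example.com", f"guest{i}@vendor.net", _t(2, 11), 1800) for i in range(12)]
    + [reports_item(f"m{i:02d}-xxxx-yyy", "mallory@example.com", "mallory@example.com", _t(2, 9, 5 * i), 300) for i in range(11)]
)

def evaluate(items=SAMPLE_ITEMS):
    """Run the four Meet rules over a list of activities.list items."""
    meetings = group_meetings(items)
    return {"unusual_meeting_patterns": unusual_meeting_patterns(meetings),
            "excessive_meeting_creation": excessive_meeting_creation(meetings),
            "large_external_meetings": large_external_meetings(meetings),
            "extended_meeting_duration": extended_meeting_duration(meetings)}

if __name__ == "__main__":
    for rule, result in evaluate().items():
        print(rule, result)
```

To run it against a tenant, replace SAMPLE_ITEMS with the items returned by the Admin SDK Reports client's activities().list(userKey='all', applicationName='meet'), following nextPageToken across pages, and convert start times to the organization's time zone before the business-hours check, since the sample evaluates in UTC.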

APIs and Their Scopes

Each rule lists the API it calls and the OAuth scope the credential needs.

Unusual Meeting Patterns
  Required API: Google Meet API, Admin SDK (Reports)
  Scope: https://www.googleapis.com/auth/admin.reports.audit.readonly

Excessive Meeting Creation
  Required API: Admin SDK (Reports)
  Scope: https://www.googleapis.com/auth/admin.reports.audit.readonly

Large Meeting with External Participants
  Required API: Google Meet API, Admin SDK (Reports)
  Scope: https://www.googleapis.com/auth/admin.reports.audit.readonly

File Sharing to External Domains (Chat)
  Required API: Google Chat API
  Scope: https://www.googleapis.com/auth/chat.messages.readonly

Creation of High-Volume Private Chats
  Required API: Google Chat API
  Scope: https://www.googleapis.com/auth/chat.spaces

Keyword Detection in Chat
  Required API: Google Chat API
  Scope: https://www.googleapis.com/auth/chat.messages.readonly

External File Shares (Meet/Chat)
  Required API: Google Meet API, Google Chat API
  Scopes: https://www.googleapis.com/auth/admin.reports.audit.readonly (Meet, via the audit log); https://www.googleapis.com/auth/chat.messages.readonly (Chat)

Extended Meeting Duration
  Required API: Google Meet API, Admin SDK (Reports)
  Scope: https://www.googleapis.com/auth/admin.reports.audit.readonly

Suspicious High-Volume Meeting Participation
  Required API: Google Meet API, Admin SDK (Reports)
  Scope: https://www.googleapis.com/auth/admin.reports.audit.readonly

New Chat Room with External Participants
  Required API: Google Chat API
  Scope: https://www.googleapis.com/auth/chat.spaces
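The Chat-backed rules (File Sharing to External Domains, Creation of High-Volume Private Chats, Keyword Detection in Chat, New Chat Room with External Participants) can be evaluated over the responses of spaces.list, spaces.members.list and spaces.messages.list. The block below is an added example, not code from this page or from Google. It relies on the Chat API's resource shapes (space.spaceType and createTime, membership.member.domainId, message.text and message.attachment[].contentName); the sample responses, the org domainId value, the word-boundary keyword patterns and the SSN number pattern are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

ORG_DOMAIN_ID = "C01abcdef"    # assumed: the tenant's Workspace domainId as the Chat API reports it
PRIVATE_CHATS_PER_DAY = 20     # rule text: more than 20 private chats in a day

# Rule "Keyword Detection in Chat". The page names "password", "confidential" and "SSN";
# the word-boundary matching and the SSN number pattern are assumptions added here.
SENSITIVE_PATTERNS = {
    "password": re.compile(r"\bpass(?:word|wd)\b", re.I),
    "confidential": re.compile(r"\bconfidential\b", re.I),
    "ssn": re.compile(r"\bSSN\b|\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b", re.I),
}

def external_members(memberships):
    """spaces.members.list items whose human member belongs to another Workspace domain."""
    return sorted(m["member"]["name"] for m in memberships
                  if m["member"].get("type") == "HUMAN" and m["member"].get("domainId") != ORG_DOMAIN_ID)

def keyword_hits(messages):
    """(message name, matched labels) for spaces.messages.list items whose text matches."""
    hits = []
    for msg in messages:
        labels = [k for k, rx in SENSITIVE_PATTERNS.items() if rx.search(msg.get("text") or "")]
        if labels:
            hits.append((msg["name"], labels))
    return hits

def external_file_shares(messages, memberships):
    """Rules "File Sharing to External Domains (Chat)" and "New Chat Room with External
    Participants": any attachment posted in a space that has external members.
    Returns (message name, attachment contentName, external member names)."""
    ext = external_members(memberships)
    if not ext:
        return []
    return [(msg["name"], att.get("contentName"), ext)
            for msg in messages for att in msg.get("attachment", [])]

def high_volume_private_chats(spaces):
    """Rule "Creation of High-Volume Private Chats": DIRECT_MESSAGE spaces grouped by createTime
    date. With spaces.list called as the investigated user this approximates the DMs that user
    started that day. Returns the ISO dates over the threshold."""
    per_day = Counter()
    for s in spaces:
        if s.get("spaceType") == "DIRECT_MESSAGE" and "createTime" in s:
            per_day[datetime.fromisoformat(s["createTime"].replace("Z", "+00:00")).date()] += 1
    return sorted(d.isoformat() for d, n in per_day.items() if n > PRIVATE_CHATS_PER_DAY)

# Constructed sample responses: one space with an internal user, an external user and a bot.
SAMPLE_MEMBERSHIPS = [
    {"name": "spaces/AAA/members/1", "member": {"name": "users/101", "type": "HUMAN", "domainId": ORG_DOMAIN_ID}},
    {"name": "spaces/AAA/members/2", "member": {"name": "users/202", "type": "HUMAN", "domainId": "C09zzzzzz"}},
    {"name": "spaces/AAA/members/3", "member": {"name": "users/303", "type": "BOT"}},
]
SAMPLE_MESSAGES = [
    {"name": "spaces/AAA/messages/m1", "sender": {"name": "users/101", "type": "HUMAN"},
     "createTime": "2024-05-02T09:01:00Z", "text": "The VPN password is on the wiki, don't paste it here"},
    {"name": "spaces/AAA/messages/m2", "sender": {"name": "users/101", "type": "HUMAN"},
     "createTime": "2024-05-02T09:02:00Z", "text": "Claimant SSN 123-45-6789, see ticket"},
    {"name": "spaces/AAA/messages/m3", "sender": {"name": "users/101", "type": "HUMAN"},
     "createTime": "2024-05-02T09:03:00Z", "text": "Q3 numbers attached",
     "attachment": [{"name": "spaces/AAA/messages/m3/attachments/1",
                     "contentName": "Q3-forecast.xlsx", "source": "DRIVE_FILE"}]},
    {"name": "spaces/AAA/messages/m4", "sender": {"name": "users/202", "type": "HUMAN"},
     "createTime": "2024-05-02T09:04:00Z", "text": "thanks, lunch at noon?"},
]
# 21 direct-message spaces created on one day (over the threshold) plus one named room.
SAMPLE_SPACES = [{"name": f"spaces/DM{i}", "spaceType": "DIRECT_MESSAGE",
                  "createTime": f"2024-05-02T{i % 24:02d}:00:00Z"} for i in range(21)]
SAMPLE_SPACES.append({"name": "spaces/ROOM", "spaceType": "SPACE", "displayName": "eng",
                      "createTime": "2024-05-02T10:00:00Z"})

def evaluate(messages=SAMPLE_MESSAGES, memberships=SAMPLE_MEMBERSHIPS, spaces=SAMPLE_SPACES):
    return {"keyword_hits": keyword_hits(messages),
            "external_file_shares": external_file_shares(messages, memberships),
            "high_volume_private_chats": high_volume_private_chats(spaces)}

if __name__ == "__main__":
    for rule, result in evaluate().items():
        print(rule, result)
```

Two caveats a practitioner will hit when wiring this up: spaces.members.list needs the https://www.googleapis.com/auth/chat.memberships.readonly scope in addition to the scopes listed above, and the Chat API identifies people as users/{id} with a domainId rather than an e-mail address, so the external check compares domainId against the tenant's own instead of matching on a domain suffix.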

Reports and Widgets for CISO

Each report lists its widget and what the widget shows.

Unusual Meeting Activity Report
  Widget: Unusual Meeting Times & Participants
  Description: Visualize meetings scheduled outside business hours and with external participants.

File Sharing to External Domains
  Widget: External File Sharing by User/Domain
  Description: Breakdown of file shares from Google Meet/Chat to external domains.

Meeting Duration Anomalies
  Widget: Extended Meeting Durations
  Description: Track meetings exceeding typical duration, especially outside working hours.

Top 10 Most Active Users (Meet)
  Widget: User Activity in Google Meet
  Description: Show the top 10 users by number of meetings created or participated in.

External Participation in Meetings
  Widget: External Users in Meetings
  Description: List of external participants by meeting, along with the associated departments or hosts.

Keyword Monitoring in Google Chat
  Widget: Sensitive Keyword Alerts (Chat)
  Description: Detect and visualize keyword usage related to sensitive data in Google Chat conversations.

High-Volume Private Chats Report
  Widget: High-Volume Private Chats by User
  Description: Visualize users creating a high number of private chats in a short time frame.

Sensitive Data Exposure (Chat)
  Widget: Chat Message Exposure by External Domains
  Description: Identify sensitive or excessive chat communication with external domains.

Executive Meeting Risk Report
  Widget: Executive Participation in Risky Meetings
  Description: Show instances of executive team participation in flagged or risky meetings.

Compliance Report
  Widget: Google Workspace Compliance Overview
  Description: Summary report focused on adherence to organizational policies and security standards in Meet/Chat.