
Testing Google Workspace detections

Overview

After you have completed the Integrating with Google Workspace procedure, you can use the tests below to trigger Blumira's detections for certain Google Workspace activity.

Important: Ensure the Cloud Connector is successfully integrated and the named detection rules are deployed to the account before you proceed. Detection rules can take up to 15 minutes to deploy to an account after adding an integration. Review the available rules in Settings > Detection Rules.

Google Workspace: Domain Data Export Initiated

Domain data exports can be part of normal business operations, such as migrating to another Workspace tenant or to a cloud service like Microsoft 365. Threat actors have also used them in attempts to exfiltrate data from Workspace.

Reference: How to download your Google data

To test the “Google Workspace: Domain Data Export Initiated” detection, do the following:

  1. Go to the Google Takeout page. 

  2. Under the “Select data to include” section, review the products that are selected by default; these are the Google products you use that hold your data. 

  3. (Optional) If you do not want to download data from specific products, de-select the checkbox next to each.

  4. Click Next step.

  5. Under the “File type, frequency & destination” section, select where you want to transfer the data to and then click Create export.

  6. In Blumira, navigate to Reporting > Findings, and look for a newly created finding for this activity.

Google Workspace: Custom Admin Role Created

Administrator roles can be created for legitimate reasons, as organizations may prefer the ability to limit the scopes of certain default roles or avoid their use entirely. They can also be leveraged by threat actors to maintain persistence in an environment and attempt to avoid detection.

Reference: Create, edit, and delete custom admin roles

To test the “Google Workspace: Custom Admin Role Created” detection, do the following:

  1. In the Admin console, go to Menu > Account > Admin Roles.

  2. Click Create new role.

  3. Under Role info, type a name and optional description for the role and click Continue.

  4. From the Privilege Name list, check the box next to each privilege that users with this role should have. For a test, a low-impact privilege such as Support is sufficient.

  5. Click Continue.

  6. Review the privileges and click Create Role.

  7. In Blumira, navigate to Reporting > Findings, and look for a newly created finding for this activity.

Google Workspace: Email Forwarding to External Address

Compromised accounts often create inbox rules to extend the time before the compromise is detected. These rules sometimes remove messages from the Sent folder or delete all incoming messages to the victim's mailbox. Even if the user made the change intentionally, some organizations treat external forwarding as a policy violation, and it should be investigated to verify that no sensitive data is being forwarded to unmanaged external accounts.

Reference: Automatically forward Gmail messages to another account

To test the “Google Workspace: Email Forwarding to External Address” detection, do the following: 

  1. In Gmail, in the top right, click Settings and then click See all settings.

  2. Click the Forwarding and POP/IMAP tab.

  3. In the "Forwarding" section, click Add a forwarding address.

  4. Enter the external email address you want to forward messages to and then click Next.

    Note: Using an address that is internal to your organization will not trigger the detection.

  5. A verification message is sent to that address. Click the verification link in that message.

  6. Refresh the Forwarding and POP/IMAP tab under Settings.

  7. In the "Forwarding" section, select Forward a copy of incoming mail to.

  8. In the "POP download" section, select keep Gmail's copy in the Inbox.

  9. At the bottom of the page, click Save Changes.

  10. In Blumira, navigate to Reporting > Findings, and look for a newly created finding for this activity.
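The note in step 4 above is the part of this test that is easiest to get wrong: the detection is about the destination domain, not the act of forwarding. The following Python is an added example (not Blumira's rule logic and not Google's audit log schema, neither of which this page shows) that applies that distinction to a handful of constructed forwarding events. The field names `actor` and `forward_to`, the `MANAGED_DOMAINS` set and the sample addresses are all assumptions made for illustration.

```python
from email.utils import parseaddr

# Domains the organization manages in Google Workspace (primary domain plus any
# secondary domains and domain aliases). Constructed for this example.
MANAGED_DOMAINS = {"example.com", "corp.example.com", "example.net"}


def domain_of(address):
    """Return the lowercase domain part of an address, or None if it is not a
    well-formed user@domain string. Accepts 'Display Name <user@domain>'."""
    _, addr = parseaddr(address or "")
    if "@" not in addr:
        return None
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        return None
    return domain.strip().lower().rstrip(".")


def is_external_forward(forward_to, managed_domains=MANAGED_DOMAINS):
    """True when the forwarding destination is outside every managed domain.

    Matching is exact on the domain part: 'example.com.attacker.test' is not
    'example.com'. An unparseable destination is treated as external (fail
    closed) rather than silently ignored."""
    domain = domain_of(forward_to)
    if domain is None:
        return True
    return domain not in {d.lower() for d in managed_domains}


# Constructed events in a simplified, assumed shape (actor plus destination).
SAMPLE_EVENTS = [
    {"actor": "alice@example.com", "forward_to": "alice.personal@gmail.com"},
    {"actor": "bob@example.com", "forward_to": "Bob <BOB@Example.COM>"},
    {"actor": "carol@example.com", "forward_to": "carol@corp.example.com"},
    {"actor": "dave@example.com", "forward_to": "dave@example.com.attacker.test"},
    {"actor": "erin@example.com", "forward_to": "not-an-address"},
]


def triage_forwarding_events(events, managed_domains=MANAGED_DOMAINS):
    """Return the events that should raise a finding: forwarding to any address
    outside the managed domains. Internal destinations are dropped, which is
    why a test that forwards to a coworker produces no finding."""
    return [e for e in events
            if is_external_forward(e.get("forward_to"), managed_domains)]


if __name__ == "__main__":
    for finding in triage_forwarding_events(SAMPLE_EVENTS):
        print(f"FINDING: {finding['actor']} forwards to {finding['forward_to']}")
```

Run as-is, the script reports alice (consumer mailbox), dave (a look-alike domain that merely begins with the managed one) and erin (malformed destination), and stays quiet for bob and carol, whose destinations resolve to managed domains regardless of letter case or display-name wrapping. When adapting this to real events, populate `MANAGED_DOMAINS` from the Admin console's domain list, including aliases, or internal forwards will be reported as external.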