This document offers informal guidance on how you can respond to findings of suspicious activities in your Google Workspace resources. The recommended steps might not be appropriate for all findings and might impact your operations. Before you take any action, you should investigate the findings, assess the information that you gather, and decide how to respond.
The techniques in this document aren't guaranteed to be effective against any previous, current, or future threats that you face. To understand why Security Command Center does not provide official remediation guidance for threats, see Remediating threats.
Before you begin
- Review the finding.
- To learn more about the finding that you're investigating, search for the finding in the Threat findings index.
Findings for Google Workspace are only available for organization-level activations of Security Command Center. Google Workspace logs can't be scanned for project-level activations.
General recommendations
If you're a Google Workspace administrator, you can use the service's security tools to resolve these threats. The tools include alerts, a security dashboard, and security recommendations. These tools can help you investigate and respond to Google Workspace threats.
If you're not a Google Workspace administrator, do the following:
- Instruct the affected user to change or reset their password and turn on 2-Step Verification.
- Contact your Google Workspace administrator or the team in your company that manages your Google Workspace account. Use these findings as an indication that an account might be compromised.
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.