Back to Integrations
Google Workspace
Active IntegrationCloud Productivity

Google Workspace

Introduced in BitLyft AIR® v1.24, the Google Workspace integration brings comprehensive detection coverage and automated phishing response to Google-native environments.

12+

Detection Policies

1

Prebuilt Playbook

v1.24

Available Since

Comprehensive Coverage Across Google Workspace

The v1.24 Google Workspace integration adds out-of-the-box detection coverage across administrative activity, application access, Drive behavior, and authentication events — surfacing high-risk activity such as privilege changes, OAuth grants, data exfiltration patterns, and suspicious login behavior.

Combined with an automated phishing containment playbook, AIR® can now respond to threats in Google environments with the same speed and consistency as Microsoft 365 environments.

Detection Policy Categories

Administrative Activity

  • Privilege escalation and admin role changes
  • Security policy modifications
  • Abnormal admin actions and potential impersonation

Application Access

  • OAuth application grants and API access
  • Third-party app connections to Workspace data
  • Suspicious application permission changes

Drive Behavior

  • Abnormal file sharing and external access grants
  • Large-scale downloads and data exfiltration patterns
  • Sensitive file exposure events

Authentication Events

  • Suspicious login activity and impossible travel
  • Failed authentication spikes
  • Account compromise indicators

Google Workspace Phishing Containment Playbook

This SOC-ready automation playbook orchestrates a complete phishing response workflow in Google Workspace, reducing dwell time and standardizing response across affected accounts — activated automatically when a phishing indicator is detected.

1

Quarantine Emails

Remove malicious messages from all affected inboxes org-wide.

2

Remove Forwarding Rules

Detect and delete attacker-planted forwarding configurations that exfiltrate email.

3

Reset Credentials

Force password reset and session revocation for compromised accounts.

Enterprise SSO with Google

v1.24 also introduced SSO connection management supporting Google as an identity provider. Users authenticating via Google SSO are automatically provisioned in AIR® with the configured role — no manual setup required.

See the full release notes

Google Workspace detection and the phishing containment playbook shipped in BitLyft AIR® v1.24.

Read the v1.24 release post

Protect your Google Workspace environment automatically.

See how AIR® detects threats and triggers automated phishing response across Google Workspace in real time.

Schedule a Demo