Stay organized with collectionsSave and categorize content based on your preferences.
This document offers informal guidance on how you can respond to findings of suspicious
activities in your Google Workspace resources. The recommended steps might not be appropriate for all
findings and might impact your operations. Before you take any action, you should investigate the
findings; assess the information that you gather; and decide how to respond.
The techniques in this document aren't guaranteed to be effective against any previous, current,
or future threats that you face. To understand why Security Command Center does not provide official
remediation guidance for threats, seeRemediating threats.
To learn more about the finding that you're investigating, search for the
finding in theThreat findings
index.
Findings for Google Workspace are only available for organization-level
activations of Security Command Center. Google Workspace logs can't be
scanned for project-level activations.
General recommendations
If you're a Google Workspace administrator, you can use the service's
security tools to resolve these threats:
The tools include alerts, a security dashboard, and security recommendations.
These tools can help you investigate and respond to Google Workspace
threats.
If you're not a Google Workspace administrator, do the following:
Contact your Google Workspace
administratoror the team
in your company that manages your Google Workspace account. Use these
findings as an indication that an account might be compromised.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)\n\nThis document offers informal guidance on how you can respond to findings of suspicious\nactivities in your Google Workspace resources. The recommended steps might not be appropriate for all\nfindings and might impact your operations. Before you take any action, you should investigate the\nfindings; assess the information that you gather; and decide how to respond.\n\nThe techniques in this document aren't guaranteed to be effective against any previous, current,\nor future threats that you face. To understand why Security Command Center does not provide official\nremediation guidance for threats, see [Remediating threats](/security-command-center/docs/how-to-investigate-threats#remediating_threats).\n\nBefore you begin\n\n1. [Review the\n finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings).\n2. To learn more about the finding that you're investigating, search for the finding in the [Threat findings\n index](/security-command-center/docs/threat-findings-index).\n\nFindings for Google Workspace are only available for organization-level\nactivations of Security Command Center. Google Workspace logs can't be\nscanned for project-level activations.\n\nGeneral recommendations\n\nIf you're a Google Workspace administrator, you can use the service's\nsecurity tools to resolve these threats:\n\n- [Google Workspace Alert Center](https://workspace.google.com/products/admin/alert-center/)\n- [Google Workspace Security Center](https://workspace.google.com/products/admin/security-center/)\n\nThe tools include alerts, a security dashboard, and security recommendations.\nThese tools can help you investigate and respond to Google Workspace\nthreats.\n\nIf you're not a Google Workspace administrator, do the following:\n\n- Instruct the affected user to [change or reset their\n password](https://support.google.com/accounts/answer/41078) and [turn on\n 2-Step Verification](https://support.google.com/accounts/answer/185839).\n- [Contact your Google Workspace\n administrator](https://support.google.com/accounts/answer/6208960) or the team in your company that manages your Google Workspace account. Use these findings as an indication that an account might be compromised.\n\nWhat's next\n\n- Learn [how to work with threat\n findings in Security Command Center](/security-command-center/docs/how-to-investigate-threats).\n- Refer to the [Threat findings index](/security-command-center/docs/threat-findings-index).\n- Learn how to [review a\n finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.\n- Learn about the [services that\n generate threat findings](/security-command-center/docs/concepts-security-sources#threats)."]]
