Metrics Library

This is a community-led space where Liongard users can come to teach and learn from one another. Share custom Metrics, get inspired and see what’s trending in the Pride.
Google Workspace: Capture User Mailbox Filters (Detect Hidden Forwarding Rules)
Title: Enhance Google Workspace Inspector to Capture User Mailbox Filters (Detect Hidden Forwarding Rules)

One-Sentence Summary: Expand the Google Workspace Inspector to pull data from the Gmail API's users.settings.filters endpoint, enabling partners to detect malicious forwarding rules and unauthorized data exfiltration.

The "Why" (Partner Use Case): Bad actors are increasingly using hidden mailbox filters to maintain persistence in a compromised tenant. By setting up rules to automatically forward emails to an external address (or delete notifications), they can exfiltrate sensitive data or hide their tracks without the user ever knowing. Currently, auditing these filters requires manually logging into user accounts or running custom scripts per tenant.

Partners need an automated, scalable way to:
- Audit all user filters across an entire Google Workspace environment.
- Create Actionable Alerts for high-risk filter criteria (e.g., "Action: Forward" OR "Action: Delete").
- Detect Persistence: Identify rules created by attackers to hide their activity (e.g., automatically trashing security alerts from Microsoft or Google).

This addition would significantly enhance the security posture of our partners' managed environments and provide a critical layer of defense against Business Email Compromise (BEC).

Technical Details & API Reference: This data is available via the Gmail API. We recommend adding a new Data View to the Google Workspace Inspector that captures the output of the users.settings.filters.list method.
- API Resource: users.settings.filters
- Method: list
- Google Documentation: https://developers.google.com/gmail/api/reference/rest/v1/users.settings.filters/list
- Required Scope: https://www.googleapis.com/auth/gmail.settings.basic (Read-only access to settings)

Proposed Data to Capture: For each filter, we should capture:
- ID: Unique filter ID.
- Criteria: The trigger conditions (e.g., from, to, subject, query).
- Action: The automated response (e.g., addLabelIds, removeLabelIds, forward). Crucial: specifically looking for the forward property.

Example "Work Smarter" Win for Partners: Instead of a reactive fire drill after a breach, a partner could have a Liongard Alert: "Critical: Email Forwarding Rule Detected on Executive Mailbox." This allows them to investigate and remediate before significant data loss occurs.
0
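An added example (not Liongard's or the poster's code) of the alert logic the request above describes, applied to filter resources in the id / criteria / action shape that users.settings.filters.list returns. The function names, the example.com tenant domain, the watch-list terms, the severity labels and the sample filters are all constructed assumptions.

```python
# Added example: triage Gmail filter resources (id / criteria / action).
# Gmail stores "Delete it" as addLabelIds ["TRASH"] and "Skip the Inbox"
# as removeLabelIds ["INBOX"]; forwarding appears as action.forward.
ALERT_TERMS = ("security alert", "accounts.google.com", "microsoft.com")  # assumed watch-list
SEVERITY_ORDER = {"critical": 0, "high": 1}

def assess_filter(flt, internal_domains, alert_terms=ALERT_TERMS):
    """Return (severity, reason) findings for one filter resource."""
    action, criteria = flt.get("action", {}), flt.get("criteria", {})
    findings = []
    forward = action.get("forward")
    if forward and forward.rpartition("@")[2].lower() not in internal_domains:
        findings.append(("critical", f"forwards to external address {forward}"))
    trashes = "TRASH" in action.get("addLabelIds", [])
    skips_inbox = "INBOX" in action.get("removeLabelIds", [])
    if trashes or skips_inbox:
        # Which mail does the rule hide? Check sender, subject and query criteria.
        scope = " ".join(str(criteria.get(k, "")) for k in ("from", "subject", "query")).lower()
        verb = "trashes" if trashes else "archives"
        if any(term in scope for term in alert_terms):
            findings.append(("critical", f"{verb} security notifications"))
        elif trashes:
            findings.append(("high", "trashes matching mail"))
    return findings

def audit(filters_by_user, internal_domains):
    """Flatten per-user filter lists into findings, most severe first."""
    rows = [
        {"user": user, "filter_id": flt.get("id"), "severity": sev, "reason": reason}
        for user, filters in filters_by_user.items()
        for flt in filters
        for sev, reason in assess_filter(flt, internal_domains)
    ]
    return sorted(rows, key=lambda r: (SEVERITY_ORDER[r["severity"]], r["user"]))

# Constructed sample: what a per-user filters.list sweep might return.
SAMPLE = {
    "it@example.com": [
        {"id": "f-003", "criteria": {"subject": "newsletter"}, "action": {"addLabelIds": ["TRASH"]}},
        {"id": "f-004", "criteria": {"to": "it@example.com"}, "action": {"forward": "helpdesk@example.com"}},
    ],
    "ceo@example.com": [
        {"id": "f-001", "criteria": {"query": "invoice OR wire"}, "action": {"forward": "collector@mail.example.net"}},
        {"id": "f-002", "criteria": {"from": "no-reply@accounts.google.com"}, "action": {"addLabelIds": ["TRASH"]}},
    ],
}

if __name__ == "__main__":
    for row in audit(SAMPLE, {"example.com"}):
        print(row)
```

Internal forwards and ordinary inbox-skipping rules produce no finding here, which keeps the alert focused on the external-forward and alert-hiding cases the request calls out.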
Google Workspace - Groups and Members Overview
Category: Google Workspace Management

Description: This metric pulls a clear list of all Google Workspace groups and their members, helping you stay on top of who has access to what and ensuring your team stays organized.

Purpose: This metric is your go-to for tracking group memberships in Google Workspace. Whether you're checking if someone was accidentally removed, troubleshooting access issues, or preparing for an audit, it gives you the visibility you need. It’s also handy for monitoring changes to high-priority groups over time.

How it Works: The metric uses JMESPath to grab a snapshot of all groups and their members from Liongard's Google Workspace inspector. It organizes this data into a readable list with group names and their member lists. Plus, you can enhance it by setting up alerts for changes to specific groups, making it easy to spot unexpected removals or additions.

Use Cases:
- Restore Confidence in Troubleshooting: If a user suddenly loses access to something critical, use the historical reports in Liongard to confirm their previous group memberships and figure out when and why they were removed.
- Monitor Key Groups: Keep an eye on high-priority groups, like Admins or HR, and get alerts if someone adds or removes members.
- Audits Made Simple: Quickly generate a clean report of group memberships for periodic compliance checks or access reviews.
- Onboarding and Offboarding: Ensure users are added or removed from the right groups as part of onboarding or offboarding processes.

Beneficiaries:
- IT Teams: Save time troubleshooting access issues and managing group memberships.
- Security Teams: Ensure groups are configured properly to minimize risk.
- Compliance Officers: Use reports to confirm access controls during audits.

Notes for Adjustments:
- Change Detection: Enable change detection on the Admin > Metrics page to flag modifications in key groups over time. This makes it easy to spot unauthorized changes.
- Reporting: Schedule reports to compare snapshots daily and highlight any new or removed members.
- Custom Filters: Refine the output to focus on specific groups, such as those with admin-level permissions, by adding filters like Groups[?contains(name, 'Admin')].
- Historical Data: Use Liongard’s historical reporting to see group membership as it was at any point in time, ideal for resolving past incidents or meeting compliance requirements.

By tailoring this metric to your needs, you’ll have even more control and insight into your Google Workspace groups and their memberships.

Groups[].[['Name:', name], ['Members:', MembersList_r], ['-']][]
0