Hi,
We are receiving data from both Google Workspace Activity and Google Workspace Alerts, specifically phishing alerts. The alerts from Google Workspace Activity arrive first, while the corresponding alerts from Google Workspace Alerts typically follow after two hours. We have created a rule for this and set the match condition to receiver over 2 hours. However, we would like to reduce the time between the activity and the alert—ideally to one hour. If this is possible, how can we achieve it?
Furthermore, when we receive the alerts in SOAR under Cases > Alerts > Event > Highlighted Fields, we do not see much information about the phishing email. Important fields such as URL, DMARC, message body, SPF, and DKIM are missing.
How and where can we adjust the configuration to ensure that all this information is included in the highlighted details of the event?
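One way to express the correlation described above as a YARA-L 2.0 detection rule with a one-hour match window, added here as an example and not taken from the original post or from Google's own rule set; the log type labels, UDM field paths and outcome variable names are assumptions to check against your own ingested events:

```yaral
rule workspace_phishing_activity_to_alert {
  meta:
    author = "added example"
    description = "Join a Workspace Activity phishing event with the later Workspace Alert for the same recipient"
    severity = "Medium"

  events:
    // Assumed log type labels and field mapping; confirm them in UDM search
    $activity.metadata.log_type = "WORKSPACE_ACTIVITY"
    $activity.target.user.email_addresses = $recipient

    $alert.metadata.log_type = "WORKSPACE_ALERTS"
    $alert.target.user.email_addresses = $recipient

  match:
    // Both events must fall inside this window. Shrinking it from 2h to 1h
    // only produces detections if the alert really arrives within an hour;
    // the rule cannot speed up the upstream feed, it can only miss late alerts.
    $recipient over 1h

  outcome:
    // Outcome variables carry extra context into the detection (assumed field paths)
    $subject = array_distinct($alert.network.email.subject)
    $sender = array_distinct($alert.principal.user.email_addresses)

  condition:
    $activity and $alert
}
```

Before lowering the window, compare the activity and alert timestamps on a few recent cases to confirm the real lag is under one hour.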