Google Workspace Administrator (GCX)

Virtualization, Google

This course delivers a structured overview of administering and securing Google Workspace, focusing on configuring security policies, using the Admin Console and applying Audit logs with the Investigation Tool for forensic analysis of Gmail, Drive and login activity.

It covers practical prevention and response: enforcing MFA/2SV, DLP rules for Gmail and Drive, configuring SPF/DKIM/DMARC and Context-Aware Access, integrating with SIEMs and automating tasks via Admin SDK, APIs and GAM for incident reporting and audits.

Location, current course term

Contact us

Custom Customized Training (date, location, content, duration)

The course:

Hide detail
  • Introduction to Google Workspace and SaaS security
    1. Shared Responsibility Model — responsibilities of Google vs. the customer
    2. Roles and org structure (Org Units, Groups, Access Groups)
    3. Licenses and editions (Business / Enterprise) and security implications
    4. Typical threats (phishing, public links, auto-forwarding, OAuth)
  • Admin Console and Audit logs
    1. Key Admin Console areas (Alert Center, Security Rules)
    2. Working with Email Log Search, Drive Audit, Login Activity
    3. Investigation Tool (Enterprise) — building queries and exporting results
    4. Exporting logs (CSV, Reports API, BigQuery) and offline analysis
  • Forensic analysis — practical case study
    1. Data exfiltration and email forwarding incidents
    2. Downloading and analysing logs (Drive, Email, Login)
    3. Creating an attack timeline — attacker steps and stolen files
    4. Remediation steps (password resets, MFA, removing forwards)
    5. Structuring reports and communicating with management
  • Security policies and data loss prevention
    1. MFA / 2SV and SSO integration (Azure AD, Okta)
    2. DLP rules for Gmail and Drive
    3. Sharing settings (internal, public, domain allow/block lists)
    4. SPF / DKIM / DMARC and anti‑phishing policies
    5. Context-Aware Access — restrict by IP, device, geolocation
    6. Alerting (webhooks, email, Chat notifications)
  • Automation and integration
    1. Admin SDK, Reports API, Directory API
    2. GAMADV‑XTD3 — exporting logs, auditing sharing, changing forwards
    3. Apps Script / Cloud Functions for scheduled audits
    4. SIEM integration (Chronicle, Splunk, ELK)
    5. Connecting to ticketing systems (Jira, ServiceNow)
  • Best practices and security checklist
    1. Incident Response Playbook (detect → contain → recover)
    2. Communication plan and documentation (reports, logs, chain of custody)
    3. Tabletop exercises, sharing audits, phishing tests
    4. Quick admin checklist (daily / weekly / monthly controls)
  • Bonus (if time allows)
    1. Compliance (GDPR, ISO 27001, SOC 2)
    2. Auditing OAuth apps and restricting app access
    3. Chronicle SIEM mini-lab — ingesting logs and creating detections
Assumed knowledge:
Basic Google Workspace user knowledge; admin experience with SaaS is a plus.
Schedule:
2 days (9:00 AM - 5:00 PM )
Language: