Tag
Google Workspace User Organizational Unit Changed
2 rules 2 TTPsDetects when a Google Workspace user's organizational unit is changed, potentially indicating an adversary attempting to inherit permissions and gain unauthorized access to resources and applications.
Google Workspace Suspended User Account Renewed
2 rules 2 TTPsDetection of a renewed suspended user account in Google Workspace, potentially indicating an adversary regaining access to the organization.
External User Added to Google Workspace Group
2 rules 2 TTPsDetects an external Google Workspace user account being added to an existing group, potentially allowing adversaries to intercept shared files or emails.
Google Workspace Drive Data Transfer or Takeout Export Initiated
2 rules 2 TTPsThis rule detects when Google Workspace administrators initiate bulk movement or export of user Drive data, including admin data transfer requests and Customer Takeout export jobs which can be abused by adversaries with administrative access to stage or exfiltrate sensitive files.
Google Workspace Device Registration Burst for Single User
1 rule 3 TTPsDetects bursts of Google Workspace device registration events for a single user exceeding three distinct device registrations within one minute, indicative of AiTM phishing or stolen OAuth token replay attacks.
Google Workspace User Sign-in from Atypical Device Type
2 rules 2 TTPsThis rule detects when a Google Workspace user authenticates from a device type that hasn't been observed for that user in the past 14 days, potentially indicating account compromise via AiTM kits or stolen OAuth refresh tokens.
Google Workspace Application Removed from Blocklist
2 rules 2 TTPsAn adversary with Google Workspace administrative privileges may remove an application from the explicit blocklist to enable its distribution and usage, potentially indicating unauthorized activity and defense evasion.
Google Workspace BitLocker Setting Disabled
2 rules 2 TTPsDetection of Google Workspace administrators disabling the BitLocker setting, potentially allowing adversaries with valid account access to decrypt sensitive data on managed Windows devices.
External User Added to Google Workspace Group
2 rules 2 TTPsDetection of an external Google Workspace user account being added to an existing group, potentially indicating an adversary attempting to intercept shared files or emails by adding accounts where the domain name of the target doesn't match the Google Workspace domain.
GSuite Suspicious File Share with Phishing Filenames
2 rules 1 TTPThis analytic detects suspicious file sharing activity in Google Workspace where files are shared with names commonly associated with phishing campaigns, such as 'invoice,' 'shipment,' or 'delivery', potentially leading to credential theft or malware infection.
Google Workspace Suspended User Account Renewed
2 rules 3 TTPsDetection of a renewed, previously suspended user account in Google Workspace, potentially indicating unauthorized access or persistence by an adversary.
Google Workspace Marketplace Restrictions Modified to Allow Any App
2 rules 2 TTPsAn adversary may modify Google Workspace Marketplace restrictions to allow installation of any application, potentially enabling the deployment of malicious APKs to end users within the Google Workspace environment, bypassing security restrictions.