Google Workspace Suspended User Account Renewed

Detects when a previously suspended user's account is renewed in Google Workspace. An adversary may renew a suspended user account to maintain access to the Google Workspace organization with a valid account.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/11/17"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Detects when a previously suspended user's account is renewed in Google Workspace. An adversary may renew a suspended
user account to maintain access to the Google Workspace organization with a valid account.
"""
false_positives = [
    """
    Google Workspace administrators may renew a suspended user account if the user is expected to continue employment at
    the organization after temporary leave. Suspended user accounts are typically used by administrators to remove
    access to the user while action is taken to transfer important documents and roles to other users, prior to
    deleting the user account and removing the license.
    """,
]
from = "now-130m"
index = ["filebeat-*", "logs-google_workspace*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "Google Workspace Suspended User Account Renewed"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Google Workspace Suspended User Account Renewed

Google Workspace manages user identities and access, crucial for organizational security. Adversaries may exploit the renewal of suspended accounts to regain unauthorized access, bypassing security measures. The detection rule identifies such events by monitoring specific administrative actions, helping analysts spot potential misuse and maintain secure access controls.

### Possible investigation steps

- Review the event logs for the specific action `UNSUSPEND_USER` to identify the user account that was renewed and gather details about the timing and context of the action.
- Check the identity of the administrator or service account that performed the `UNSUSPEND_USER` action to determine if the action was authorized or if there are signs of account compromise.
- Investigate the history of the suspended user account to understand why it was initially suspended and assess any potential risks associated with its renewal.
- Examine recent activity logs for the renewed user account to identify any suspicious behavior or unauthorized access attempts following the account's reactivation.
- Cross-reference the event with other security alerts or incidents to determine if the renewal is part of a broader pattern of suspicious activity within the organization.

### False positive analysis

- Routine administrative actions may trigger the rule when IT staff unsuspend accounts for legitimate reasons, such as resolving a temporary issue. To manage this, create exceptions for known IT personnel or specific administrative actions that are part of regular account maintenance.
- Automated processes or scripts that unsuspend accounts as part of a workflow can also lead to false positives. Identify and document these processes, then exclude them from triggering alerts by using specific identifiers or tags associated with the automation.
- User accounts that are temporarily suspended due to policy violations or inactivity and later reinstated can cause false positives. Implement a review process to verify the legitimacy of these reinstatements and adjust the rule to exclude such cases when they are part of a documented policy.

### Response and remediation

- Immediately review the user account activity logs to determine if any unauthorized actions were taken after the account was unsuspended. Focus on sensitive data access and changes to security settings.
- Temporarily suspend the user account again to prevent further unauthorized access while the investigation is ongoing.
- Notify the security team and relevant stakeholders about the potential security incident to ensure coordinated response efforts.
- Conduct a thorough review of the account's permissions and access levels to ensure they align with the user's current role and responsibilities. Adjust as necessary to follow the principle of least privilege.
- If malicious activity is confirmed, initiate a password reset for the affected account and any other accounts that may have been compromised.
- Implement additional monitoring on the affected account and similar accounts to detect any further suspicious activity.
- Review and update security policies and procedures related to account suspension and reactivation to prevent similar incidents in the future.

## Setup

This rule requires data from the Google Workspace Fleet integration, the Filebeat module, or a similarly structured source.

### Important Information Regarding Google Workspace Event Lag Times
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval at which the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
- See the following references for further information:
  - https://support.google.com/a/answer/7061566
  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = [
    "https://support.google.com/a/answer/1110339",
    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
]
risk_score = 21
rule_id = "00678712-b2df-11ed-afe9-f661ea17fbcc"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: Google Workspace",
    "Use Case: Identity and Access Audit",
    "Tactic: Initial Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
```
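To see how the query, the `now-130m` lookback and the `timestamp_override = "event.ingested"` setting interact with Google's reporting lag, the following Python script replays the rule's logic over constructed sample documents. It is an added example, not code from the Elastic rule repository or the google_workspace integration (the real rule is the KQL above, executed by Kibana). The field names `source.user.email` (acting administrator) and `google_workspace.admin.user.email` (renewed account) are assumed from the integration's ECS mapping and should be checked against your own indexed documents; the automation allowlist and every sample event are invented for the demonstration.

```python
"""Offline replay of the 'Google Workspace Suspended User Account Renewed'
rule: the KQL predicate, the from/interval window evaluated against the
timestamp_override field, and a hypothetical allowlist for documented
automation. Added example; not the rule's own code."""
from datetime import datetime, timedelta, timezone

# Values copied from the rule TOML.
LOOKBACK = timedelta(minutes=130)      # from = "now-130m"
INTERVAL = timedelta(minutes=10)       # interval = "10m" (one run per 10m)
TIMESTAMP_OVERRIDE = "event.ingested"  # timestamp_override in the rule

# Assumption: a tenant-specific list of automation actors whose UNSUSPEND_USER
# events are a documented false positive. The rule has no such list; in
# Kibana this would be a rule exception.
KNOWN_AUTOMATION = {"hr-lifecycle-bot@example.com"}

# Fixed "now" so the run is deterministic.
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp, accepting a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def matches_query(ev: dict) -> bool:
    """Equivalent of the rule's KQL. event.category is an ECS array field,
    so `event.category:iam` matches when any element equals "iam"."""
    category = ev.get("event.category", [])
    if isinstance(category, str):
        category = [category]
    return (ev.get("event.dataset") == "google_workspace.admin"
            and "iam" in category
            and ev.get("event.action") == "UNSUSPEND_USER")


def rule_time(ev: dict) -> datetime:
    """Timestamp the lookback window is evaluated against: event.ingested
    because of timestamp_override, falling back to @timestamp if absent."""
    return _ts(ev.get(TIMESTAMP_OVERRIDE) or ev["@timestamp"])


def in_window(ev: dict, now: datetime = NOW) -> bool:
    """True if the event lies in [now - 130m, now], the span one execution
    scans. With a 130m lookback and a 10m interval each document is seen by
    many consecutive runs; Kibana de-duplicates alerts, this script does not."""
    return now - LOOKBACK <= rule_time(ev) <= now


def ingestion_lag(ev: dict) -> timedelta:
    """Delay between the action (@timestamp, Google's event time) and the
    document reaching the index (event.ingested)."""
    return _ts(ev["event.ingested"]) - _ts(ev["@timestamp"])


def run_rule(events, now=NOW, allowlist=KNOWN_AUTOMATION):
    """Return the alerts one execution of the rule at `now` would raise."""
    alerts = []
    for ev in events:
        if not (matches_query(ev) and in_window(ev, now)):
            continue
        actor = ev.get("source.user.email")          # assumed ECS mapping
        if actor in allowlist:
            continue                                 # documented automation
        alerts.append({"actor": actor,
                       "target": ev.get("google_workspace.admin.user.email"),
                       "lag": ingestion_lag(ev)})
    return alerts


def _ev(ts, ingested, action, actor, target):
    """Build a constructed, flattened ECS-style admin audit document."""
    return {"@timestamp": ts, "event.ingested": ingested,
            "event.dataset": "google_workspace.admin", "event.category": ["iam"],
            "event.action": action, "source.user.email": actor,
            "google_workspace.admin.user.email": target}


# Constructed sample documents (not real logs).
SAMPLE_EVENTS = [
    # 1: admin renews a user; Google published the audit record two days
    # late, but event.ingested is fresh so this run still catches it.
    _ev("2025-01-13T11:50:00Z", "2025-01-15T11:55:00Z", "UNSUSPEND_USER",
        "admin@example.com", "jdoe@example.com"),
    # 2: same action by the documented lifecycle bot: matched, then allowlisted.
    _ev("2025-01-15T11:57:00Z", "2025-01-15T11:58:00Z", "UNSUSPEND_USER",
        "hr-lifecycle-bot@example.com", "returning.employee@example.com"),
    # 3: a suspension, not a renewal: no match.
    _ev("2025-01-15T11:59:00Z", "2025-01-15T11:59:30Z", "SUSPEND_USER",
        "admin@example.com", "leaver@example.com"),
    # 4: renewal ingested three hours ago: outside this run's 130m window
    # (an earlier run would already have alerted on it).
    _ev("2025-01-15T08:55:00Z", "2025-01-15T09:00:00Z", "UNSUSPEND_USER",
        "admin@example.com", "old@example.com"),
]

if __name__ == "__main__":
    for a in run_rule(SAMPLE_EVENTS):
        print(f"ALERT actor={a['actor']} target={a['target']} "
              f"ingestion_lag={a['lag']}")
```

Event 1 is the case the Setup section warns about: keyed on `@timestamp` the record would sit outside any 130-minute window by the time Google publishes it, whereas keyed on `event.ingested` it is picked up as soon as Filebeat or the integration writes it. Lowering `var.interval` shortens the second half of that lag (poll delay) but cannot shorten Google's own reporting delay, so `ingestion_lag` is a useful number to record on each alert during triage.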
