Google Workspace Suspended User Account Renewed
Detects when a previously suspended user's account is renewed in Google Workspace. An adversary may renew a suspended user account to maintain access to the Google Workspace organization with a valid account.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2020/11/17"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Detects when a previously suspended user's account is renewed in Google Workspace. An adversary may renew a suspended
user account to maintain access to the Google Workspace organization with a valid account.
"""
false_positives = [
    """
    Google Workspace administrators may renew a suspended user account if the user is expected to continue employment at
    the organization after temporary leave. Suspended user accounts are typically used by administrators to remove
    access to the user while action is taken to transfer important documents and roles to other users, prior to
    deleting the user account and removing the license.
    """,
]
from = "now-130m"
index = ["filebeat-*", "logs-google_workspace*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "Google Workspace Suspended User Account Renewed"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Google Workspace Suspended User Account Renewed

Google Workspace manages user identities and access, crucial for organizational security. Adversaries may exploit the renewal of suspended accounts to regain unauthorized access, bypassing security measures. The detection rule identifies such events by monitoring specific administrative actions, helping analysts spot potential misuse and maintain secure access controls.

### Possible investigation steps

- Review the event logs for the specific action `UNSUSPEND_USER` to identify the user account that was renewed and gather details about the timing and context of the action.
- Check the identity of the administrator or service account that performed the `UNSUSPEND_USER` action to determine if the action was authorized or if there are signs of account compromise.
- Investigate the history of the suspended user account to understand why it was initially suspended and assess any potential risks associated with its renewal.
- Examine recent activity logs for the renewed user account to identify any suspicious behavior or unauthorized access attempts following the account's reactivation.
- Cross-reference the event with other security alerts or incidents to determine if the renewal is part of a broader pattern of suspicious activity within the organization.

### False positive analysis

- Routine administrative actions may trigger the rule when IT staff unsuspend accounts for legitimate reasons, such as resolving a temporary issue. To manage this, create exceptions for known IT personnel or specific administrative actions that are part of regular account maintenance.
- Automated processes or scripts that unsuspend accounts as part of a workflow can also lead to false positives. Identify and document these processes, then exclude them from triggering alerts by using specific identifiers or tags associated with the automation.
- User accounts that are temporarily suspended due to policy violations or inactivity and later reinstated can cause false positives. Implement a review process to verify the legitimacy of these reinstatements and adjust the rule to exclude such cases when they are part of a documented policy.

### Response and remediation

- Immediately review the user account activity logs to determine if any unauthorized actions were taken after the account was unsuspended. Focus on sensitive data access and changes to security settings.
- Temporarily suspend the user account again to prevent further unauthorized access while the investigation is ongoing.
- Notify the security team and relevant stakeholders about the potential security incident to ensure coordinated response efforts.
- Conduct a thorough review of the account's permissions and access levels to ensure they align with the user's current role and responsibilities. Adjust as necessary to follow the principle of least privilege.
- If malicious activity is confirmed, initiate a password reset for the affected account and any other accounts that may have been compromised.
- Implement additional monitoring on the affected account and similar accounts to detect any further suspicious activity.
- Review and update security policies and procedures related to account suspension and reactivation to prevent similar incidents in the future.

## Setup

This rule requires events from the Google Workspace Fleet integration, the Filebeat google_workspace module, or similarly structured data.

### Important Information Regarding Google Workspace Event Lag Times
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval at which the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
- See the following references for further information:
  - https://support.google.com/a/answer/7061566
  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = [
    "https://support.google.com/a/answer/1110339",
    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two",
]
risk_score = 21
rule_id = "00678712-b2df-11ed-afe9-f661ea17fbcc"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: Google Workspace",
    "Use Case: Identity and Access Audit",
    "Tactic: Initial Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
```
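The following is an added example, not Elastic's code or part of the rule above. It applies the rule's KQL predicate (`event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER`) to constructed, ECS-shaped Google Workspace events, drops unsuspends performed by a documented automation account (the second false-positive case in the investigation guide), and assembles the first triage facts the guide asks for: who unsuspended whom, when and by whom the account was suspended, and what the account did afterwards. The sample events and the automation account are constructed; the field paths beyond the three in the query (`source.user.email` for the acting admin, `google_workspace.admin.user.email` for the affected user) are assumptions about the integration's layout and should be checked against your own index mapping.

```python
# Added example (not Elastic's code): the rule's predicate, a documented-automation
# exception, and first-pass triage over constructed ECS-shaped events.
# Assumed field paths: source.user.email = actor, google_workspace.admin.user.email = target.
from datetime import datetime, timedelta
from typing import Any


def get(event: dict, path: str, default: Any = None) -> Any:
    """Resolve a dotted ECS path such as 'event.action' in a nested dict."""
    node: Any = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def matches_rule(event: dict) -> bool:
    """event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER"""
    category = get(event, "event.category", [])
    if isinstance(category, str):          # ECS permits a scalar or an array here
        category = [category]
    return (get(event, "event.dataset") == "google_workspace.admin"
            and "iam" in category
            and get(event, "event.action") == "UNSUSPEND_USER")


def is_documented_exception(event: dict, automation_actors: set[str]) -> bool:
    """Exception for a documented lifecycle automation that unsuspends accounts."""
    return get(event, "source.user.email") in automation_actors


def ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["@timestamp"])


def triage(alert: dict, events: list[dict], window: timedelta = timedelta(hours=24)) -> dict:
    """Correlate the alert with the prior SUSPEND_USER and the target's follow-on activity."""
    target = get(alert, "google_workspace.admin.user.email")
    when = ts(alert)
    suspensions = sorted(
        (e for e in events
         if get(e, "event.action") == "SUSPEND_USER"
         and get(e, "google_workspace.admin.user.email") == target
         and ts(e) < when),
        key=ts)
    last = suspensions[-1] if suspensions else None
    # Anything the renewed account itself did within `window` after reactivation.
    activity = [(e["@timestamp"], get(e, "event.dataset"), get(e, "event.action"))
                for e in events
                if get(e, "source.user.email") == target and when < ts(e) <= when + window]
    return {
        "target": target,
        "actor": get(alert, "source.user.email"),
        "unsuspended_at": alert["@timestamp"],
        "suspended_at": last["@timestamp"] if last else None,
        "suspended_by": get(last, "source.user.email") if last else None,
        "suspended_for": when - ts(last) if last else None,
        "activity_after": activity,
    }


def run(events: list[dict], automation_actors: set[str]) -> list[dict]:
    """One alert-plus-triage record per rule hit that is not a documented exception."""
    return [{"alert": e, "triage": triage(e, events)}
            for e in events
            if matches_rule(e) and not is_documented_exception(e, automation_actors)]


# --- constructed sample data (not real logs) ---------------------------------
def admin_event(timestamp: str, actor: str, action: str, target: str) -> dict:
    return {"@timestamp": timestamp,
            "event": {"dataset": "google_workspace.admin", "category": ["iam"], "action": action},
            "source": {"user": {"email": actor}},
            "google_workspace": {"admin": {"user": {"email": target}}}}


def login_event(timestamp: str, user: str) -> dict:
    return {"@timestamp": timestamp,
            "event": {"dataset": "google_workspace.login", "category": ["authentication"],
                      "action": "login_success"},
            "source": {"user": {"email": user}}}


SAMPLE_EVENTS = [
    admin_event("2025-01-10T09:00:00+00:00", "it-admin@example.com", "SUSPEND_USER", "alice@example.com"),
    admin_event("2025-01-13T22:15:00+00:00", "it-admin@example.com", "UNSUSPEND_USER", "alice@example.com"),
    login_event("2025-01-13T22:20:00+00:00", "alice@example.com"),
    admin_event("2025-01-14T03:00:00+00:00", "svc-lifecycle@example.com", "UNSUSPEND_USER", "bob@example.com"),
    admin_event("2025-01-14T04:00:00+00:00", "it-admin@example.com", "CHANGE_PASSWORD", "carol@example.com"),
]
# Assumed: an automation account the organization has documented as allowed to unsuspend.
DOCUMENTED_AUTOMATION = {"svc-lifecycle@example.com"}

if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS, DOCUMENTED_AUTOMATION):
        print(hit["triage"])
```

On the sample set, both `UNSUSPEND_USER` events match the predicate, only the one by `it-admin@example.com` survives the exception list, and triage shows the account was suspended for roughly three and a half days and logged in five minutes after renewal. Keep the activity window generous in practice: the setup note says admin events can surface up to three days late, so a follow-on login may not be in the index yet when the alert first fires.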
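The setup note recommends lowering the Filebeat module's `var.interval` from its 2h default to something like 10m. Below is an added configuration fragment showing that change for the `admin` dataset of the Filebeat `google_workspace` module; it is not taken from the rule or from Elastic's documentation, and the credential file path and delegated account are placeholders.

```yaml
# Added example: filebeat.yml module block for the google_workspace admin dataset.
# Path and delegated account are placeholders.
- module: google_workspace
  admin:
    enabled: true
    var.jwt_file: "/etc/filebeat/google-workspace-sa.json"
    var.delegated_account: "filebeat-reader@example.com"
    # Default is 2h; the rule's 130m lookback (10m interval plus 120m) is sized for that.
    # Polling every 10m removes most of the delay Filebeat adds on top of Google's own lag.
    var.interval: 10m
```

Shortening the poll interval only reduces the collector's share of the delay; the minutes-to-3-days lag Google itself reports still applies, which is why the rule keys on `event.ingested` rather than the original event time.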
Related rules
- External User Added to Google Workspace Group
- AWS IAM Password Recovery Requested
- Azure External Guest User Invitation
- First Time Seen Google Workspace OAuth Login from Third-Party Application
- GCP IAM Custom Role Creation