Application Added to Google Workspace Domain
Detects when an administrator adds a Google Workspace Marketplace application to the domain. Adversaries with administrative access may register a malicious OAuth application to establish long-lived API access to mail, drive, and other Workspace data, maintaining persistence and enabling collection without relying on a single user password alone.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/17"
3integration = ["google_workspace"]
4maturity = "production"
5updated_date = "2026/06/15"
6
7[rule]
8author = ["Elastic"]
9description = """
10Detects when an administrator adds a Google Workspace Marketplace application to the domain. Adversaries with
11administrative access may register a malicious OAuth application to establish long-lived API access to mail, drive, and
12other Workspace data, maintaining persistence and enabling collection without relying on a single user password alone.
13"""
14false_positives = [
15 """
16 Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration
17 change was expected. Exceptions can be added to this rule to filter expected behavior.
18 """,
19]
20from = "now-130m"
21index = ["filebeat-*", "logs-google_workspace.admin-*"]
22interval = "10m"
23language = "kuery"
24license = "Elastic License v2"
25name = "Application Added to Google Workspace Domain"
26note = """## Triage and analysis
27
28### Investigating Application Added to Google Workspace Domain
29
30Google Workspace Marketplace applications can request OAuth scopes to read or modify tenant data. When an administrator
31adds an application at the domain level, users may be able to install or authorize it broadly, creating a durable
32third-party access path. Threat actors with admin rights may add an adversary-controlled app to maintain API-based
33persistence and access sensitive resources at scale.
34
35This rule identifies when an administrator adds a Marketplace application via the `ADD_APPLICATION` event in the
36`google_workspace.admin` data stream.
37
38### Possible investigation steps
39
40- Identify the initiating (actor) administrator by reviewing `user.email` or `user.name`, and note `@timestamp`.
41- Identify the application added by reviewing `google_workspace.admin.application.name` and related application metadata in the raw event.
42- Determine whether the change is expected and authorized:
43 - Validate there is an approved change request or vendor onboarding record for the application.
44 - If the actor account is unusual, treat the alert as higher priority until proven benign.
45- Review Marketplace apps in the Google Admin console:
46 - Navigate to Apps > Google Workspace Marketplace apps.
47 - Confirm whether the application is allowed domain-wide or for specific organizational units, and review requested API scopes against least-privilege expectations.
48- Search Kibana for related admin and OAuth activity:
49 - Find other Marketplace changes by the same actor:
50 ```
51 data_stream.dataset: "google_workspace.admin" and user.email: "<ACTOR_EMAIL>" and event.action: ("ADD_APPLICATION" or "REMOVE_APPLICATION")
52 ```
53 - After the add, review OAuth authorizations that may indicate users or admins granting access to the app:
54 ```
55 data_stream.dataset: "google_workspace.token" and event.action: "authorize"
56 ```
57 - Scope for other security-weakening admin actions from the same `user.email` within the last 48 hours, such as Marketplace restriction changes, blocklist removals, or role assignments.
58
59### False positive analysis
60
61- Verify the application is an approved business tool with documented vendor risk review and scope justification.
62- New application rollouts during migrations or acquisitions can trigger this rule, validate timing against change windows.
63
64### Response and remediation
65
66- Initiate the incident response process based on triage findings.
67- If the add is not clearly authorized, remove or block the application under Google Workspace Marketplace apps while the investigation proceeds.
68- Revoke OAuth tokens for the application client if users have already authorized it (`Security` > Access and data control > API controls, or user token review in admin reports).
69- If the initiating admin account is suspected compromised, reset credentials, revoke active sessions, and review delegated admin roles assigned to that account.
70- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
71 - Identify the account role in the cloud environment.
72 - Assess the criticality of affected services and servers.
73 - Work with your IT team to identify and minimize the impact on users.
74 - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
75 - Identify any regulatory or legal ramifications related to this activity.
76- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
77- Review the permissions assigned to the implicated administrator to ensure that the least privilege principle is being followed.
78- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.
79- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
80- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
81
82## Setup
83
84The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
85
86### Important Information Regarding Google Workspace Event Lag Times
87- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
88- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
89- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
90- See the following references for further information:
91 - https://support.google.com/a/answer/7061566
92 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
93references = [
94 "https://support.google.com/a/answer/6328701?hl=en#",
95 "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
96 "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two",
97]
98risk_score = 47
99rule_id = "785a404b-75aa-4ffd-8be5-3334a5a544dd"
100severity = "medium"
101tags = [
102 "Domain: Cloud",
103 "Data Source: Google Workspace",
104 "Use Case: Configuration Audit",
105 "Tactic: Persistence",
106 "Resources: Investigation Guide",
107]
108timestamp_override = "event.ingested"
109type = "query"
110
111query = '''
112data_stream.dataset:google_workspace.admin and event.action:ADD_APPLICATION
113'''
114
115
116[[rule.threat]]
117framework = "MITRE ATT&CK"
118[[rule.threat.technique]]
119id = "T1098"
120name = "Account Manipulation"
121reference = "https://attack.mitre.org/techniques/T1098/"
122[[rule.threat.technique.subtechnique]]
123id = "T1098.001"
124name = "Additional Cloud Credentials"
125reference = "https://attack.mitre.org/techniques/T1098/001/"
126
127
128
129[rule.threat.tactic]
130id = "TA0003"
131name = "Persistence"
132reference = "https://attack.mitre.org/tactics/TA0003/"
133
134[rule.investigation_fields]
135field_names = [
136 "user.name",
137 "user.email",
138 "user.domain",
139 "event.action",
140 "google_workspace.admin.application.name",
141 "google_workspace.admin.application.enabled",
142]
Triage and analysis
Investigating Application Added to Google Workspace Domain
Google Workspace Marketplace applications can request OAuth scopes to read or modify tenant data. When an administrator adds an application at the domain level, users may be able to install or authorize it broadly, creating a durable third-party access path. Threat actors with admin rights may add an adversary-controlled app to maintain API-based persistence and access sensitive resources at scale.
This rule identifies when an administrator adds a Marketplace application via the ADD_APPLICATION event in the
google_workspace.admin data stream.
Possible investigation steps
- Identify the initiating (actor) administrator by reviewing
user.emailoruser.name, and note@timestamp. - Identify the application added by reviewing
google_workspace.admin.application.nameand related application metadata in the raw event. - Determine whether the change is expected and authorized:
- Validate there is an approved change request or vendor onboarding record for the application.
- If the actor account is unusual, treat the alert as higher priority until proven benign.
- Review Marketplace apps in the Google Admin console:
- Navigate to Apps > Google Workspace Marketplace apps.
- Confirm whether the application is allowed domain-wide or for specific organizational units, and review requested API scopes against least-privilege expectations.
- Search Kibana for related admin and OAuth activity:
- Find other Marketplace changes by the same actor:
1data_stream.dataset: "google_workspace.admin" and user.email: "<ACTOR_EMAIL>" and event.action: ("ADD_APPLICATION" or "REMOVE_APPLICATION") - After the add, review OAuth authorizations that may indicate users or admins granting access to the app:
1data_stream.dataset: "google_workspace.token" and event.action: "authorize" - Scope for other security-weakening admin actions from the same
user.emailwithin the last 48 hours, such as Marketplace restriction changes, blocklist removals, or role assignments.
- Find other Marketplace changes by the same actor:
False positive analysis
- Verify the application is an approved business tool with documented vendor risk review and scope justification.
- New application rollouts during migrations or acquisitions can trigger this rule, validate timing against change windows.
Response and remediation
- Initiate the incident response process based on triage findings.
- If the add is not clearly authorized, remove or block the application under Google Workspace Marketplace apps while the investigation proceeds.
- Revoke OAuth tokens for the application client if users have already authorized it (
Security> Access and data control > API controls, or user token review in admin reports). - If the initiating admin account is suspected compromised, reset credentials, revoke active sessions, and review delegated admin roles assigned to that account.
- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
- Identify the account role in the cloud environment.
- Assess the criticality of affected services and servers.
- Work with your IT team to identify and minimize the impact on users.
- Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
- Identify any regulatory or legal ramifications related to this activity.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
- Review the permissions assigned to the implicated administrator to ensure that the least privilege principle is being followed.
- Implement security best practices outlined by Google.
- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
Setup
The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
Important Information Regarding Google Workspace Event Lag Times
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. By default,
var.intervalis set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information:
References
Related rules
- Google Workspace 2SV Policy Disabled By User
- Google Workspace MFA Enforcement Disabled For Organization
- Google Workspace User Organizational Unit Changed
- Google Workspace Object Copied from External Drive with App Consent
- Domain Added to Google Workspace Trusted Domains