Google Workspace Application Access Level Modified
Detects when an access level is changed for a Google workspace application. An access level is part of BeyondCorp Enterprise which is Google Workspace's way of enforcing Zero Trust model. An adversary would be able to remove access levels to gain easier access to Google workspace resources.
Sigma rule (View on GitHub)
1title: Google Workspace Application Access Level Modified
2id: 22f2fb54-5312-435d-852f-7c74f81684ca
3status: test
4description: |
5 Detects when an access level is changed for a Google workspace application.
6 An access level is part of BeyondCorp Enterprise which is Google Workspace's way of enforcing Zero Trust model.
7 An adversary would be able to remove access levels to gain easier access to Google workspace resources.
8references:
9 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings
10 - https://support.google.com/a/answer/9261439
11author: Bryan Lim
12date: 2024-01-12
13tags:
14 - attack.persistence
15 - attack.privilege-escalation
16 - attack.t1098.003
17logsource:
18 product: gcp
19 service: google_workspace.admin
20detection:
21 selection:
22 eventService: 'admin.googleapis.com'
23 eventName: 'CHANGE_APPLICATION_SETTING'
24 setting_name|startswith: 'ContextAwareAccess'
25 condition: selection
26falsepositives:
27 - Legitimate administrative activities changing the access levels for an application
28level: medium
References
Related rules
- App Assigned To Azure RBAC/Microsoft Entra Role
- App Granted Privileged Delegated Or App Permissions
- User Added to an Administrator's Azure AD Role
- GCP Access Policy Deleted
- Suspicious Processes Spawned by Java.EXE