Google Workspace Application Access Level Modified

Detects when an access level is changed for a Google workspace application. An access level is part of BeyondCorp Enterprise which is Google Workspace's way of enforcing Zero Trust model. An adversary would be able to remove access levels to gain easier access to Google workspace resources.

Sigma rule (View on GitHub)

 1title: Google Workspace Application Access Level Modified
 2id: 22f2fb54-5312-435d-852f-7c74f81684ca
 3status: test
 4description: |
 5    Detects when an access level is changed for a Google workspace application.
 6    An access level is part of BeyondCorp Enterprise which is Google Workspace's way of enforcing Zero Trust model.
 7    An adversary would be able to remove access levels to gain easier access to Google workspace resources.    
 8references:
 9    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings
10    - https://support.google.com/a/answer/9261439
11author: Bryan Lim
12date: 2024-01-12
13tags:
14    - attack.persistence
15    - attack.privilege-escalation
16    - attack.t1098.003
17logsource:
18    product: gcp
19    service: google_workspace.admin
20detection:
21    selection:
22        eventService: 'admin.googleapis.com'
23        eventName: 'CHANGE_APPLICATION_SETTING'
24        setting_name|startswith: 'ContextAwareAccess'
25    condition: selection
26falsepositives:
27    - Legitimate administrative activities changing the access levels for an application
28level: medium

References

Related rules

to-top