Google Workspace Application Removed
Detects when an an application is removed from Google Workspace.
Sigma rule (View on GitHub)
1title: Google Workspace Application Removed
2id: ee2803f0-71c8-4831-b48b-a1fc57601ee4
3status: test
4description: Detects when an an application is removed from Google Workspace.
5references:
6 - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
7 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION
8 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST
9author: Austin Songer
10date: 2021/08/26
11modified: 2023/10/11
12tags:
13 - attack.impact
14logsource:
15 product: gcp
16 service: google_workspace.admin
17detection:
18 selection:
19 eventService: admin.googleapis.com
20 eventName:
21 - REMOVE_APPLICATION
22 - REMOVE_APPLICATION_FROM_WHITELIST
23 condition: selection
24falsepositives:
25 - Application being removed may be performed by a System Administrator.
26level: medium
References
-
This document provides a conceptual overview of the audit logs that Google Workspace provides as a part of Cloud Audit Logs. For information about managing your Google Workspace audit logs, see Vie...
Read More -
This document lists the events and parameters for Domain Settings Admin Audit activity events. You can retrieve these events by calling Activities.list() with applicationName=admin. Domain Settings...
Read More -
This document lists the events and parameters for Domain Settings Admin Audit activity events. You can retrieve these events by calling Activities.list() with applicationName=admin. Domain Settings...
Read More
Related rules
- AWS EC2 Disable EBS Encryption
- AWS EFS Fileshare Modified or Deleted
- AWS EFS Fileshare Mount Modified or Deleted
- AWS EKS Cluster Created or Deleted
- AWS ElastiCache Security Group Modified or Deleted