Google Workspace Granted Domain API Access
Detects when an API access service account is granted domain authority.
Sigma rule (View on GitHub)
1title: Google Workspace Granted Domain API Access
2id: 04e2a23a-9b29-4a5c-be3a-3542e3f982ba
3status: test
4description: Detects when an API access service account is granted domain authority.
5references:
6 - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
7 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS
8author: Austin Songer
9date: 2021-08-23
10modified: 2023-10-11
11tags:
12 - attack.privilege-escalation
13 - attack.persistence
14 - attack.t1098
15logsource:
16 product: gcp
17 service: google_workspace.admin
18detection:
19 selection:
20 eventService: admin.googleapis.com
21 eventName: AUTHORIZE_API_CLIENT_ACCESS
22 condition: selection
23falsepositives:
24 - Unknown
25
26level: medium
References
-
This document provides a conceptual overview of the audit logs that Google Workspace provides as a part of Cloud Audit Logs. For information about managing your Google Workspace audit logs, see Vie...
Read More -
Admin Audit Activity Events - Domain Settings Stay organized with collections Save and categorize content based on your preferences. This document lists the events and parameters for Domain Setting...
Read More
Related rules
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted
- AWS IAM Backdoor Users Keys