Google Workspace Granted Domain API Access
Detects when an API access service account is granted domain authority.
Sigma rule (View on GitHub)
1title: Google Workspace Granted Domain API Access
2id: 04e2a23a-9b29-4a5c-be3a-3542e3f982ba
3status: test
4description: Detects when an API access service account is granted domain authority.
5references:
6 - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
7 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS
8author: Austin Songer
9date: 2021/08/23
10modified: 2023/10/11
11tags:
12 - attack.persistence
13 - attack.t1098
14logsource:
15 product: gcp
16 service: google_workspace.admin
17detection:
18 selection:
19 eventService: admin.googleapis.com
20 eventName: AUTHORIZE_API_CLIENT_ACCESS
21 condition: selection
22falsepositives:
23 - Unknown
24
25level: medium
References
Related rules
- AWS IAM Backdoor Users Keys
- AWS Route 53 Domain Transfer Lock Disabled
- AWS Route 53 Domain Transferred to Another Account
- Change to Authentication Method
- Google Workspace User Granted Admin Privileges