Google Workspace MFA Disabled
Detects when multi-factor authentication (MFA) is disabled.
Sigma rule

```yaml
title: Google Workspace MFA Disabled
id: 780601d1-6376-4f2a-884e-b8d45599f78c
status: test
description: Detects when multi-factor authentication (MFA) is disabled.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION
author: Austin Songer
date: 2021-08-26
modified: 2023-10-11
tags:
    - attack.impact
logsource:
    product: gcp
    service: google_workspace.admin
detection:
    selection_base:
        eventService: admin.googleapis.com
        eventName:
            - ENFORCE_STRONG_AUTHENTICATION
            - ALLOW_STRONG_AUTHENTICATION
    selection_eventValue:
        new_value: 'false'
    condition: all of selection*
falsepositives:
    - MFA may be disabled and performed by a system administrator.
level: medium
```
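The rule's matching logic applied to sample events, as an added example that is not part of the original rule or the Sigma project. It shows that `all of selection*` requires both the event name and `new_value: 'false'` to match. The field names come from the rule; the events, their `id` labels and the `SOME_OTHER_SETTING` event name are constructed for illustration.

```python
# Added example: evaluates this rule's detection block against constructed events.
# Field names (eventService, eventName, new_value) are taken from the rule.
DETECTION = {
    "selection_base": {
        "eventService": "admin.googleapis.com",
        "eventName": ["ENFORCE_STRONG_AUTHENTICATION", "ALLOW_STRONG_AUTHENTICATION"],
    },
    "selection_eventValue": {"new_value": "false"},
}


def field_matches(event, field, expected):
    """A list of values is OR; values are compared as case-insensitive strings."""
    actual = event.get(field)
    if actual is None:
        return False
    candidates = expected if isinstance(expected, list) else [expected]
    return any(str(actual).lower() == str(c).lower() for c in candidates)


def selection_matches(event, selection):
    """Every field inside one selection must match (AND)."""
    return all(field_matches(event, f, v) for f, v in selection.items())


def rule_matches(event, detection=DETECTION):
    """condition 'all of selection*': every selection* block must match."""
    names = [n for n in detection if n.startswith("selection")]
    return all(selection_matches(event, detection[n]) for n in names)


ADMIN = "admin.googleapis.com"
# Constructed sample events (not real audit log records).
SAMPLE_EVENTS = [
    {"id": "enforce-off", "eventService": ADMIN, "eventName": "ENFORCE_STRONG_AUTHENTICATION", "new_value": "false"},
    {"id": "allow-off", "eventService": ADMIN, "eventName": "ALLOW_STRONG_AUTHENTICATION", "new_value": "false"},
    {"id": "enforce-on", "eventService": ADMIN, "eventName": "ENFORCE_STRONG_AUTHENTICATION", "new_value": "true"},
    {"id": "other-setting", "eventService": ADMIN, "eventName": "SOME_OTHER_SETTING", "new_value": "false"},
    {"id": "other-service", "eventService": "login.googleapis.com", "eventName": "ENFORCE_STRONG_AUTHENTICATION", "new_value": "false"},
    {"id": "no-value", "eventService": ADMIN, "eventName": "ALLOW_STRONG_AUTHENTICATION"},
]


def alerts(events):
    """Return the ids of the events that would raise this rule."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))
```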
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AWS EC2 Disable EBS Encryption
- AWS EFS Fileshare Modified or Deleted
- AWS EFS Fileshare Mount Modified or Deleted