Google Workspace User Organizational Unit Changed
editGoogle Workspace User Organizational Unit Changed
editUsers in Google Workspace are typically assigned a specific organizational unit that grants them permissions to certain services and roles that are inherited from this organizational unit. Adversaries may compromise a valid account and change which organizational account the user belongs to which then could allow them to inherit permissions to applications and resources inaccessible prior to.
Rule type: query
Rule indices:
- filebeat-*
- logs-google_workspace*
Severity: low
Risk score: 21
Runs every: 10 minutes
Searches indices from: now-130m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Cloud
- Google Workspace
- Continuous Monitoring
- SecOps
- Configuration Audit
- Persistence
Version: 2 (version history)
Added (Elastic Stack release): 8.5.0
Last modified (Elastic Stack release): 8.6.0
Rule authors: Elastic
Rule license: Elastic License v2
Potential false positives
editGoogle Workspace administrators may adjust change which organizational unit a user belongs to as a result of internal role adjustments.
Investigation guide
edit### Important Information Regarding Google Workspace Event Lag Times - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. - This rule is configured to run every 10 minutes with a lookback time of 130 minutes. - To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html
Rule query
editevent.dataset:"google_workspace.admin" and event.type:change and event.category:iam and google_workspace.event.type:"USER_SETTINGS" and event.action:"MOVE_USER_TO_ORG_UNIT"
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Account Manipulation
- ID: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/
Rule version history
edit- Version 2 (8.6.0 release)
-
- Formatting only