User groups in Google Workspace are created to help manage users permissions and access to various resources and applications. The security label is only applied to a group when users within that group are expected to access sensitive data and/or resources so administrators add this label to easily manage security groups better. Adversaries with administrator access may modify a security group to allow external access from members outside the organization. This detection does not capture all modifications to security groups, but only those that could increase the risks associated with them.
Similar to internal rule 157f0e02-0209-40de-a69a-0b2c205f0952
Target Ruleset
google_workspace
Target Rule Type
Custom (KQL or Lucene)
Tested ECS Version
No response
Query
event.dataset:"google_workspace.admin" and event.action:"CHANGE_GROUP_SETTING" and event.category:"iam" and
(
(google_workspace.admin.setting.name:"ALLOW_EXTERNAL_MEMBERS" and google_workspace.admin.new_value:"true") or
(
google_workspace.admin.setting.name:"WHO_CAN_JOIN" and not
(google_workspace.admin.new_value:"INVITED_CAN_JOIN" or google_workspace.admin.new_value:"CAN_REQUEST_TO_JOIN")
)
)
New fields required in ECS/data sources for this rule?
Description
User groups in Google Workspace are created to help manage users permissions and access to various resources and applications. The security label is only applied to a group when users within that group are expected to access sensitive data and/or resources so administrators add this label to easily manage security groups better. Adversaries with administrator access may modify a security group to allow external access from members outside the organization. This detection does not capture all modifications to security groups, but only those that could increase the risks associated with them.
Similar to internal rule 157f0e02-0209-40de-a69a-0b2c205f0952
Target Ruleset
google_workspace
Target Rule Type
Custom (KQL or Lucene)
Tested ECS Version
No response
Query
New fields required in ECS/data sources for this rule?
No response
Related issues or PRs
No response
References
No response
Redacted Example Data
No response