Google Workspace user has unenrolled from Advanced Protection

Set up the gsuite integration.


Goal

Detect when a Google Workspace user unenrolls from Google’s Advanced Protection.

Strategy

Monitor Google Workspace logs to detect when a user unenrolls from Google’s Advanced Protection. An attacker who has already gained initial access may unenroll from Advanced Protection to degrade security controls.

Triage and response

  1. Check for other signals and logs generated by the impacted user {{@usr.email}}, and look for deviations in the following properties:
    • Application
    • Device
    • Geolocation
    • IP address
  2. Reach out to the user {{@usr.email}} to confirm whether they recognize the activity.
  3. If the activity is not legitimate, block the user from signing in and begin your Incident Response process.
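The detection and the first triage step, as an added example (not Datadog's rule logic or Google's code): scan Google Workspace user_accounts audit activity for the unenrollment event, then compare the IP address on that event with the addresses the same user was seen from earlier, which is the "look for deviations" check above. The event name `titanium_unenroll` is assumed to be the Reports API name for Advanced Protection unenrollment, and every record in the block is constructed sample data.

```python
"""Added example, not Datadog's rule logic or Google's code: find Advanced
Protection unenrollment events in Google Workspace user_accounts audit
activity and flag when the acting IP deviates from the user's earlier activity.

Assumptions: the Reports API event name "titanium_unenroll" is taken to be the
unenrollment event; every record below is constructed sample data."""
from collections import Counter

# Assumed Reports API (applicationName="user_accounts") event name for an
# Advanced Protection unenrollment.
UNENROLL_EVENT = "titanium_unenroll"

# Constructed sample records in the shape of Reports API activity items
# (only the fields this example reads are populated). A real run would pull
# these from activities().list(userKey="all", applicationName="user_accounts").
SAMPLE_ACTIVITIES = [
    {"id": {"time": "2024-05-01T08:02:11Z", "applicationName": "user_accounts"},
     "actor": {"email": "alice@example.com"}, "ipAddress": "203.0.113.10",
     "events": [{"name": "2sv_enroll"}]},
    {"id": {"time": "2024-05-02T09:15:40Z", "applicationName": "user_accounts"},
     "actor": {"email": "alice@example.com"}, "ipAddress": "203.0.113.10",
     "events": [{"name": "password_edit"}]},
    {"id": {"time": "2024-05-02T10:00:00Z", "applicationName": "user_accounts"},
     "actor": {"email": "bob@example.com"}, "ipAddress": "198.51.100.77",
     "events": [{"name": "recovery_email_edit"}]},
    {"id": {"time": "2024-05-03T02:41:09Z", "applicationName": "user_accounts"},
     "actor": {"email": "alice@example.com"}, "ipAddress": "198.51.100.77",
     "events": [{"name": UNENROLL_EVENT}]},
]


def find_unenrollments(activities):
    """Return one record per unenrollment event: who, when, and from which IP."""
    hits = []
    for act in activities:
        for ev in act.get("events", []):
            if ev.get("name") == UNENROLL_EVENT:
                hits.append({
                    "email": act["actor"]["email"],
                    "time": act["id"]["time"],
                    "ip": act.get("ipAddress"),
                })
    return hits


def baseline_ips(activities, email, before):
    """Count the IPs this user acted from strictly before the given timestamp.

    Timestamps are RFC 3339 UTC strings of identical shape, so plain string
    comparison orders them correctly."""
    seen = Counter()
    for act in activities:
        if (act["actor"]["email"] == email
                and act["id"]["time"] < before
                and act.get("ipAddress")):
            seen[act["ipAddress"]] += 1
    return seen


def triage(activities):
    """Attach the user's known IPs and an IP-deviation flag to each finding."""
    findings = []
    for hit in find_unenrollments(activities):
        known = baseline_ips(activities, hit["email"], hit["time"])
        findings.append({
            **hit,
            "known_ips": sorted(known),
            "ip_deviation": hit["ip"] not in known,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_ACTIVITIES):
        print(finding)
```

The same comparison can be made against the device and application fields when the log source carries them; the IP baseline here is the minimal version of the triage step, and a deviation is a reason to contact the user, not proof of compromise on its own.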