Google Workspace user edited account recovery information

Set up the gsuite integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a Google Workspace user edits account recovery information.

Strategy

Monitor Google Workspace logs to detect when a user edits account recovery information. An attacker who has already gained initial access may update the user’s recovery information to maintain access to the account.

Notes:

  • This rule triggers with a Low severity when this activity originates from an anonymizing proxy.
  • This rule triggers with a High severity when this activity originates from a Tor client.

Triage and response

  1. Check for other signals and logs generated by the impacted user {{@usr.email}}, and look for deviations in the following properties:
    • Application
    • Device
    • Geolocation
    • IP address
  2. Reach out to the user {{@usr.email}} to confirm if they recognize the activity.
  3. If the activity is not legitimate, block the user from signing in and begin your Incident Response process.

Changelog

  • 17 August 2023 - Updated query to replace attribute @threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.
PREVIEWING: rtrieu/product-analytics-ui-changes