Google Workspace Suspended User Account Renewed
editGoogle Workspace Suspended User Account Renewed
editDetects when a previously suspended user’s account is renewed in Google Workspace. An adversary may renew a suspended user account to maintain access to the Google Workspace organization with a valid account.
Rule type: query
Rule indices:
- filebeat-*
- logs-google_workspace*
Severity: low
Risk score: 21
Runs every: 10m
Searches indices from: now-130m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Data Source: Google Workspace
- Use Case: Identity and Access Audit
- Tactic: Initial Access
Version: 3
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editImportant Information Regarding Google Workspace Event Lag Times
- As per Google’s documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event’s occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google’s reporting API for new events.
-
By default,
var.intervalis set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information:
- https://support.google.com/a/answer/7061566
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html
Setup
editThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
Rule query
editevent.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
-
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
-
Sub-technique:
- Name: Cloud Accounts
- ID: T1078.004
- Reference URL: https://attack.mitre.org/techniques/T1078/004/