IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Google Workspace Role Modified Google Workspace User Organizational Unit Changed »

› › ›

Google Workspace Suspended User Account Renewed

edit

Google Workspace Suspended User Account Renewed

edit

Detects when a previously suspended user’s account is renewed in Google Workspace. An adversary may renew a suspended user account to maintain access to the Google Workspace organization with a valid account.

Rule type: query

Rule indices:

filebeat-*
logs-google_workspace*

Severity: low

Risk score: 21

Runs every: 10m

Searches indices from: now-130m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Domain: Cloud
Data Source: Google Workspace
Use Case: Identity and Access Audit
Tactic: Initial Access

Version: 3

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Important Information Regarding Google Workspace Event Lag Times

As per Google’s documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event’s occurrence and the event being visible in the Google Workspace admin/audit logs.
This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google’s reporting API for new events.
By default, var.interval is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
See the following references for further information:
https://support.google.com/a/answer/7061566
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html

Setup

edit

The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

Rule query

edit

event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
Sub-technique:
- Name: Cloud Accounts
- ID: T1078.004
- Reference URL: https://attack.mitre.org/techniques/T1078/004/

« Google Workspace Role Modified Google Workspace User Organizational Unit Changed »