First Time Seen Google Workspace OAuth Login from Third-Party Application

Last updated 5 days ago on 2024-09-23

Created a year ago on 2023-03-30

About

Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges.

Tags

Domain: CloudData Source: Google WorkspaceTactic: Defense EvasionTactic: Initial Access

Severity

medium

Risk Score

MITRE ATT&CK™

Defense Evasion (TA0005)(opens in a new tab or window)

↳ Use Alternate Authentication Material (T1550)(opens in a new tab or window)

Initial Access (TA0001)(opens in a new tab or window)

↳ Valid Accounts (T1078)(opens in a new tab or window)

False Positive Examples

Developers may leverage third-party applications for legitimate purposes in Google Workspace such as for administrative tasks.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-google_workspace*
Related Integrations: google_workspace(opens in a new tab or window)
Query

event.dataset: "google_workspace.token" and event.action: "authorize" and
google_workspace.token.scope.data: *Login and google_workspace.token.client.id: *apps.googleusercontent.com

Install detection rules in Elastic Security

Detect First Time Seen Google Workspace OAuth Login from Third-Party Application in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).