External User Added to Google Workspace Group

Last updated 2 months ago on 2024-09-23

Created 2 years ago on 2023-02-16

About

Detects an external Google Workspace user account being added to an existing group. Adversaries may add external user accounts as a means to intercept shared files or emails with that specific group.

Tags

Domain: CloudData Source: Google WorkspaceUse Case: Identity and Access AuditTactic: Initial Access

Severity

medium

Risk Score

MITRE ATT&CK™

Initial Access (TA0001)(opens in a new tab or window)

↳ Valid Accounts (T1078)(opens in a new tab or window)

False Positive Examples

Administrators may add external users to groups to share files and communication with them via the intended recipient be the group they are added to. It is unlikely an external user account would be added to an organization's group where administrators should create a new user account.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Event Correlation Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-google_workspace*
Related Integrations: google_workspace(opens in a new tab or window)
Query

iam where event.dataset == "google_workspace.admin" and event.action == "ADD_GROUP_MEMBER" and
  not endsWith(user.target.email, user.target.group.domain)

Install detection rules in Elastic Security

Detect External User Added to Google Workspace Group in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).