Google Workspace 2SV Policy Disabled

Last updated 2 months ago on 2024-09-23

Created 2 years ago on 2022-08-26

About

Google Workspace admins may setup 2-step verification (2SV) to add an extra layer of security to user accounts by asking users to verify their identity when they use login credentials. Admins have the ability to enforce 2SV from the admin console as well as the methods acceptable for verification and enrollment period. 2SV requires enablement on admin accounts prior to it being enabled for users within organization units. Adversaries may disable 2SV to lower the security requirements to access a valid account.

Tags

Domain: CloudData Source: Google WorkspaceUse Case: Configuration AuditTactic: Persistence

Severity

medium

Risk Score

MITRE ATT&CK™

Persistence (TA0003)(opens in a new tab or window)

↳ Modify Authentication Process (T1556)(opens in a new tab or window)

False Positive Examples

Administrators may remove 2-step verification (2SV) temporarily for testing or during maintenance. If 2SV was previously enabled, it is not common to disable this policy for extended periods of time.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Query (Kibana Query Language)
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-google_workspace*
Related Integrations: google_workspace(opens in a new tab or window)
Query

event.dataset:"google_workspace.login" and event.action:"2sv_disable"

Install detection rules in Elastic Security

Detect Google Workspace 2SV Policy Disabled in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).