Domain Added to Google Workspace Trusted Domains

Last updated 24 days ago on 2026-06-02

Created 6 years ago on 2020-11-17

About

Detects when an administrator adds a domain to the Google Workspace allowlisted (trusted) domains list. Adversaries with administrative access may onboard a domain they control to relax cross-organization sharing restrictions, enabling data collection and exfiltration through Drive, Chat, and other services that honor the tenant trust boundary.

Tags

Domain: CloudData Source: Google WorkspaceUse Case: Configuration AuditTactic: Defense EvasionLanguage: kuery

Severity

high

Risk Score

MITRE ATT&CK™

Defense Evasion (TA0005)(external, opens in a new tab or window)

↳ Domain or Tenant Policy Modification (T1484)(external, opens in a new tab or window)

↳ Impair Defenses (T1562)(external, opens in a new tab or window)

False Positive Examples

Trusted domains may be added by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: Query (Kibana Query Language)
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-google_workspace.admin-*
Related Integrations: google_workspace(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗data_stream.dataset:google_workspace.admin and event.action:ADD_TRUSTED_DOMAINS

Install detection rules in Elastic Security

Detect Domain Added to Google Workspace Trusted Domains in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).