
Google Workspace Application Access Level Modified

Detects when an access level is changed for a Google Workspace application. Access levels are part of BeyondCorp Enterprise, Google Workspace's mechanism for enforcing a Zero Trust model. An adversary who can remove or weaken access levels gains easier access to Google Workspace resources.

Author: Bryan Lim · Created: Fri Jan 12 · Rule ID: 22f2fb54-5312-435d-852f-7c74f81684ca · cloud
Log Source
Product: Google Cloud (raw: gcp)
Service: google_workspace.admin (raw: google_workspace.admin)
Detection Logic (1 selector)
detection:
    selection:
        eventService: 'admin.googleapis.com'
        eventName: 'CHANGE_APPLICATION_SETTING'
        setting_name|startswith: 'ContextAwareAccess'
    condition: selection
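As an added example that is not part of the rule or of the Sigma project, the selection above evaluated in Python against constructed admin audit events. The flat field names (eventService, eventName, setting_name) are the rule's own; the sample event dictionaries are made up, and how those fields map onto a real backend schema is an assumption left to the backend.

```python
# Added example: evaluate the rule's selection against constructed
# Google Workspace admin audit events. Field names are the rule's own;
# mapping them onto a real backend schema is the backend's job.

SELECTION = {
    "eventService": "admin.googleapis.com",
    "eventName": "CHANGE_APPLICATION_SETTING",
    "setting_name|startswith": "ContextAwareAccess",
}


def field_matches(value, expected: str, modifier: str) -> bool:
    """One Sigma field test. Sigma string matching is case-insensitive."""
    actual = str(value).lower()
    expected = expected.lower()
    if modifier == "":
        return actual == expected
    if modifier == "startswith":
        return actual.startswith(expected)
    raise ValueError(f"unsupported modifier: {modifier}")


def matches(event: dict, selection: dict = SELECTION) -> bool:
    """All fields in a selection map must match (implicit AND)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event or not field_matches(event[field], expected, modifier):
            return False
    return True


# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    {"id": 1, "actor": "admin@example.test", "eventService": "admin.googleapis.com",
     "eventName": "CHANGE_APPLICATION_SETTING",
     "setting_name": "ContextAwareAccessLevels", "new_value": ""},
    {"id": 2, "actor": "admin@example.test", "eventService": "admin.googleapis.com",
     "eventName": "CHANGE_APPLICATION_SETTING",
     "setting_name": "SomeOtherSetting", "new_value": "on"},
    {"id": 3, "actor": "user@example.test", "eventService": "login.googleapis.com",
     "eventName": "login_success"},
    {"id": 4, "actor": "admin@example.test", "eventService": "ADMIN.googleapis.com",
     "eventName": "change_application_setting",
     "setting_name": "contextawareaccess_policy", "new_value": ""},
]


def run_rule(events):
    """Return the ids of events the selection fires on."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))  # [1, 4]
```

Event 4 fires despite its different letter case because Sigma matching is case-insensitive by default; a backend that compiles the rule into a case-sensitive query would miss it.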
False Positives

Legitimate administrative activities changing the access levels for an application

Rule Metadata
Rule ID
22f2fb54-5312-435d-852f-7c74f81684ca
Status
test
Level
medium
Type
Detection
Created
Fri Jan 12
Author
Bryan Lim
Path
rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml
Raw Tags
attack.persistence, attack.privilege-escalation, attack.t1098.003