Detection | medium | test

Google Workspace MFA Disabled

Detects when multi-factor authentication (MFA) is disabled.

Austin Songer | Created Thu Aug 26 | Updated Wed Oct 11 | 780601d1-6376-4f2a-884e-b8d45599f78c | cloud
Log Source
Google Cloud | google_workspace.admin
Product: Google Cloud (raw: gcp)
Service: google_workspace.admin (raw: google_workspace.admin)
Detection Logic (2 selectors)
detection:
    selection_base:
        eventService: admin.googleapis.com
        eventName:
            - ENFORCE_STRONG_AUTHENTICATION
            - ALLOW_STRONG_AUTHENTICATION
    selection_eventValue:
        new_value: 'false'
    condition: all of selection*
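
The matching semantics of the detection block above, as an added example that is not part of the rule or the Sigma project: fields inside a selection are ANDed, the values listed under eventName are ORed, and "all of selection*" requires both selections to match. The flat event layout, the "id" field, the string normalisation of new_value and all sample events are assumptions constructed for illustration.

```python
# Added example: the rule's two selections evaluated over constructed events.
RULE = {
    "selection_base": {
        "eventService": ["admin.googleapis.com"],
        "eventName": ["ENFORCE_STRONG_AUTHENTICATION",
                      "ALLOW_STRONG_AUTHENTICATION"],
    },
    "selection_eventValue": {"new_value": ["false"]},
}


def selection_matches(selection, event):
    """Fields in a selection are ANDed; values listed for a field are ORed.
    Plain Sigma string values compare case-insensitively."""
    for field, allowed in selection.items():
        if field not in event:
            return False
        # Assumption: values are normalised to strings, so a JSON boolean
        # false matches like the string 'false'. Real backends may differ.
        actual = str(event[field]).lower()
        if actual not in [v.lower() for v in allowed]:
            return False
    return True


def mfa_disabled(event):
    """condition: all of selection* -> every selection must match."""
    return all(selection_matches(s, event) for s in RULE.values())


def alerts(events):
    """Return the ids of the events that would raise this detection."""
    return [e["id"] for e in events if mfa_disabled(e)]


ADMIN = "admin.googleapis.com"
ENFORCE, ALLOW = RULE["selection_base"]["eventName"]
# Constructed sample events; the flat field layout is an assumption.
SAMPLE_EVENTS = [
    {"id": 1, "eventService": ADMIN, "eventName": ENFORCE, "new_value": "false"},
    {"id": 2, "eventService": ADMIN, "eventName": ALLOW, "new_value": "false"},
    {"id": 3, "eventService": ADMIN, "eventName": ENFORCE, "new_value": "true"},
    {"id": 4, "eventService": "other.example.invalid", "eventName": ENFORCE, "new_value": "false"},
    {"id": 5, "eventService": ADMIN, "eventName": "UNRELATED_SETTING", "new_value": "false"},
    {"id": 6, "eventService": ADMIN, "eventName": ALLOW, "new_value": False},
    {"id": 7, "eventService": ADMIN, "eventName": ENFORCE},
]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))
```

Events 3, 4, 5 and 7 fail one selection each (MFA being enabled, a different service, an unrelated event name, and a missing new_value field), which is why neither selection alone is enough to alert.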
False Positives

MFA may be legitimately disabled by a system administrator.

MITRE ATT&CK
Rule Metadata
Rule ID: 780601d1-6376-4f2a-884e-b8d45599f78c
Status: test
Level: medium
Type: Detection
Created: Thu Aug 26
Modified: Wed Oct 11
Path: rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml
Raw Tags: attack.impact