LoFP / google_workspace

google_workspace rule

a user legitimately enrolling a new personal or corporate device (new laptop, replacement phone, byod enrollment). validate by confirming the device registration timing aligns with a known device refresh, IT hardware ticket, or onboarding event.
a user may generate a shared access link to encryption key files to share with others. it is unlikely that the intended recipient is an external or anonymous user.
a user simultaneously enrolling multiple workspace-aware apps on a new device (e.g., first-time setup of gmail, drive, calendar, and meet on a new laptop in a short window) may produce three or more distinct device ids in a minute. validate by checking whether the burst is tied to a fresh device or onboarding event.
administrators may add external users to groups to share files and communications with them, the intended recipient being the group they are added to. it is unlikely that an external user account would be added to an organization's group in cases where administrators should instead create a new user account.
administrators may create custom email routes in google workspace based on organizational policies, administrative preference or for security purposes regarding spam.
administrators may create drive data transfer requests during employee offboarding to preserve files for a manager or successor account.
administrators may remove 2-step verification (2sv) temporarily for testing or during maintenance. if 2sv was previously enabled, it is not common to disable this policy for extended periods of time.
administrators may temporarily disable bitlocker on managed devices for maintenance, testing, or to resolve potential endpoint conflicts.
applications can be added and removed from blocklists by google workspace administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
applications can be added to a google workspace domain by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
bulk device enrollment campaigns (e.g., mdm rollout, fleet refresh) where many users register the same new device type in a short window. consider suppressing during planned rollouts.
carrier-grade nat or load-balanced corporate egress that occasionally routes through alternate asns.
custom google workspace admin roles may be created by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
customer takeout exports may be created for legal hold, compliance, migration, or user-requested backups. verify the initiator, target user, and export scope are expected.
developers may leverage third-party applications for legitimate purposes in google workspace such as for administrative tasks.
domain-wide delegation of authority may be granted to service accounts by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
for additional tuning, severity exceptions for google_workspace.alert.metadata.severity can be added.
google workspace admin role assignments may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
google workspace admin roles may be deleted by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
google workspace admin roles may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
google workspace administrators may change which organizational unit a user belongs to as a result of internal role adjustments.
google workspace administrators may renew a suspended user account if the user is expected to continue employment at the organization after temporary leave. suspended user accounts are typically used by administrators to remove the user's access while action is taken to transfer important documents and roles to other users, prior to deleting the user account and removing the license.
google workspace users typically share drive resources with a shareable link whose parameters are edited to indicate whether it is viewable or editable by the intended recipient. it is uncommon for a user in an organization to manually copy a drive object from an external drive to their corporate drive. this may happen where users find a useful spreadsheet in a public drive, for example, and replicate it to their own drive. it is also uncommon for the copied object to execute a container-bound script, unless the user was intentionally aware of it and the object uses container-bound scripts to accomplish a legitimate task.
legitimate first-time use of a new network: isp change, new vpn provider, travel to a region using a different mobile carrier, new home office.
major os upgrades or workspace client refreshes that re-attest several apps concurrently may also produce a burst. cross-reference against the user's known device os transitions.
mfa policies may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
mfa settings may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
password policies may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
to tune this rule, add exceptions to exclude any google_workspace.alert.type or rule.name which should not trigger this rule.
trusted domains may be added by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
users on vpns, carrier nat, or cloud egress that map to flagged asns may match. legitimate bulk enrollment or scripted onboarding that uses the same oauth client can also produce the sequence. baseline `source.as.organization.name` and successful registration sources before adding exclusions.