LoFP / Administrators may add external users to groups to share files and communication with them, with the intended recipient being the group they are added to. It is unlikely an external user account would be added to an organization's group where administrators should create a new user account.

Techniques

Sample rules

External User Added to Google Workspace Group

Description

Detects an external Google Workspace user account being added to an existing group. Adversaries may add external user accounts as a means to intercept shared files or emails with that specific group.

Detection logic

iam where event.dataset == "google_workspace.admin" and event.action == "ADD_GROUP_MEMBER" and
  not endsWith(user.target.email, user.target.group.domain)
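
The following is an added example, not part of the original rule or of LoFP: it evaluates the same condition as the query above over constructed events, then separates hits that match the false positive described on this page from hits that need review. The flattened field layout, the sample addresses and the `APPROVED_EXTERNAL_DOMAINS` allow-list are assumptions made for illustration.

```python
# Hypothetical allow-list: external domains administrators are known to add
# to groups for legitimate sharing (the false positive this page describes).
APPROVED_EXTERNAL_DOMAINS = {"partner.example"}


def _event(email, group_domain, action="ADD_GROUP_MEMBER"):
    """Build a constructed event using the field names the query reads."""
    return {
        "event.category": "iam",
        "event.dataset": "google_workspace.admin",
        "event.action": action,
        "user.target.email": email,
        "user.target.group.domain": group_domain,
    }


# Constructed sample data, not real log lines.
SAMPLE_EVENTS = [
    _event("alice@corp.example", "corp.example"),    # internal member
    _event("bob@partner.example", "corp.example"),   # approved partner
    _event("carol@mail.test", "corp.example"),       # unknown external
    _event("dave@corp.example", "corp.example", "REMOVE_GROUP_MEMBER"),
]


def rule_matches(ev):
    """Same condition as the query: the added member's address does not
    end with the group's domain."""
    return (
        ev["event.category"] == "iam"
        and ev["event.dataset"] == "google_workspace.admin"
        and ev["event.action"] == "ADD_GROUP_MEMBER"
        and not ev["user.target.email"].endswith(ev["user.target.group.domain"])
    )


def member_domain(ev):
    """Domain part of the added member's address, lowercased."""
    return ev["user.target.email"].rsplit("@", 1)[-1].lower()


def triage(events):
    """Sort rule hits into expected (approved domain) and review."""
    result = {"expected": [], "review": []}
    for ev in events:
        if rule_matches(ev):
            approved = member_domain(ev) in APPROVED_EXTERNAL_DOMAINS
            result["expected" if approved else "review"].append(ev["user.target.email"])
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```
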