Administrators may remove 2-step verification (2SV) temporarily for testing or during maintenance. If 2SV was previously enabled, it is not common to disable this policy for extended periods of time.

Techniques

Sample rules

Google Workspace 2SV Policy Disabled

Description

Google Workspace admins may set up 2-step verification (2SV) to add an extra layer of security to user accounts by asking users to verify their identity when they use login credentials. Admins can enforce 2SV from the admin console and can also set the acceptable verification methods and the enrollment period. 2SV must be enabled on admin accounts before it is enabled for users within organizational units. Adversaries may disable 2SV to lower the security requirements to access a valid account.

Detection logic

event.dataset:"google_workspace.login" and event.action:"2sv_disable"
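
One way to apply the false-positive guidance above when triaging hits from this rule, as an added example that is not part of the original rule: pair each `2sv_disable` with the same user's next `2sv_enroll` and keep only the disables that stay open past a tolerance. The use of `2sv_enroll` in `event.action`, the `user.email` field, the 24-hour tolerance and the sample events are assumptions.

```python
from datetime import datetime, timedelta, timezone

DATASET = "google_workspace.login"
MAX_DISABLED = timedelta(hours=24)  # assumed tolerance for testing/maintenance

def _ev(ts, action, user):
    """Build a constructed, flattened ECS-style event (not real log data)."""
    return {"@timestamp": ts, "event.dataset": DATASET,
            "event.action": action, "user.email": user}

# Constructed sample: one short maintenance window, two extended disables,
# one disable that is still recent at evaluation time.
SAMPLE_EVENTS = [
    _ev("2024-03-01T09:00:00+00:00", "2sv_disable", "admin@example.com"),
    _ev("2024-03-01T11:30:00+00:00", "2sv_enroll", "admin@example.com"),
    _ev("2024-03-02T08:00:00+00:00", "2sv_disable", "bob@example.com"),
    _ev("2024-03-03T10:00:00+00:00", "2sv_disable", "carol@example.com"),
    _ev("2024-03-04T12:00:00+00:00", "login_success", "bob@example.com"),
    _ev("2024-03-05T08:00:00+00:00", "2sv_enroll", "bob@example.com"),
    _ev("2024-03-06T09:00:00+00:00", "2sv_disable", "dave@example.com"),
]

def _ts(event):
    return datetime.fromisoformat(event["@timestamp"])

def extended_2sv_disables(events, now, max_disabled=MAX_DISABLED):
    """Return (user, disabled_at, open_for) for disables left open too long."""
    open_since = {}  # user -> time of the earliest unanswered 2sv_disable
    findings = []
    relevant = [e for e in events if e.get("event.dataset") == DATASET]
    for event in sorted(relevant, key=_ts):
        user, action = event.get("user.email"), event.get("event.action")
        if action == "2sv_disable":
            open_since.setdefault(user, _ts(event))
        elif action == "2sv_enroll" and user in open_since:
            started = open_since.pop(user)
            if _ts(event) - started > max_disabled:
                findings.append((user, started, _ts(event) - started))
    # Disables never followed by a re-enrollment are measured up to `now`.
    for user, started in open_since.items():
        if now - started > max_disabled:
            findings.append((user, started, now - started))
    return sorted(findings, key=lambda f: f[1])

if __name__ == "__main__":
    now = datetime(2024, 3, 6, 10, 0, tzinfo=timezone.utc)
    for user, started, open_for in extended_2sv_disables(SAMPLE_EVENTS, now):
        print(f"{user}: 2SV disabled since {started.isoformat()} ({open_for})")
```

Disables that are re-enabled within the tolerance match the expected administrative pattern and drop out; the remainder are the ones worth an analyst's time.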