applications can be added to a google workspace domain by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.

google_workspace
elastic

Techniques

Sample rules

Application Added to Google Workspace Domain

source: elastic
technicques:

Description

Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization’s Google Workspace domain in order to maintain a presence in their target’s organization and steal data.

Detection logic

event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION