Techniques
Sample rules
First Time Seen Google Workspace OAuth Login from Third-Party Application
- source: elastic
- technicques:
- T1078
- T1550
Description
Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges.
Detection logic
event.dataset: "google_workspace.token" and event.action: "authorize" and
google_workspace.token.scope.data: *Login and google_workspace.token.client.id: *apps.googleusercontent.com