Techniques
Sample rules
Google Workspace API Access Granted via Domain-Wide Delegation
- source: elastic
- techniques:
- T1098
Description
Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications access to the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target’s data.
Detection logic
event.dataset:google_workspace.admin
and event.provider:admin
and event.category:iam
and event.action:AUTHORIZE_API_CLIENT_ACCESS
and event.outcome:success
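
As an added example (not part of the Elastic rule or its tooling), the Python below evaluates the query above against constructed ECS-shaped events, matching a multi-valued field such as event.category when any element equals the term. The helper names, event IDs and every field value not taken from the query are assumptions made for the illustration.

```python
import re

# The rule's query, copied from the detection logic above.
RULE_QUERY = """
event.dataset:google_workspace.admin
and event.provider:admin
and event.category:iam
and event.action:AUTHORIZE_API_CLIENT_ACCESS
and event.outcome:success
"""

def parse_conjunction(query):
    """Split a pure 'field:value and field:value' query into (field, value) pairs."""
    return [tuple(t.split(":", 1)) for t in re.split(r"\s+and\s+", query.strip())]

def get_field(doc, dotted):
    """Resolve a dotted field name against a flat-keyed or nested document."""
    if dotted in doc:
        return doc[dotted]
    for part in dotted.split("."):
        doc = doc.get(part) if isinstance(doc, dict) else None
    return doc

def matches(doc, conditions):
    """Every term must equal the field, or one element of a multi-valued field."""
    for field, wanted in conditions:
        value = get_field(doc, field)
        if wanted not in (value if isinstance(value, list) else [value]):
            return False
    return True

def _event(eid, action, outcome):  # hypothetical helper building a constructed event
    return {"_id": eid, "event": {"dataset": "google_workspace.admin", "provider": "admin",
            "category": ["iam"], "action": action, "outcome": outcome}}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    _event("evt-1", "AUTHORIZE_API_CLIENT_ACCESS", "success"),   # nested, should alert
    {"_id": "evt-2", "event.dataset": "google_workspace.admin", "event.provider": "admin",
     "event.category": "iam", "event.action": "AUTHORIZE_API_CLIENT_ACCESS",
     "event.outcome": "success"},                                # flat keys, should alert
    _event("evt-3", "AUTHORIZE_API_CLIENT_ACCESS", "failure"),   # failed attempt
    _event("evt-4", "CREATE_USER", "success"),                   # unrelated admin action
]

def alerts(events=SAMPLE_EVENTS):
    """Return the IDs of events the rule would flag."""
    conditions = parse_conjunction(RULE_QUERY)
    return [e["_id"] for e in events if matches(e, conditions)]
```

Because the rule requires event.outcome:success, the failed authorization attempt (evt-3) does not alert.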