Techniques
Sample rules
Google Workspace API Access Granted via Domain-Wide Delegation of Authority
- source: elastic
- techniques:
- T1098
Description
Detects when domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to allow third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target’s data.
Detection logic
event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS
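
The query above, applied to events offline in Python. This is an added example, not part of the Elastic rule; the helper names and the sample events are constructed for illustration, and it assumes documents arrive either as nested ECS objects or with flat dotted keys.

```python
# Field/value pairs taken from the rule's KQL query; all must match (AND).
RULE = {
    "event.dataset": "google_workspace.admin",
    "event.provider": "admin",
    "event.category": "iam",
    "event.action": "AUTHORIZE_API_CLIENT_ACCESS",
}

def get_field(doc, dotted):
    """Resolve a field stored as a flat dotted key or as nested objects."""
    if dotted in doc:
        return doc[dotted]
    node = doc
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None  # field absent
        node = node[part]
    return node

def matches(doc, rule=RULE):
    """True when every rule field equals the expected value. Array-valued
    fields (event.category is an array in ECS) match if any element is equal."""
    for field, expected in rule.items():
        value = get_field(doc, field)
        values = value if isinstance(value, list) else [value]
        if expected not in values:
            return False
    return True

# Constructed sample events (not real logs); the user name is a placeholder.
SAMPLE_EVENTS = [
    {"event": {"dataset": "google_workspace.admin", "provider": "admin",
               "category": ["iam"], "action": "AUTHORIZE_API_CLIENT_ACCESS"},
     "user": {"name": "admin@example.com"}},
    {"event.dataset": "google_workspace.admin", "event.provider": "admin",
     "event.category": ["iam", "configuration"],
     "event.action": "AUTHORIZE_API_CLIENT_ACCESS"},
    {"event": {"dataset": "google_workspace.admin", "provider": "admin",
               "category": ["iam"], "action": "CREATE_USER"}},
    {"event": {"dataset": "google_workspace.login", "provider": "login",
               "category": ["authentication"], "action": "login_success"}},
]

def alerts(events):
    """Return the indexes of events that the rule would flag."""
    return [i for i, e in enumerate(events) if matches(e)]
```

Only the first two sample events match: the third is an admin IAM event with a different action, and the fourth comes from a different dataset.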