Google Workspace administrators may change which organizational unit a user belongs to as a result of internal role adjustments.

Techniques

Sample rules

Google Workspace User Organizational Unit Changed

Description

Users in Google Workspace are typically assigned to a specific organizational unit, from which they inherit permissions to certain services and roles. Adversaries may compromise a valid account and change which organizational unit the user belongs to, which could then allow the user to inherit permissions to applications and resources that were previously inaccessible.

Detection logic

event.dataset:"google_workspace.admin" and event.type:change and event.category:iam
    and google_workspace.event.type:"USER_SETTINGS" and event.action:"MOVE_USER_TO_ORG_UNIT"
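
The query above, applied to a few constructed events so that each hit can be reviewed as "who moved whom, from which unit to which unit". This is an added example, not part of the original rule. The triage fields user.email, user.target.email, google_workspace.admin.org_unit.name and google_workspace.admin.new_value are assumptions about the event schema and do not appear in the query; all addresses and unit names are made up.

```python
# Added example: every event below is constructed, not real audit data.
RULE = {
    "event.dataset": "google_workspace.admin",
    "event.type": "change",
    "event.category": "iam",
    "google_workspace.event.type": "USER_SETTINGS",
    "event.action": "MOVE_USER_TO_ORG_UNIT",
}

def flatten(doc, prefix=""):
    """Turn nested JSON into the dotted field names the query addresses."""
    flat = {}
    for key, value in doc.items():
        if isinstance(value, dict):
            flat.update(flatten(value, prefix + key + "."))
        else:
            flat[prefix + key] = value
    return flat

def matches(doc):
    """True when every clause holds; a list-valued field matches on any element."""
    flat = flatten(doc)
    for field, wanted in RULE.items():
        value = flat.get(field)
        if wanted not in (value if isinstance(value, list) else [value]):
            return False
    return True

def triage(events):
    """(actor, target, previous unit, new unit) per hit; field names assumed."""
    keys = ("user.email", "user.target.email",
            "google_workspace.admin.org_unit.name", "google_workspace.admin.new_value")
    return [tuple(flatten(e).get(k) for k in keys) for e in events if matches(e)]

def sample(action, actor, target, old_ou, new_ou):
    """Build one constructed event with list-valued event.type and event.category."""
    return {
        "event": {"dataset": "google_workspace.admin", "type": ["user", "change"],
                  "category": ["iam"], "action": action},
        "google_workspace": {"event": {"type": "USER_SETTINGS"},
                             "admin": {"org_unit": {"name": old_ou}, "new_value": new_ou}},
        "user": {"email": actor, "target": {"email": target}},
    }

EVENTS = [
    sample("MOVE_USER_TO_ORG_UNIT", "hr-admin@example.com", "alice@example.com", "/Sales", "/Sales/Managers"),
    sample("MOVE_USER_TO_ORG_UNIT", "bob@example.com", "bob@example.com", "/Contractors", "/IT/Admins"),
    sample("CHANGE_PASSWORD", "hr-admin@example.com", "carol@example.com", "/Sales", None),
]
if __name__ == "__main__":
    print(*triage(EVENTS), sep="\n")
```

Both move events match the rule. Deciding whether a hit is the administrative change described at the top of this page or an unexpected one depends on the actor and the destination unit, which the rule itself does not evaluate.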