google workspace administrators may renew a suspended user account if the user is expected to continue employment at the organization after temporary leave. suspended user accounts are typically used by administrators to remove access to the user while actions is taken to transfer important documents and roles to other users, prior to deleting the user account and removing the license.

t1078
google_workspace
elastic

Techniques

T1078

Sample rules

Google Workspace Suspended User Account Renewed

source: elastic
technicques:
- T1078

Description

Detects when a previously suspended user’s account is renewed in Google Workspace. An adversary may renew a suspended user account to maintain access to the Google Workspace organization with a valid account.

Detection logic

event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER