Techniques
Sample rules
Google Workspace Application Access Level Modified
- source: sigma
- techniques:
  - t1098
  - t1098.003
Description
Detects when an access level is changed for a Google Workspace application. An access level is part of BeyondCorp Enterprise, which is Google Workspace's way of enforcing a Zero Trust model. An adversary would be able to remove access levels to gain easier access to Google Workspace resources.
Detection logic
condition: selection
selection:
  eventName: CHANGE_APPLICATION_SETTING
  eventService: admin.googleapis.com
  setting_name|startswith: ContextAwareAccess