trusted domains may be added by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.

t1562
google_workspace
elastic

Techniques

T1562

Sample rules

Domain Added to Google Workspace Trusted Domains

source: elastic
technicques:
- T1562

Description

Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target’s organization with less restrictive security controls.

Detection logic

event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS