LoFP: User group access may be modified by an administrator to allow external access for community purposes. Doing so for a user group that has access to sensitive information or operational resources should be monitored closely.

Techniques

Sample rules

Google Workspace User Group Access Modified to Allow External Access

Description

User groups in Google Workspace are created to help manage users' permissions and access to various resources and applications. The security label is applied to a group only when its members are expected to access sensitive data or resources, so administrators add this label to manage security groups more easily. Adversaries with administrator access may modify a security group to allow external access by members from outside the organization. This detection does not capture every modification to security groups, only those that could increase the risk associated with them. Note that the query below does not filter on the security label itself: it fires on qualifying setting changes to any group, and the label is a triage cue for deciding how closely to follow up.

Detection logic

event.dataset:"google_workspace.admin" and event.action:"CHANGE_GROUP_SETTING" and event.category:"iam"
    and ((google_workspace.admin.setting.name:"ALLOW_EXTERNAL_MEMBERS" and google_workspace.admin.new_value:"true")
        or (google_workspace.admin.setting.name:"WHO_CAN_JOIN" and not (google_workspace.admin.new_value:"INVITED_CAN_JOIN"
            or google_workspace.admin.new_value:"CAN_REQUEST_TO_JOIN")))
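To see what the query above actually fires on, here is the same logic re-implemented as a Python predicate and run over a handful of constructed admin-audit events. This is an added example, not Elastic's rule code or anything from the Google Workspace integration; the `kql_eq`, `get_field`, `rule_matches`, `alerts` and `make_event` names are mine, the sample events are made up, and `google_workspace.admin.group.email` is assumed to be the field carrying the group address. It deliberately reproduces two KQL behaviours worth knowing: `event.category` is an array, so `"iam"` matches if it is any element, and `not (a or b)` is a must_not clause, so a WHO_CAN_JOIN change with no recorded `new_value` still matches.

```python
"""Added example (not Elastic's or Google's code): the KQL detection logic
above re-implemented as a Python predicate and run over constructed
Google Workspace admin events laid out with the ECS field names the rule uses."""
from typing import Any

# new_value settings the WHO_CAN_JOIN branch treats as acceptable; any other
# value (or no value at all, see rule_matches) fires the rule.
SAFE_WHO_CAN_JOIN = {"INVITED_CAN_JOIN", "CAN_REQUEST_TO_JOIN"}


def get_field(event: dict, path: str) -> Any:
    """Resolve a dotted ECS field name against a nested dict; None if absent."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def kql_eq(value: Any, expected: str) -> bool:
    """KQL `field:"x"`: true if the field equals x, or if x is one element of an
    array-valued field (event.category is an array in ECS)."""
    if isinstance(value, list):
        return expected in value
    return value == expected


def rule_matches(event: dict) -> bool:
    """Evaluate the page's rule: CHANGE_GROUP_SETTING events that either enable
    ALLOW_EXTERNAL_MEMBERS or set WHO_CAN_JOIN to something looser than
    invitation- or request-based joining."""
    if not (kql_eq(get_field(event, "event.dataset"), "google_workspace.admin")
            and kql_eq(get_field(event, "event.action"), "CHANGE_GROUP_SETTING")
            and kql_eq(get_field(event, "event.category"), "iam")):
        return False
    setting = get_field(event, "google_workspace.admin.setting.name")
    new_value = get_field(event, "google_workspace.admin.new_value")
    if kql_eq(setting, "ALLOW_EXTERNAL_MEMBERS") and kql_eq(new_value, "true"):
        return True
    if kql_eq(setting, "WHO_CAN_JOIN"):
        # KQL `not (a or b)` compiles to a must_not clause: an event with no
        # new_value at all is not excluded, so it matches here too.
        return not any(kql_eq(new_value, v) for v in SAFE_WHO_CAN_JOIN)
    return False


def alerts(events: list) -> list:
    """Return (group, setting, new_value) for every event the rule fires on.
    google_workspace.admin.group.email is assumed to carry the group address."""
    out = []
    for ev in events:
        if rule_matches(ev):
            out.append((get_field(ev, "google_workspace.admin.group.email"),
                        get_field(ev, "google_workspace.admin.setting.name"),
                        get_field(ev, "google_workspace.admin.new_value")))
    return out


def make_event(group: str, setting: str, new_value: Any,
               action: str = "CHANGE_GROUP_SETTING") -> dict:
    """Build a constructed admin-audit event in the shape the rule queries."""
    admin: dict = {"setting": {"name": setting}, "group": {"email": group}}
    if new_value is not None:
        admin["new_value"] = new_value
    return {
        "event": {"dataset": "google_workspace.admin", "action": action,
                  "category": ["iam", "configuration"]},
        "google_workspace": {"admin": admin},
    }


# Constructed sample events, not real audit data.
SAMPLE_EVENTS = [
    # security group opened to outside members: the case the rule is for
    make_event("finance-sec@example.com", "ALLOW_EXTERNAL_MEMBERS", "true"),
    # the documented false positive: a community group made joinable by anyone
    make_event("community@example.com", "WHO_CAN_JOIN", "ANYONE_CAN_JOIN"),
    # tightening or keeping join control does not fire
    make_event("eng@example.com", "WHO_CAN_JOIN", "INVITED_CAN_JOIN"),
    make_event("eng@example.com", "ALLOW_EXTERNAL_MEMBERS", "false"),
    # a different admin action carrying the same setting name is out of scope
    make_event("eng@example.com", "ALLOW_EXTERNAL_MEMBERS", "true", action="CREATE_GROUP"),
    # WHO_CAN_JOIN with no recorded new_value still fires (see rule_matches)
    make_event("ops@example.com", "WHO_CAN_JOIN", None),
]

if __name__ == "__main__":
    for group, setting, value in alerts(SAMPLE_EVENTS):
        print(f"ALERT {group}: {setting} -> {value}")
```

Running it produces three alerts: the finance security group, the community group (the false positive the LoFP entry describes, which an analyst would clear by confirming the group carries no security label and holds no sensitive resources), and the WHO_CAN_JOIN event with a missing value. If that last case turns out to be noisy in your environment, the fix is in the query rather than in triage, for example by also requiring `google_workspace.admin.new_value:*` in the WHO_CAN_JOIN branch.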