A Google Workspace Role privilege was deleted

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-10-08
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

5 Days

Required Data

  • Requires:
    • Google Workspace Audit Logs

Detection Modules

Identity Threat Module

Detector Tags

ATT&CK Tactic

Impact (TA0040)

ATT&CK Technique

Account Access Removal (T1531)

Severity

Informational

Description

A privilege was removed from a Google Workspace Role, This could potentially affect the access to services and data in the organization.

Attacker's Goals

Gain access to sensitive data stored in the workspace. Gain elevated privileges in the workspace.

Investigative actions

  • Investigate who was assigned the deleted role privilege.
  • Verify if the role privilege was deleted intentionally.