Synopsis
Activation Period |
14 Days |
Training Period |
30 Days |
Test Period |
N/A (single event) |
Deduplication Period |
5 Days |
Required Data |
- Requires:
- Google Workspace Audit Logs
|
Detection Modules |
Identity Threat Module |
Detector Tags |
|
ATT&CK Tactic |
Command and Control (TA0011) |
ATT&CK Technique |
Remote Access Software (T1219) |
Severity |
Informational |
Description
An app was added to the Google Workspace Marketplace.
Attacker's Goals
An adversary may add a malicious application to an organization's Google Workspace domain to maintain a presence in their target's organization and steal data.
Investigative actions
- Check if the identity intended to perform this action, Or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
- Investigate the new app that was added to Google workspace Marketplace.
- Follow further actions done by the account.
Variations
An app was added to Google Marketplace by a non-administrative identity
Synopsis
Description
An app was added to the Google Workspace Marketplace.
Attacker's Goals
An adversary may add a malicious application to an organization's Google Workspace domain to maintain a presence in their target's organization and steal data.
Investigative actions
- Check if the identity intended to perform this action, Or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
- Investigate the new app that was added to Google workspace Marketplace.
- Follow further actions done by the account.
An app was added to Google Marketplace from an unusual ASN
Synopsis
Description
An app was added to the Google Workspace Marketplace.
Attacker's Goals
An adversary may add a malicious application to an organization's Google Workspace domain to maintain a presence in their target's organization and steal data.
Investigative actions
- Check if the identity intended to perform this action, Or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
- Investigate the new app that was added to Google workspace Marketplace.
- Follow further actions done by the account.
An unusual app was added to Google Marketplace
Synopsis
Description
An app was added to the Google Workspace Marketplace.
Attacker's Goals
An adversary may add a malicious application to an organization's Google Workspace domain to maintain a presence in their target's organization and steal data.
Investigative actions
- Check if the identity intended to perform this action, Or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
- Investigate the new app that was added to Google workspace Marketplace.
- Follow further actions done by the account.