An app was added to the Google Workspace trusted OAuth apps list

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-18
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

2 Days

Required Data

  • Requires:
    • Google Workspace Audit Logs

Detection Modules

Identity Threat Module

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Modify Authentication Process (T1556)

Severity

Informational

Description

An identity added an OAuth app to the Google Workspace trusted OAuth apps list.

Attacker's Goals

Malicious OAuth apps can be used to request elevated permissions or to impersonate another user.

Investigative actions

  • Check whether the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
  • Check whether the app that was added to the trusted apps list looks suspicious.
  • Follow up on further actions performed by the account.

Variations

An unusual app was added to the Google Workspace trusted OAuth apps list

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Modify Authentication Process (T1556)

Severity

Low

Description

An identity added an OAuth app to the Google Workspace trusted OAuth apps list.

Attacker's Goals

Malicious OAuth apps can be used to request elevated permissions or to impersonate another user.

Investigative actions

  • Check whether the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
  • Check whether the app that was added to the trusted apps list looks suspicious.
  • Follow up on further actions performed by the account.

An app was added to the Google Workspace trusted OAuth apps list by a non-administrative identity

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Modify Authentication Process (T1556)

Severity

Low

Description

An identity added an OAuth app to the Google Workspace trusted OAuth apps list.

Attacker's Goals

Malicious OAuth apps can be used to request elevated permissions or to impersonate another user.

Investigative actions

  • Check whether the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
  • Check whether the app that was added to the trusted apps list looks suspicious.
  • Follow up on further actions performed by the account.
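As an added example (not Cortex XDR's own detection logic and not code from this reference), the toy below replays the base alert and the two variants described on this page over constructed Google Workspace admin audit events, applying the 30-day training period and 2-day deduplication period stated above; the event name ADD_TO_TRUSTED_OAUTH2_APPS, the record field names and all identities and app names are assumptions.

```python
"""Toy replay of this alert's base form and its two variants over constructed
Google Workspace admin audit events. Added example, not Cortex XDR logic."""
from datetime import datetime, timedelta

# Assumed admin-audit event name for adding a trusted OAuth app; verify it
# against your own Google Workspace log schema before relying on it.
TRUSTED_APP_EVENT = "ADD_TO_TRUSTED_OAUTH2_APPS"
TRAINING = timedelta(days=30)  # Training Period from the reference
DEDUP = timedelta(days=2)      # Deduplication Period from the reference
DAY_ZERO = datetime(2024, 1, 1)  # arbitrary start of the training window


def ev(day, actor, admin, app, event=TRUSTED_APP_EVENT):
    """Build one constructed audit record 'day' days after DAY_ZERO."""
    return {"ts": DAY_ZERO + timedelta(days=day), "actor": actor,
            "admin": admin, "app": app, "event": event}


# Constructed sample events (illustrative values only, not real data).
EVENTS = [
    ev(3,  "admin@example.com", True,  "crm-connector"),       # training
    ev(35, "admin@example.com", True,  "crm-connector"),       # base alert
    ev(36, "admin@example.com", True,  "crm-connector"),       # deduplicated
    ev(40, "admin@example.com", True,  None, "OTHER_EVENT"),   # ignored noise
    ev(40, "admin@example.com", True,  "mail-sync-helper"),    # unusual app
    ev(41, "alice@example.com", False, "crm-connector"),       # non-admin
]


def detect(events, training_start=DAY_ZERO):
    """Return (ts, actor, app, variant, severity) for each alert that fires."""
    baseline_apps, last_fired, alerts = set(), {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] != TRUSTED_APP_EVENT:
            continue
        if e["ts"] - training_start < TRAINING:
            baseline_apps.add(e["app"])  # learn routinely trusted apps
            continue
        key = (e["actor"], e["app"])
        if key in last_fired and e["ts"] - last_fired[key] < DEDUP:
            continue  # same identity/app pair inside the dedup window
        last_fired[key] = e["ts"]
        if e["app"] not in baseline_apps:
            variant, sev = "unusual app", "Low"
        elif not e["admin"]:
            variant, sev = "non-administrative identity", "Low"
        else:
            variant, sev = "base", "Informational"
        alerts.append((e["ts"], e["actor"], e["app"], variant, sev))
    return alerts
```

The single-event base alert fires once per identity/app pair within the deduplication window, while either variant raises the severity to Low, matching the three entries above.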