Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 2 Days |
| Required Data | |
| Detection Modules | Identity Threat Module |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
An identity added an OAuth app to the Google Workspace trusted OAuth apps list.
Attacker's Goals
Malicious OAuth apps can be used to request elevated permissions or to impersonate another user.
Investigative actions
- Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
- Check if the app that was added to the trusted apps list looks suspicious.
- Review subsequent actions performed by the account.
Variations
- An unusual app was added to the Google Workspace trusted OAuth apps list
- An app was added to the Google Workspace trusted OAuth apps list by a non-administrative identity