Chrome OS Remote Access policy was modified in Google Workspace

Cortex XDR Analytics Alert Reference by Alert name
Product
Cortex XDR
Last date published
2026-06-15
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • Google Workspace Audit Logs

Detection Modules

Identity Threat Module

Detector Tags

Google Workspace

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

A user modified Chrome OS Remote Access configuration in Google Workspace.

Attacker's Goals

Adversaries may modify remote access settings to maintain persistent access and bypass security controls.

Investigative actions

  • Verify if the configuration change was authorized.
  • Investigate the source IP address and account involved for malicious activity.
  • Follow further actions performed by the account and Remote Access connections performed.

Variations

Suspicious Chrome OS Remote Access policy was modified in Google Workspace

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

  • This is the first time the user performs this operation in the last 30 days.

Attacker's Goals

Adversaries may modify remote access settings to maintain persistent access and bypass security controls.

Investigative actions

  • Verify if the configuration change was authorized.
  • Investigate the source IP address and account involved for malicious activity.
  • Follow further actions performed by the account and Remote Access connections performed.