Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 2 Days
Required Data | Requires: Google Workspace Audit Logs
Detection Modules | Identity Threat Module
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique |
Severity | Informational
Description
An identity has modified data sharing settings between GCP and Google Workspace.
Attacker's Goals
Adversaries may stop audit log events from being sent to remove evidence of their presence or hinder defenses.
Investigative actions
- Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
- Check whether Google Workspace audit log events were configured to be sent to Google Cloud.
- Follow further actions done by the account.
Variations
Data Sharing between GCP and Google Workspace was disabled by a suspicious identity
Synopsis
ATT&CK Tactic |
ATT&CK Technique |
Severity | Low
Description
An identity has modified data sharing settings between GCP and Google Workspace.
Attacker's Goals
Adversaries may stop audit log events from being sent to remove evidence of their presence or hinder defenses.
Investigative actions
- Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
- Check whether Google Workspace audit log events were configured to be sent to Google Cloud.
- Follow further actions done by the account.
Data Sharing between GCP and Google Workspace was disabled by a non Google Workspace administrative user
Synopsis
ATT&CK Tactic |
ATT&CK Technique |
Severity | Low
Description
An identity has modified data sharing settings between GCP and Google Workspace.
Attacker's Goals
Adversaries may stop audit log events from being sent to remove evidence of their presence or hinder defenses.
Investigative actions
- Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
- Check whether Google Workspace audit log events were configured to be sent to Google Cloud.
- Follow further actions done by the account.
Data Sharing between GCP and Google Workspace was disabled from an unusual ASN
Synopsis
ATT&CK Tactic |
ATT&CK Technique |
Severity | Low
Description
An identity has modified data sharing settings between GCP and Google Workspace.
Attacker's Goals
Adversaries may stop audit log events from being sent to remove evidence of their presence or hinder defenses.
Investigative actions
- Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
- Check whether Google Workspace audit log events were configured to be sent to Google Cloud.
- Follow further actions done by the account.
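The following added example (not the vendor's detection logic) sketches how the base alert, two of the variations above, and the 2-day deduplication period could be applied to audit events when reproducing this detection in your own pipeline. The "suspicious identity" variation is left out because the page does not define it. Assumptions: the event schema, the `DISABLE_EVENT` placeholder, the reading of the 30-day training period as a per-identity ASN baseline, and the order in which the variations are checked.

```python
from datetime import datetime, timedelta

TRAINING = timedelta(days=30)  # Training Period from the synopsis
DEDUP = timedelta(days=2)      # Deduplication Period from the synopsis
# Placeholder: the page does not name the audit event; substitute the real one.
DISABLE_EVENT = "<DATA_SHARING_DISABLED_EVENT>"

def triage(events):
    """Return (time, actor, severity, variation) per alert; hypothetical schema."""
    events = sorted(events, key=lambda e: e["time"])
    alerts, last_alert = [], {}
    for i, ev in enumerate(events):
        if ev["event"] != DISABLE_EVENT:
            continue
        prev = last_alert.get(ev["actor"])
        if prev is not None and ev["time"] - prev < DEDUP:
            continue  # this actor already alerted inside the dedup window
        # ASNs the actor used in the training window before this event;
        # an actor with no history is treated as coming from an unusual ASN.
        baseline = {e["asn"] for e in events[:i]
                    if e["actor"] == ev["actor"]
                    and ev["time"] - e["time"] <= TRAINING}
        if not ev["is_admin"]:
            sev, why = "Low", "non-admin user"
        elif ev["asn"] not in baseline:
            sev, why = "Low", "unusual ASN"
        else:
            sev, why = "Informational", "base"
        alerts.append((ev["time"], ev["actor"], sev, why))
        last_alert[ev["actor"]] = ev["time"]
    return alerts

T0 = datetime(2024, 1, 1)

def sample(day, actor, event, asn, is_admin):
    return {"time": T0 + timedelta(days=day), "actor": actor,
            "event": event, "asn": asn, "is_admin": is_admin}

# Constructed events; ASNs are from the documentation-reserved range.
SAMPLE = [
    sample(0, "admin@example.com", "LOGIN", 64500, True),
    sample(5, "admin@example.com", DISABLE_EVENT, 64500, True),
    sample(6, "admin@example.com", DISABLE_EVENT, 64501, True),   # deduplicated
    sample(10, "admin@example.com", DISABLE_EVENT, 64502, True),  # new ASN
    sample(12, "user@example.com", DISABLE_EVENT, 64500, False),  # non-admin
]
```

Calling `triage(SAMPLE)` yields three alerts: the day-6 event is suppressed by deduplication, and the day-10 and day-12 events are raised to Low.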