Data Sharing between GCP and Google Workspace was disabled

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

2 Days

Required Data

  • Requires:
    • Google Workspace Audit Logs

Detection Modules

Identity Threat Module

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

An identity has modified data sharing settings between GCP and Google Workspace.

Attacker's Goals

Adversaries may stop audit log events from being sent to remove evidence of their presence or hinder defenses.

Investigative actions

  • Check whether the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
  • Check whether Google Workspace audit log events were configured to be sent to Google Cloud.
  • Follow up on further actions taken by the account.

Variations

Data Sharing between GCP and Google Workspace was disabled by a suspicious identity

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An identity has modified data sharing settings between GCP and Google Workspace.

Attacker's Goals

Adversaries may stop audit log events from being sent to remove evidence of their presence or hinder defenses.

Investigative actions

  • Check whether the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
  • Check whether Google Workspace audit log events were configured to be sent to Google Cloud.
  • Follow up on further actions taken by the account.


Data Sharing between GCP and Google Workspace was disabled by a non Google Workspace administrative user

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An identity has modified data sharing settings between GCP and Google Workspace.

Attacker's Goals

Adversaries may stop audit log events from being sent to remove evidence of their presence or hinder defenses.

Investigative actions

  • Check whether the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
  • Check whether Google Workspace audit log events were configured to be sent to Google Cloud.
  • Follow up on further actions taken by the account.


Data Sharing between GCP and Google Workspace was disabled from an unusual ASN

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An identity has modified data sharing settings between GCP and Google Workspace.

Attacker's Goals

Adversaries may stop audit log events from being sent to remove evidence of their presence or hinder defenses.

Investigative actions

  • Check whether the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
  • Check whether Google Workspace audit log events were configured to be sent to Google Cloud.
  • Follow up on further actions taken by the account.
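A triage sketch covering the base alert and its three variations above, added here as an example and not Cortex XDR's own detection logic; the event field names, the setting identifier, the ASN baseline and the sample events are constructed assumptions, not the real Google Workspace audit schema:

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Field names are assumptions, not the real Workspace audit schema:
# is_admin = actor holds a Workspace admin role, asn = origin ASN of the request.
Event = namedtuple("Event", "ts actor is_admin asn setting new_value")
SETTING = "gcp_workspace_data_sharing"  # assumed setting identifier
BASE_NAME = "Data Sharing between GCP and Google Workspace was disabled"
# Constructed baseline: ASNs each actor was seen from in the 30-day training period.
BASELINE_ASNS = {"alice@example.com": {15169, 16509}, "bob@example.com": {15169}}
SUSPICIOUS_IDENTITIES = {"svc-legacy@example.com"}
DEDUP_WINDOW = timedelta(days=2)

def classify(ev):
    """Map one audit event to (alert name, severity), or None if out of scope.
    Variations are checked in order: suspicious identity, non-admin, unusual ASN."""
    if ev.setting != SETTING or ev.new_value != "disabled":
        return None
    if ev.actor in SUSPICIOUS_IDENTITIES:
        return BASE_NAME + " by a suspicious identity", "Low"
    if not ev.is_admin:
        return BASE_NAME + " by a non Google Workspace administrative user", "Low"
    if ev.asn not in BASELINE_ASNS.get(ev.actor, set()):
        return BASE_NAME + " from an unusual ASN", "Low"
    return BASE_NAME, "Informational"

def run(events):
    """Classify in time order, suppressing repeats of the same (actor, alert)
    inside the 2-day deduplication period."""
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        hit = classify(ev)
        if hit is None:
            continue
        key = (ev.actor, hit[0])
        if key in last_seen and ev.ts - last_seen[key] < DEDUP_WINDOW:
            continue
        last_seen[key] = ev.ts
        alerts.append((ev.actor,) + hit)
    return alerts

T0 = datetime(2024, 6, 1, 9, 0)  # constructed sample events follow
SAMPLE = [
    Event(T0, "alice@example.com", True, 15169, SETTING, "disabled"),
    Event(T0 + timedelta(hours=1), "alice@example.com", True, 15169, SETTING, "disabled"),
    Event(T0 + timedelta(days=1), "bob@example.com", True, 4134, SETTING, "disabled"),
    Event(T0 + timedelta(days=1, hours=2), "carol@example.com", False, 15169, SETTING, "disabled"),
    Event(T0 + timedelta(days=2), "svc-legacy@example.com", True, 15169, SETTING, "disabled"),
]
```

Running `run(SAMPLE)` yields four alerts: the second alice event is suppressed by the deduplication window, and the remaining three each land on a different Low-severity variation.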