Google Marketplace restrictions were modified

Cortex XDR Analytics Alert Reference by Alert name

Product: Cortex XDR
Last date published: 2024-06-04
Category: Analytics Alert Reference
Order: Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

2 Days

Required Data

  • Requires:
    • Google Workspace Audit Logs

Detection Modules

Identity Threat Module

ATT&CK Tactic

Privilege Escalation (TA0004)

ATT&CK Technique

Domain or Tenant Policy Modification (T1484)

Severity

Informational

Description

An identity modified Google Marketplace restrictions.

Attacker's Goals

Malicious apps can be used to access the organization's Google data.

Investigative actions

  • Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
  • Check if the new settings look suspicious.
  • Review further actions performed by the account.

Variations

Google Marketplace restrictions were modified by a suspicious identity

Synopsis

ATT&CK Tactic

Privilege Escalation (TA0004)

ATT&CK Technique

Domain or Tenant Policy Modification (T1484)

Severity

Low

Description

An identity modified Google Marketplace restrictions.

Attacker's Goals

Malicious apps can be used to access the organization's Google data.

Investigative actions

  • Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
  • Check if the new settings look suspicious.
  • Review further actions performed by the account.


Google Marketplace restrictions were modified from an unusual ASN

Synopsis

ATT&CK Tactic

Privilege Escalation (TA0004)

ATT&CK Technique

Domain or Tenant Policy Modification (T1484)

Severity

Low

Description

An identity modified Google Marketplace restrictions.

Attacker's Goals

Malicious apps can be used to access the organization's Google data.

Investigative actions

  • Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
  • Check if the new settings look suspicious.
  • Review further actions performed by the account.


Google Marketplace restrictions were modified by a non Google Workspace administrative user

Synopsis

ATT&CK Tactic

Privilege Escalation (TA0004)

ATT&CK Technique

Domain or Tenant Policy Modification (T1484)

Severity

Informational

Description

An identity modified Google Marketplace restrictions.

Attacker's Goals

Malicious apps can be used to access the organization's Google data.

Investigative actions

  • Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
  • Check if the new settings look suspicious.
  • Review further actions performed by the account.