Google Workspace organizational unit was modified

Cortex XDR Analytics Alert Reference by Alert name

Product: Cortex XDR
Last date published: 2024-06-04
Category: Analytics Alert Reference
Order: Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

5 Days

Required Data

  • Requires:
    • Google Workspace Audit Logs

Detection Modules

Identity Threat Module

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Account Manipulation (T1098)

Severity

Informational

Description

A Google Workspace admin modified an organizational unit.

Attacker's Goals

Adversaries may change the organizational unit a user belongs to so that the account inherits permissions for applications and resources that were previously inaccessible.

Investigative actions

  • Check whether the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
  • Follow further actions done by the account.
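
The investigative actions above can be scripted against exported Google Workspace audit logs. The following is an added example, not Cortex XDR's detection logic: it assumes records in the Admin SDK Reports API activity layout, and the event-name list, the helper names (`act`, `triage`), the 24-hour windows and the sample records are all assumptions or constructed data.

```python
from datetime import datetime, timedelta

# OU-related Admin audit event names (assumed; confirm against your own logs).
OU_EVENTS = {"CREATE_ORG_UNIT", "REMOVE_ORG_UNIT", "MOVE_ORG_UNIT",
             "EDIT_ORG_UNIT_NAME", "MOVE_USER_TO_ORG_UNIT"}

def act(time, app, actor, ip, name, **params):
    """Build one constructed activity record in the Reports API layout."""
    return {"id": {"time": time, "applicationName": app},
            "actor": {"email": actor}, "ipAddress": ip,
            "events": [{"name": name, "parameters":
                        [{"name": k, "value": v} for k, v in params.items()]}]}

# Constructed sample data, not real logs.
SAMPLE = [
    act("2024-05-01T09:00:00Z", "login", "admin@example.com", "198.51.100.10", "login_success"),
    act("2024-05-10T10:00:00Z", "admin", "helpdesk@example.com", "198.51.100.20",
        "EDIT_ORG_UNIT_NAME", ORG_UNIT_NAME="/Sales"),
    act("2024-05-20T03:10:00Z", "login", "admin@example.com", "203.0.113.77", "login_success"),
    act("2024-05-20T03:12:00Z", "admin", "admin@example.com", "203.0.113.77",
        "MOVE_USER_TO_ORG_UNIT", USER_EMAIL="svc-backup@example.com",
        ORG_UNIT_NAME="/Contractors", NEW_VALUE="/IT-Admins"),
    act("2024-05-20T03:15:00Z", "admin", "admin@example.com", "203.0.113.77",
        "ASSIGN_ROLE", USER_EMAIL="svc-backup@example.com"),
]

def _ts(a):
    return datetime.fromisoformat(a["id"]["time"].replace("Z", "+00:00"))

def triage(activities, follow=timedelta(hours=24), baseline_gap=timedelta(hours=24)):
    """Per OU change: who did it, from a new IP or not, and what they did next."""
    acts, findings = sorted(activities, key=_ts), []
    for i, a in enumerate(acts):
        actor, ip = a["actor"]["email"], a.get("ipAddress")
        for ev in a["events"]:
            if a["id"]["applicationName"] != "admin" or ev["name"] not in OU_EVENTS:
                continue
            p = {x["name"]: x.get("value") for x in ev.get("parameters", [])}
            # Baseline: IPs this actor used well before the change (None = no history).
            prior = {b.get("ipAddress") for b in acts[:i]
                     if b["actor"]["email"] == actor and _ts(a) - _ts(b) > baseline_gap}
            findings.append({
                "time": a["id"]["time"], "actor": actor, "event": ev["name"],
                "target": p.get("USER_EMAIL") or p.get("ORG_UNIT_NAME"),
                "new_ou": p.get("NEW_VALUE"),
                "ip_new_for_actor": (ip not in prior) if prior else None,
                "follow_on": [e["name"] for b in acts[i + 1:]
                              if b["actor"]["email"] == actor and _ts(b) - _ts(a) <= follow
                              for e in b["events"]],
            })
    return findings
```

A finding with `ip_new_for_actor` set to `True` and a non-empty `follow_on` list is the one to confirm with the account owner first.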