MFA Disabled for Google Workspace

Cortex XDR Analytics Alert Reference by Alert name

Product: Cortex XDR
Last date published: 2024-06-04
Category: Analytics Alert Reference
Order: Alert name

Synopsis

Activation Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 5 Days
Required Data:
  • Requires:
    • Google Workspace Audit Logs
Detection Modules: Identity Threat Module
ATT&CK Tactic: Credential Access (TA0006)
ATT&CK Technique:
Severity: Low

Description

An administrator has disabled Multi-Factor Authentication for Google Workspace users.

Attacker's Goals

  • Gain access to Google Workspace accounts with disabled MFA.
  • Exploit Google Workspace accounts with weaker security.
  • Steal sensitive data from Google Workspace accounts.

Investigative actions

  • Check the MFA settings for the Google Workspace users.
  • Identify the users who have MFA disabled and investigate the reason for it.
  • Check the security log to see if there have been any suspicious activities in the account.

Variations

MFA Disabled for Google Workspace from an unusual caller IP ASN

Synopsis

ATT&CK Tactic: Credential Access (TA0006)
ATT&CK Technique:
Severity: Low

Description

An administrator has disabled Multi-Factor Authentication for Google Workspace users.

Attacker's Goals

  • Gain access to Google Workspace accounts with disabled MFA.
  • Exploit Google Workspace accounts with weaker security.
  • Steal sensitive data from Google Workspace accounts.

Investigative actions

  • Check the MFA settings for the Google Workspace users.
  • Identify the users who have MFA disabled and investigate the reason for it.
  • Check the security log to see if there have been any suspicious activities in the account.
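
The first two investigative actions listed for this alert and its variation, as an added example (not Cortex XDR or Palo Alto Networks code): it takes user records carrying the Admin SDK Directory API fields `isEnrolledIn2Sv`, `isEnforcedIn2Sv`, `isAdmin`, `suspended` and `lastLoginTime`, and ranks the accounts left without MFA. The sample accounts, the function names and the 14-day activity window are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the "users" array of an Admin SDK
# Directory API users.list response (only the fields used here).
SAMPLE_USERS = json.loads("""[
 {"primaryEmail": "alice@example.com", "isAdmin": true,  "isEnrolledIn2Sv": false,
  "isEnforcedIn2Sv": false, "suspended": false, "orgUnitPath": "/IT",
  "lastLoginTime": "2024-06-03T08:15:00.000Z"},
 {"primaryEmail": "bob@example.com",   "isAdmin": false, "isEnrolledIn2Sv": true,
  "isEnforcedIn2Sv": true,  "suspended": false, "orgUnitPath": "/Sales",
  "lastLoginTime": "2024-06-02T17:40:00.000Z"},
 {"primaryEmail": "carol@example.com", "isAdmin": false, "isEnrolledIn2Sv": false,
  "isEnforcedIn2Sv": false, "suspended": false, "orgUnitPath": "/Sales",
  "lastLoginTime": "2024-03-01T09:00:00.000Z"},
 {"primaryEmail": "dave@example.com",  "isAdmin": false, "isEnrolledIn2Sv": false,
  "isEnforcedIn2Sv": false, "suspended": true,  "orgUnitPath": "/Former",
  "lastLoginTime": "2023-11-20T12:00:00.000Z"},
 {"primaryEmail": "erin@example.com",  "isAdmin": false, "isEnrolledIn2Sv": true,
  "isEnforcedIn2Sv": false, "suspended": false, "orgUnitPath": "/Sales",
  "lastLoginTime": "2024-06-01T09:00:00.000Z"}
]""")

def users_without_mfa(users, now, active_days=14):
    """Return active accounts not enrolled in 2SV, most exposed first."""
    cutoff = now - timedelta(days=active_days)  # assumed activity window
    findings = []
    for u in users:
        if u.get("suspended") or u.get("isEnrolledIn2Sv"):
            continue  # suspended accounts cannot sign in; enrolled ones still use 2SV
        last = datetime.fromisoformat(u["lastLoginTime"].replace("Z", "+00:00"))
        findings.append({"user": u["primaryEmail"],
                         "org_unit": u.get("orgUnitPath", "/"),
                         "admin": bool(u.get("isAdmin")),
                         "recently_active": last >= cutoff})
    # Admins first, then recently used accounts, then by name for stable output.
    findings.sort(key=lambda f: (not f["admin"], not f["recently_active"], f["user"]))
    return findings

def org_units_not_enforcing(users):
    """Org units where 2SV enforcement is off for at least one active user."""
    return sorted({u.get("orgUnitPath", "/") for u in users
                   if not u.get("suspended") and not u.get("isEnforcedIn2Sv")})

if __name__ == "__main__":
    now = datetime(2024, 6, 4, tzinfo=timezone.utc)
    for finding in users_without_mfa(SAMPLE_USERS, now):
        print(finding)
    print(org_units_not_enforcing(SAMPLE_USERS))
```

An account that is enrolled but sits in an org unit where enforcement is off (erin@example.com in the sample) does not appear in the first list but does surface its org unit in the second, which is where to look for the reason the setting changed.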