A third-party application was authorized to access the Google Workspace APIs

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

5 Days

Required Data

  • Requires:
    • Google Workspace Audit Logs

Detection Modules

Identity Threat Module

Detector Tags

ATT&CK Tactic

ATT&CK Technique

Valid Accounts (T1078)

Severity

Informational

Description

A domain administrator authorized a third-party application to access the Google Workspace APIs. This allows the application to interact with the domain user's data within the authorized scope, as specified in the API call.

Attacker's Goals

Gain access to Google Workspace data and services. Collect confidential information from Google Workspace. Compromise user accounts and data.

Investigative actions

  • Check which account was granted access to the Domain API.
  • Identify the source IP address of the request.
  • Verify the legitimacy of the request.