Synopsis
Activation Period |
14 Days |
Training Period |
30 Days |
Test Period |
N/A (single event) |
Deduplication Period |
5 Days |
Required Data |
|
Detection Modules |
Identity Threat Module |
Detector Tags |
|
ATT&CK Tactic |
|
ATT&CK Technique |
|
Severity |
Informational |
Description
A Google Workspace admin modified an organizational unit.
Attacker's Goals
Adversaries may change the organizational unit the user belongs to, so they could inherit permissions for applications and resources that were inaccessible before.
Investigative actions
- Check if the identity intended to perform this action, Or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
- Follow further actions done by the account.