Google Workspace User Organizational Unit Changed

Elastic Stack Serverless Security

Users in Google Workspace are typically assigned a specific organizational unit that grants them permissions to certain services and roles that are inherited from this organizational unit. Adversaries may compromise a valid account and change which organizational account the user belongs to which then could allow them to inherit permissions to applications and resources inaccessible prior to.

Rule type: query

Rule indices:

filebeat-*
logs-google_workspace*

Severity: low

Risk score: 21

Runs every: 10m

Searches indices from: now-130m (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://support.google.com/a/answer/6328701?hl=en#

Tags:

Elastic
Cloud
Google Workspace
Continuous Monitoring
SecOps
Configuration Audit
Persistence

Version: 2

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

Important Information Regarding Google Workspace Event Lag Times

As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
By default, var.interval is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
See the following references for further information:
- https://support.google.com/a/answer/7061566
- /beats/docs/reference/ingestion-tools/beats-filebeat/filebeat-module-google_workspace.md

Rule query

		event.dataset:"google_workspace.admin" and event.type:change and event.category:iam
    and google_workspace.event.type:"USER_SETTINGS" and event.action:"MOVE_USER_TO_ORG_UNIT"

Framework: MITRE ATT&CKTM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Account Manipulation
- ID: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/
Sub-technique:
- Name: Additional Cloud Roles
- ID: T1098.003
- Reference URL: https://attack.mitre.org/techniques/T1098/003/