Google Workspace user edited account recovery information
Set up the gsuite integration.
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect when a Google Workspace user edits account recovery information.
Strategy
Monitor Google Workspace logs to detect when a user edits account recovery information. An attacker who has already gained initial access may update the user’s recovery information to maintain access to the account.
Notes:
- This rule triggers with a
Low
severity when this activity originates from an anonymizing proxy. - This rule triggers with a
High
severity when this activity originates from a Tor client.
Triage and response
- Check for other signals and logs generated by the impacted user
{{@usr.email}}
, and look for deviations in the following properties:- Application
- Device
- Geolocation
- IP address
- Reach out to the user
{{@usr.email}}
to confirm if they recognize the activity. - If the activity is not legitimate, block the user from signing in and begin your Incident Response process.
Changelog
- 17 August 2023 - Updated query to replace attribute
@threat_intel.results.subcategory:tor
with @threat_intel.results.category:tor
.