Google Workspace accessed by Google

gsuite

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1199-trusted-relationship

Set up the gsuite integration.

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Create a signal when Google accesses your Google Workspace tenant using administrative tools.

Strategy

Monitor Google Workspace logs to detect ACCESS events, which are part of Google’s Access Transparency logs.

Triage and response

  1. Determine the scope of Google’s access activity, which can be found in the ACCESS event in the Google Workspace event log.
  2. Review which Google Workspace user (@event.parameters.OWNER_EMAIL) and resources (@event.parameters.RESOURCE_NAME) were accessed by Google.
  3. Investigate the resource(s) being accessed to determine if there is a legitimate reason it should be reviewed by Google.