---
title: Google Workspace user has unenrolled from Advanced Protection
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Google Workspace user has unenrolled
  from Advanced Protection
---

# Google Workspace user has unenrolled from Advanced Protection
Classification:attackTactic:[TA0005-defense-evasion](https://attack.mitre.org/tactics/TA0005)Technique:[T1562-impair-defenses](https://attack.mitre.org/techniques/T1562) 
## Goal{% #goal %}

Detect when a Google Workspace user unenrolls from Google's [Advanced Protection](https://landing.google.com/advancedprotection/).

## Strategy{% #strategy %}

Monitor Google Workspace logs to detect when a user unenrolls from Google's Advanced Protection. An attacker who has already gained initial access may unenroll from Advanced Protection to degrade security controls.

## Triage and response{% #triage-and-response %}

1. Check for other signals and logs generated by the impacted user `{{@usr.email}}`, and look for deviations in the following properties:
   - Application
   - Device
   - Geolocation
   - IP address
1. Reach out to the user `{{@usr.email}}` to confirm if they recognize the activity.
1. If the activity is not legitimate, block the user from signing in and begin your Incident Response process.