---
title: Google Workspace user disabled 2-step verification
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Google Workspace user disabled 2-step
  verification
---

# Google Workspace user disabled 2-step verification
Classification:attackTactic:[TA0003-persistence](https://attack.mitre.org/tactics/TA0003)Technique:[T1556-modify-authentication-process](https://attack.mitre.org/techniques/T1556) 
## Goal{% #goal %}

Detect when a Google Workspace user disables [2-step verification](https://support.google.com/accounts/answer/1064203?hl=en&co=GENIE.Platform%3DDesktop) (2SV).

## Strategy{% #strategy %}

Monitor Google Workspace logs to detect when a user disables 2SV. An attacker who has already gained initial access may disable 2SV to degrade organizational security controls.

## Triage and response{% #triage-and-response %}

1. Check for other signals and logs generated by the impacted user `{{@usr.email}}`, and look for deviations in the following properties:
   - Application
   - Device
   - Geolocation
   - IP address
1. Reach out to the user `{{@usr.email}}` to confirm if they recognize the activity.
1. If the activity is not legitimate, block the user from signing in and begin your Incident Response process.