---
title: Google Workspace user edited account recovery information
description: Datadog, the leading service for cloud-scale monitoring.
---

# Google Workspace user edited account recovery information

Classification: attack

Tactic: [TA0003-persistence](https://attack.mitre.org/tactics/TA0003)

Technique: [T1098-account-manipulation](https://attack.mitre.org/techniques/T1098)

## Goal{% #goal %}

Detect when a Google Workspace user edits account [recovery information](https://support.google.com/a/answer/3033063?hl=en&ref_topic=4388358&sjid=5874450613560815052-EU).

## Strategy{% #strategy %}

Monitor Google Workspace logs to detect when a user edits account recovery information. An attacker who has already gained initial access may update the user's recovery information to maintain access to the account.

**Notes:**

- This rule triggers with a `Low` severity when this activity originates from an anonymizing proxy.
- This rule triggers with a `High` severity when this activity originates from a Tor client.

## Triage and response{% #triage-and-response %}

1. Check for other signals and logs generated by the impacted user `{{@usr.email}}`, and look for deviations in the following properties:
   - Application
   - Device
   - Geolocation
   - IP address
1. Reach out to the user `{{@usr.email}}` to confirm if they recognize the activity.
1. If the activity is not legitimate, block the user from signing in and begin your Incident Response process.
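
The severity notes under Strategy and the first triage step can be sketched as code. This is an added example, not Datadog's rule or query: the flattened record fields, the `anonymizing_proxy` label and the sample logs are constructed assumptions, and the three `recovery_*_edit` names are the Google Workspace user accounts audit events for recovery changes.

```python
# Added example. Record fields and the "anonymizing_proxy" label are
# constructed assumptions, not Datadog's or Google Workspace's log schema.
RECOVERY_EVENTS = {"recovery_email_edit", "recovery_phone_edit",
                   "recovery_secret_qa_edit"}
TRIAGE_PROPERTIES = ("application", "device", "geolocation", "ip")

def severity(event):
    """Severity from the rule's Notes, keyed on the source IP's category."""
    categories = set(event["ip_categories"])
    if "tor" in categories:
        return "High"
    if "anonymizing_proxy" in categories:
        return "Low"
    return "unspecified"  # the page states no severity for other origins

def deviations(event, logs):
    """Triage properties whose value this user never showed before the edit."""
    prior = [rec for rec in logs if rec["email"] == event["email"]
             and rec["time"] < event["time"]]
    return {prop: event[prop] for prop in TRIAGE_PROPERTIES
            if event[prop] not in {rec[prop] for rec in prior}}

def triage(logs):
    """One finding per recovery-information edit, oldest first."""
    return [{"email": e["email"], "event": e["event"],
             "severity": severity(e), "deviations": deviations(e, logs)}
            for e in sorted(logs, key=lambda rec: rec["time"])
            if e["event"] in RECOVERY_EVENTS]

def make_log(time, email, event, device, geolocation, ip, ip_categories=()):
    """Build one flattened, constructed log record."""
    return {"time": time, "email": email, "event": event,
            "application": "Chrome", "device": device,
            "geolocation": geolocation, "ip": ip,
            "ip_categories": list(ip_categories)}

# Constructed sample data (documentation IP ranges, example.com users).
SAMPLE_LOGS = [
    make_log("2023-08-01T09:00:00Z", "alice@example.com", "login_success", "macOS", "FR", "192.0.2.10"),
    make_log("2023-08-02T09:05:00Z", "alice@example.com", "login_success", "macOS", "FR", "192.0.2.10"),
    make_log("2023-08-03T02:14:00Z", "alice@example.com", "recovery_phone_edit", "Linux", "NL", "203.0.113.7", ["tor"]),
    make_log("2023-08-01T10:00:00Z", "bob@example.com", "login_success", "Windows", "US", "198.51.100.5"),
    make_log("2023-08-04T11:30:00Z", "bob@example.com", "recovery_email_edit", "Windows", "US", "198.51.100.5"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

A user with no earlier records has every property reported as a deviation, because there is no baseline to compare against.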

## Changelog{% #changelog %}

- 17 August 2023 - Updated query to replace attribute `@threat_intel.results.subcategory:tor` with `@threat_intel.results.category:tor`.
