---
title: >-
  Google Workspace administrator has disabled 2-step verification for
  organizational unit
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Google Workspace administrator has
  disabled 2-step verification for organizational unit
---

# Google Workspace administrator has disabled 2-step verification for organizational unit
Classification:attackTactic:[TA0003-persistence](https://attack.mitre.org/tactics/TA0003)Technique:[T1556-modify-authentication-process](https://attack.mitre.org/techniques/T1556) 
## Goal{% #goal %}

Detect when a Google Workspace administrator disables [2-step verification](https://support.google.com/a/answer/175197?hl=en&sjid=9379503525844318549-EU&visit_id=638187893511308166-3630995424&ref_topic=2759193&rd=1) (2SV) for an organizational unit.

## Strategy{% #strategy %}

Monitor Google Workspace logs to detect when an administrator disables 2SV for an organizational unit. An attacker who has already gained initial access may disable 2SV to degrade organizational security controls.

## Triage and response{% #triage-and-response %}

1. Check for other signals and logs generated by the impacted user `{{@usr.email}}`, and look for deviations in the following properties:
   - Application
   - Device
   - Geolocation
   - IP address
1. Reach out to the user `{{@usr.email}}` to confirm if they recognize the activity.
1. If the activity is not legitimate, block the user from signing in and begin your Incident Response process.