<  Back to rules search

Google Workspace accessed by Google

gsuite

Classification:

attack

Tactic:

Technique:

Set up the gsuite integration.

Goal

Create a signal when Google accesses your Google Workspace tenant using administrative tools.

Strategy

Monitor Google Workspace logs to detect ACCESS events, which are part of Google’s Access Transparency logs.

Triage and response

  1. Determine the scope of Google’s access activity, which can be found in the ACCESS event in the Google Workspace event log.
  2. Review which Google Workspace user (@event.parameters.OWNER_EMAIL) and resources (@event.parameters.RESOURCE_NAME) were accessed by Google.
  3. Investigate the resource(s) being accessed to determine if there is a legitimate reason it should be reviewed by Google.