GWorkspace - User access has been changed

Back


Id	92fae638-5da8-11ec-bf63-0242ac130002
Rulename	GWorkspace - User access has been changed
Description	Detects user access change.
Severity	Low
Tactics	Persistence
Techniques	T1098
Required data connectors	GoogleWorkspaceReportsAPI
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Analytic Rules/GWorkspaceChangedUserAccess.yaml
Version	1.0.1
Arm template	92fae638-5da8-11ec-bf63-0242ac130002.json

KQL

GWorkspaceActivityReports
| where EventMessage has "change_user_access"
| extend AccountCustomEntity = ActorEmail

YAML

id: 92fae638-5da8-11ec-bf63-0242ac130002
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Analytic Rules/GWorkspaceChangedUserAccess.yaml
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
requiredDataConnectors:
- dataTypes:
  - GWorkspaceActivityReports
  connectorId: GoogleWorkspaceReportsAPI
queryFrequency: 1h
queryPeriod: 1h
status: Available
query: |
  GWorkspaceActivityReports
  | where EventMessage has "change_user_access"
  | extend AccountCustomEntity = ActorEmail  
name: GWorkspace - User access has been changed
kind: Scheduled
tactics:
- Persistence
severity: Low
relevantTechniques:
- T1098
triggerThreshold: 0
version: 1.0.1
description: |
    'Detects user access change.'

ARM