GWorkspace - User access has been changed

Back


Id	92fae638-5da8-11ec-bf63-0242ac130002
Rulename	GWorkspace - User access has been changed
Description	Detects user access change.
Severity	Low
Tactics	Persistence
Techniques	T1098
Required data connectors	GoogleWorkspaceReportsAPI
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Analytic Rules/GWorkspaceChangedUserAccess.yaml
Version	1.0.1
Arm template	92fae638-5da8-11ec-bf63-0242ac130002.json

KQL

GWorkspaceActivityReports
| where EventMessage has "change_user_access"
| extend AccountCustomEntity = ActorEmail

YAML

status: Available
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
query: |
  GWorkspaceActivityReports
  | where EventMessage has "change_user_access"
  | extend AccountCustomEntity = ActorEmail  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Analytic Rules/GWorkspaceChangedUserAccess.yaml
tactics:
- Persistence
triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
requiredDataConnectors:
- connectorId: GoogleWorkspaceReportsAPI
  dataTypes:
  - GWorkspaceActivityReports
kind: Scheduled
relevantTechniques:
- T1098
description: |
    'Detects user access change.'
name: GWorkspace - User access has been changed
version: 1.0.1
id: 92fae638-5da8-11ec-bf63-0242ac130002
severity: Low

ARM