
Summary
This detection rule identifies when a GSuite Workspace Administrator has enabled password reuse in the security settings. Allowing password reuse could increase vulnerability to credential stuffing attacks, particularly if users reuse passwords across multiple services. The detection relies on GSuite activity event logs that record actions taken by administrators. Each log entry captures the admin actor's email, the time of the event, and the specifics of the change, including the old and new values of the password management setting. The security team should verify the intent behind the change to prevent unauthorized configuration adjustments that could compromise the organization's security posture. The rule also includes tests that distinguish an admin actually enabling password reuse from an admin making other, unrelated configuration changes.
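A sketch of the matching logic described above, run over constructed admin activity events. This is an added example, not the rule's own source; the event name, setting name, and parameter keys are assumptions about the log schema.

```python
# Added example, not the rule's own source. The event name, setting name and
# parameter keys below are assumptions about the admin audit log schema.
EVENT_NAME = "CHANGE_APPLICATION_SETTING"
SETTING_NAME = "Password Management - Enable password reuse"

def password_reuse_enabled(event):
    """True only when an admin-console event switches password reuse on."""
    if (event.get("id") or {}).get("applicationName") != "admin":
        return False
    params = event.get("parameters") or {}
    if event.get("name") != EVENT_NAME or params.get("SETTING_NAME") != SETTING_NAME:
        return False
    # Values arrive as strings; normalize case and whitespace before comparing.
    return str(params.get("NEW_VALUE", "")).strip().lower() == "true"

def alert_context(event):
    """Fields the summary says the log carries: actor, time, old/new value."""
    params = event.get("parameters") or {}
    return {
        "actor": (event.get("actor") or {}).get("email", "<unknown>"),
        "time": (event.get("id") or {}).get("time", "<unknown>"),
        "old_value": params.get("OLD_VALUE"),
        "new_value": params.get("NEW_VALUE"),
    }

def _event(app, name, setting, old, new):
    # Builds a constructed sample event (example.com addresses are made up).
    return {
        "id": {"applicationName": app, "time": "2022-12-14T10:00:00Z"},
        "actor": {"email": "admin@example.com"},
        "name": name,
        "parameters": {"SETTING_NAME": setting, "OLD_VALUE": old, "NEW_VALUE": new},
    }

SAMPLE_EVENTS = [
    _event("admin", EVENT_NAME, SETTING_NAME, "false", "true"),    # should alert
    _event("admin", EVENT_NAME, SETTING_NAME, "true", "false"),    # reuse disabled
    _event("admin", EVENT_NAME, "Some other setting", "false", "true"),  # unrelated
    _event("login", "login_success", None, None, None),            # not an admin event
]

def triage(events):
    """Return alert context for every event that enables password reuse."""
    return [alert_context(e) for e in events if password_reuse_enabled(e)]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The three non-matching samples mirror the negative tests the summary mentions: the setting being turned off, an unrelated setting change, and a non-admin event.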
Categories
- Cloud
- Identity Management
- Application
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1110
Created: 2022-12-14