
First Time Seen Google Workspace OAuth Login from Third-Party Application
Elastic Detection Rules
Summary
This detection rule identifies the first time a third-party application authenticates to Google Workspace via OAuth, an attack vector adversaries can exploit with compromised credentials. OAuth grants applications access to resources without exposing user credentials, but that same delegation is abusable. The rule monitors 'google_workspace.token' events with the 'authorize' action whose client IDs resemble third-party applications, and flags newly integrated applications as potential unauthorized access. False positives may arise from legitimate developer activity or updates to trusted applications, so maintaining a whitelist of known applications is recommended. When the rule fires, immediate remediation steps include revoking the access tokens, reviewing the affected user's activity, and tightening OAuth permission controls. The rule runs every 10 minutes and looks back over 130 minutes, giving timely visibility into potential breaches before they escalate while allowing for event lag in Google Workspace logs.
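As an added illustration (not Elastic's rule code), the first-seen logic described above run over a few constructed token events, including the whitelist and the history window that decide whether a client ID counts as new. The flattened ECS-style field names and the '.apps.googleusercontent.com' client-ID suffix are assumptions about the log layout.

```python
"""First-seen third-party OAuth client detection over Google Workspace token events.
Added example; field names and the client-ID suffix are assumptions, not Elastic's rule."""
import json
from datetime import datetime, timedelta

THIRD_PARTY_SUFFIX = ".apps.googleusercontent.com"  # assumed marker for third-party client IDs
ALLOWLIST = frozenset({"111-trusted.apps.googleusercontent.com"})  # constructed known-good app

# Constructed sample events (flattened NDJSON), not real Google Workspace logs.
SAMPLE_EVENTS = """
{"@timestamp":"2023-03-20T08:00:00Z","event.dataset":"google_workspace.token","event.action":"authorize","google_workspace.token.client.id":"111-trusted.apps.googleusercontent.com","google_workspace.actor.email":"alice@example.com"}
{"@timestamp":"2023-03-25T10:15:00Z","event.dataset":"google_workspace.token","event.action":"authorize","google_workspace.token.client.id":"222-crm.apps.googleusercontent.com","google_workspace.actor.email":"bob@example.com"}
{"@timestamp":"2023-03-30T09:00:00Z","event.dataset":"google_workspace.token","event.action":"authorize","google_workspace.token.client.id":"222-crm.apps.googleusercontent.com","google_workspace.actor.email":"carol@example.com"}
{"@timestamp":"2023-03-30T09:05:00Z","event.dataset":"google_workspace.token","event.action":"revoke","google_workspace.token.client.id":"333-unknown.apps.googleusercontent.com","google_workspace.actor.email":"dave@example.com"}
{"@timestamp":"2023-03-30T09:06:00Z","event.dataset":"google_workspace.token","event.action":"authorize","google_workspace.token.client.id":"333-unknown.apps.googleusercontent.com","google_workspace.actor.email":"dave@example.com"}
{"@timestamp":"2023-03-30T09:07:00Z","event.dataset":"google_workspace.login","event.action":"login_success","google_workspace.actor.email":"dave@example.com"}
{"@timestamp":"2023-04-15T12:00:00Z","event.dataset":"google_workspace.token","event.action":"authorize","google_workspace.token.client.id":"222-crm.apps.googleusercontent.com","google_workspace.actor.email":"eve@example.com"}
"""


def parse_events(ndjson: str) -> list:
    """Parse newline-delimited JSON into a list of flat event dicts."""
    return [json.loads(line) for line in ndjson.strip().splitlines() if line.strip()]


def is_third_party_authorize(ev: dict) -> bool:
    """Match the rule's event filter: token dataset, authorize action, third-party client ID."""
    return (ev.get("event.dataset") == "google_workspace.token"
            and ev.get("event.action") == "authorize"
            and ev.get("google_workspace.token.client.id", "").endswith(THIRD_PARTY_SUFFIX))


def first_seen_clients(events: list, allowlist=frozenset(), history=timedelta(days=7)) -> list:
    """Alert on client IDs not seen in the preceding `history` window (new-terms style).
    Allowlisted apps still update the seen-set but never alert."""
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not is_third_party_authorize(ev):
            continue
        client = ev["google_workspace.token.client.id"]
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        prev, last_seen[client] = last_seen.get(client), ts
        if client in allowlist:
            continue
        if prev is None or ts - prev > history:  # unseen, or unseen within the window
            alerts.append({"client_id": client, "actor": ev.get("google_workspace.actor.email"),
                           "first_seen": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in first_seen_clients(parse_events(SAMPLE_EVENTS), ALLOWLIST):
        print(alert)
```

The third '222-crm' authorization on 2023-04-15 alerts again because the client was last seen more than the 7-day history window earlier, which is the behaviour a first-seen rule exhibits when a dormant integration reappears.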
Categories
- Cloud
- Application
- Identity Management
Data Sources
- Cloud Service
- User Account
- Application Log
ATT&CK Techniques
- T1550
- T1550.001
- T1078
- T1078.004
Created: 2023-03-30