
Google Workspace Password Policy Modified

Elastic Detection Rules

Summary
This detection rule identifies significant modifications to password policies within Google Workspace, which may indicate attempts by unauthorized users, such as threat actors, to weaken an organization's security posture. It specifically tracks changes to settings such as password complexity requirements, reset frequency, and reuse policies. Weakened settings of this kind can be exploited in credential access attacks like password spraying. The rule uses KQL to filter events from the Google Workspace admin dataset, flagging any change actions applied to critical password management settings. When an alert fires, security teams should investigate the account that made the changes, verify that account's intended privileges, assess the implications of the changes, and initiate mitigation strategies if malicious activity is suspected.
Categories
  • Cloud
  • Identity Management
  • Other
Data Sources
  • User Account
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1098
Created: 2020-11-17