Create gworkspace_granted_domain_api_access.yml
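--- a/gworkspace_granted_domain_api_access.yml
+++ b/gworkspace_granted_domain_api_access.yml
@@ -0,0 +1,23 @@
+title: Google Workspace Granted Domain API Access
+id: 04e2a23a-9b29-4a5c-be3a-3542e3f982ba
+description: Detects when an API access service account is granted domain authority.
+author: Austin Songer
+status: experimental
+date: 2021/08/23
+references:
+- https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
+- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#AUTHORIZE_API_CLIENT_ACCESS
+logsource:
+service: google_workspace.admin
+detection:
+selection:
+eventService: admin.googleapis.com
+eventName: AUTHORIZE_API_CLIENT_ACCESS
+condition: selection
+level: medium
+tags:
+- attack.persistence
+- atack.t1098
+falsepositives:
+- Unknown
+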
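Review bot: The second entry under `tags:` is misspelled as `atack.t1098`, so tooling that maps rules to ATT&CK by the `attack.` namespace will not associate this rule with T1098; it should read `- attack.t1098`. `falsepositives` lists only `Unknown`, although an administrator deliberately authorising a client for domain-wide delegation raises the same event, so I would name that case, e.g. `- Legitimate domain-wide delegation granted by a Workspace administrator`, which tells analysts to compare the authorised client and its scopes against an approved list. The `logsource` block sets `service` alone; if the backend field mappings also key on a product, the rule may need a `product:` entry, which is worth confirming against the other Google Workspace rules in the repository.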