Google Workspace OAuth key performing account creation or security changes
Goal
Detects Google Workspace administrative actions, such as user creation, role assignment, admin privilege grants, user unsuspension, password changes or resets, and recovery contact or secret edits, when the caller is an OAuth client key.
Strategy
This rule monitors Google Workspace audit activity where @actor.callerType is KEY and @evt.name matches user security change events. Programmatic keys are expected for some automation; the same authentication path can perform sensitive identity and recovery changes without an interactive admin session.
Triage and response
- Examine @actor.key and map it to the OAuth client, Cloud project, or internal job that is authorized to call Admin SDK or Directory APIs.
- Review @network.client.ip, geolocation, and related session context when present, and compare the timestamp to deployment, provisioning, or maintenance windows for that integration.
- Identify affected users and resources from event parameters (for example, target user email, role, or group fields) and confirm each change against change tickets or identity governance records.
- Correlate other signals from the same @actor.key in the surrounding hours for breadth of impact across accounts, groups, or security settings.
- Validate that the client's granted scopes and Workspace admin roles still align with least privilege for the automation's documented purpose.
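The following is an added example, not the rule's own implementation: it replays the Strategy section's predicate (@actor.callerType is KEY and @evt.name is a user security change event) over constructed audit events, then groups the matches per @actor.key as the "correlate other signals from the same key" triage step suggests. The event-name set and the flattened attribute names are assumptions modelled on the page, not the rule's exact definition.

```python
# Added example (not Datadog's rule code): replays the rule's logic over
# constructed Google Workspace admin audit events flattened into the attribute
# names the page uses (@actor.callerType, @evt.name, @actor.key).
from collections import defaultdict

# Assumption: Admin audit event names treated as "user security change events";
# mirrors the page's description, not the rule's exact list.
SECURITY_CHANGE_EVENTS = {
    "CREATE_USER", "ASSIGN_ROLE", "GRANT_ADMIN_PRIVILEGE", "UNSUSPEND_USER",
    "CHANGE_PASSWORD", "CHANGE_RECOVERY_EMAIL", "CHANGE_RECOVERY_PHONE",
}

# Constructed sample events: an interactive admin, a provisioning key that also
# resets a password and grants admin rights, and a key doing unrelated work.
SAMPLE_EVENTS = [
    {"actor.callerType": "USER", "actor.email": "admin@example.com",
     "evt.name": "CREATE_USER", "target.user": "new.hire@example.com"},
    {"actor.callerType": "KEY", "actor.key": "hr-provisioning-client",
     "evt.name": "CREATE_USER", "target.user": "jdoe@example.com",
     "network.client.ip": "203.0.113.10"},
    {"actor.callerType": "KEY", "actor.key": "hr-provisioning-client",
     "evt.name": "CHANGE_PASSWORD", "target.user": "jdoe@example.com",
     "network.client.ip": "203.0.113.10"},
    {"actor.callerType": "KEY", "actor.key": "hr-provisioning-client",
     "evt.name": "GRANT_ADMIN_PRIVILEGE", "target.user": "jdoe@example.com",
     "network.client.ip": "198.51.100.7"},
    {"actor.callerType": "KEY", "actor.key": "calendar-sync-client",
     "evt.name": "CREATE_CALENDAR_RESOURCE"},
]

def matches_rule(event):
    """Rule predicate: caller is an OAuth client key AND the event is a user security change."""
    return (event.get("actor.callerType") == "KEY"
            and event.get("evt.name") in SECURITY_CHANGE_EVENTS)

def triage_by_key(events):
    """Group matching events per @actor.key: event types, target users and source IPs seen."""
    summary = defaultdict(lambda: {"events": [], "targets": set(), "ips": set()})
    for ev in events:
        if not matches_rule(ev):
            continue
        entry = summary[ev.get("actor.key", "<missing key>")]
        entry["events"].append(ev["evt.name"])
        if "target.user" in ev:
            entry["targets"].add(ev["target.user"])
        if "network.client.ip" in ev:
            entry["ips"].add(ev["network.client.ip"])
    return dict(summary)
```

Calling `triage_by_key(SAMPLE_EVENTS)` returns only the provisioning key, with the three matching event names, the single target user, and the two source IPs that the review step should compare against the integration's expected egress and maintenance windows.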