Google Workspace unfamiliar service account changing group memberships
Goal
Detects Google Workspace group membership or group moderation activity performed through an OAuth client key (@actor.callerType KEY), where @actor.key is a value not previously observed during the rule’s learning window. Alerts highlight unfamiliar service credentials altering group access.
Strategy
This rule monitors Google Workspace audit categories related to group settings and moderator actions, while restricting the actor to key-based callers and tracking new values of @actor.key over a configured learning period. Automated service accounts routinely sync groups; a service identity that has not appeared during baseline warrants validation against directory integrations and access-management workflows.
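The detection logic described above, as an added example that is not Datadog's rule implementation: a minimal "new value" detector that filters Google Workspace admin audit events to key-based callers on group-change events, baselines every @actor.key seen during a learning window, and alerts when a key first appears after that window. The event records are constructed samples; the @actor.callerType and @actor.key attributes come from the rule text, while the event-name set, the `evt.name`/`group` field names and the 14-day window are assumptions.

```python
from datetime import datetime, timedelta

# Assumed set of Google Workspace admin audit event names covering group
# membership and moderation changes; the rule's exact category list is not
# reproduced on the page.
GROUP_CHANGE_EVENTS = {
    "ADD_GROUP_MEMBER",
    "REMOVE_GROUP_MEMBER",
    "UPDATE_GROUP_MEMBER",
    "CHANGE_GROUP_SETTING",
}

# Constructed sample events (not real audit data), deliberately out of order.
SAMPLE_EVENTS = [
    {"ts": "2024-05-05T08:00:00Z", "actor": {"callerType": "KEY", "key": "key-provisioner-01"},
     "evt": {"name": "REMOVE_GROUP_MEMBER"}, "group": "engineering@example.com"},
    {"ts": "2024-05-01T09:00:00Z", "actor": {"callerType": "KEY", "key": "key-provisioner-01"},
     "evt": {"name": "ADD_GROUP_MEMBER"}, "group": "engineering@example.com"},
    {"ts": "2024-05-10T07:30:00Z", "actor": {"callerType": "KEY", "key": "key-hris-sync"},
     "evt": {"name": "ADD_GROUP_MEMBER"}, "group": "sales@example.com"},
    {"ts": "2024-05-20T10:00:00Z", "actor": {"callerType": "USER", "email": "admin@example.com"},
     "evt": {"name": "ADD_GROUP_MEMBER"}, "group": "finance-admins@example.com"},
    {"ts": "2024-05-21T02:15:00Z", "actor": {"callerType": "KEY", "key": "key-unknown-7f3a"},
     "evt": {"name": "ADD_GROUP_MEMBER"}, "group": "finance-admins@example.com"},
    {"ts": "2024-05-22T08:00:00Z", "actor": {"callerType": "KEY", "key": "key-provisioner-01"},
     "evt": {"name": "CHANGE_GROUP_SETTING"}, "group": "engineering@example.com"},
    {"ts": "2024-05-23T02:20:00Z", "actor": {"callerType": "KEY", "key": "key-unknown-7f3a"},
     "evt": {"name": "REMOVE_GROUP_MEMBER"}, "group": "finance-admins@example.com"},
    {"ts": "2024-05-24T11:00:00Z", "actor": {"callerType": "KEY", "key": "key-ci-bot"},
     "evt": {"name": "LIST_GROUPS"}, "group": None},
]


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp with a 'Z' suffix into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class NewActorKeyDetector:
    """Tracks @actor.key values for key-based group changes.

    Keys first seen inside the learning window are baselined silently;
    a key first seen after the window closes produces an alert. The window
    starts at the first in-scope event the detector processes.
    """

    def __init__(self, learning_window):
        self.learning_window = learning_window
        self.window_start = None   # set from the first in-scope event
        self.known_keys = {}       # actor.key -> first-seen timestamp

    def in_scope(self, event):
        """Keep only key-based callers acting on group membership/settings."""
        actor = event.get("actor", {})
        return bool(
            actor.get("callerType") == "KEY"
            and actor.get("key")
            and event.get("evt", {}).get("name") in GROUP_CHANGE_EVENTS
        )

    def process(self, event):
        """Return an alert dict for a key first seen after the window, else None."""
        if not self.in_scope(event):
            return None
        ts = parse_ts(event["ts"])
        key = event["actor"]["key"]
        if self.window_start is None:
            self.window_start = ts
        if key in self.known_keys:
            return None                      # familiar key: no alert
        self.known_keys[key] = ts
        if ts - self.window_start < self.learning_window:
            return None                      # still learning: baseline the key
        return {"actor_key": key, "event": event["evt"]["name"],
                "group": event.get("group"), "ts": event["ts"]}


def run(events, learning_window=timedelta(days=14)):
    """Replay events in time order and collect alerts for unfamiliar keys."""
    detector = NewActorKeyDetector(learning_window)
    alerts = []
    for event in sorted(events, key=lambda e: parse_ts(e["ts"])):
        alert = detector.process(event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Replaying the samples, the two provisioning keys seen in the first fortnight are baselined, the USER caller and the non-group event are ignored, and only `key-unknown-7f3a` alerts, once, on its first appearance on day 20; its second action two days later is already familiar and stays quiet, which mirrors why the triage steps focus on scoping that key's other activity rather than waiting for further alerts.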
Triage and response
- Map {{@actor.key}} to the Google Cloud service account, Workspace automation, or third-party directory connector responsible for the key material.
- Review group identifiers, membership deltas, and moderator parameters in the event fields against expected provisioning jobs, access requests, or IT runbooks.
- Correlate the event time with deployment or sync schedules for group management tools and with change records for new integrations.
- Search for additional administrative or membership actions from the same @actor.key outside historical norms to gauge scope.