---
title: Google Workspace OAuth key performing account creation or security changes
description: Datadog, the leading service for cloud-scale monitoring.
---

# Google Workspace OAuth key performing account creation or security changes

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}
Classification: attack

Tactic: [TA0006-credential-access](https://attack.mitre.org/tactics/TA0006)

Technique: [T1078-valid-accounts](https://attack.mitre.org/techniques/T1078)

## Goal{% #goal %}

Detects Google Workspace administrative actions, such as user creation, role assignment, admin privilege grants, user unsuspension, password changes or resets, and recovery contact or secret edits, when the caller is an OAuth client key.

## Strategy{% #strategy %}

This rule monitors Google Workspace audit activity where `@actor.callerType` is `KEY` and `@evt.name` matches user security change events. Programmatic keys are expected for some automation, but the same authentication path can perform sensitive identity and recovery changes without an interactive admin session.

## Triage and response{% #triage-and-response %}

- Examine `@actor.key` and map it to the OAuth client, Cloud project, or internal job that is authorized to call Admin SDK or Directory APIs.
- Review `@network.client.ip`, geolocation, and related session context when present, and compare the timestamp to deployment, provisioning, or maintenance windows for that integration.
- Identify affected users and resources from event parameters (for example, target user email, role, or group fields) and confirm each change against change tickets or identity governance records.
- Correlate other signals from the same `@actor.key` in the surrounding hours for breadth of impact across accounts, groups, or security settings.
- Validate that the client's granted scopes and Workspace admin roles still align with least privilege for the automation's documented purpose.
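
The following sketch is an added example, not Datadog's rule query or code: it applies the condition from the Strategy section to exported events and groups matches per `@actor.key` to support the triage steps above. The event-name list, the key inventory, the `target_user` field, and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed event names for illustration; the rule's own query defines the real list.
SENSITIVE_EVENTS = {"CREATE_USER", "ASSIGN_ROLE", "GRANT_ADMIN_PRIVILEGE", "UNSUSPEND_USER",
                    "CHANGE_PASSWORD", "CHANGE_RECOVERY_EMAIL", "CHANGE_RECOVERY_PHONE"}

# Hypothetical inventory: OAuth key -> owning job and the events it is approved to perform.
KEY_INVENTORY = {"provisioning-sync-key": {"owner": "hr-provisioning-job",
                                           "approved": {"CREATE_USER", "UNSUSPEND_USER"}}}

# Constructed sample events; "target_user" is a hypothetical field standing in for event parameters.
def make_event(caller, key, name, ip, target):
    return {"actor": {"callerType": caller, "key": key}, "evt": {"name": name},
            "network": {"client": {"ip": ip}}, "target_user": target}

SAMPLE_EVENTS = [
    make_event("KEY", "provisioning-sync-key", "CREATE_USER", "198.51.100.10", "new.hire@example.com"),
    make_event("KEY", "provisioning-sync-key", "GRANT_ADMIN_PRIVILEGE", "203.0.113.77", "new.hire@example.com"),
    make_event("KEY", "unlisted-key", "CHANGE_RECOVERY_EMAIL", "203.0.113.77", "finance.lead@example.com"),
    make_event("USER", None, "CHANGE_PASSWORD", "198.51.100.20", "someone@example.com"),
    make_event("KEY", "provisioning-sync-key", "SOME_OTHER_EVENT", "198.51.100.10", None),
]

def get(event, path):
    """Resolve a dotted attribute path such as 'actor.callerType'; None if absent."""
    for part in path.split("."):
        event = event.get(part) if isinstance(event, dict) else None
    return event

def matches_rule(event):
    """Condition the rule describes: caller is a key and the event is sensitive."""
    return get(event, "actor.callerType") == "KEY" and get(event, "evt.name") in SENSITIVE_EVENTS

def triage(events, inventory=KEY_INVENTORY):
    """Summarize matching events per key; 'unapproved' holds what needs a change record."""
    report = defaultdict(lambda: {"owner": None, "events": set(), "unapproved": set(),
                                  "targets": set(), "ips": set()})
    for event in filter(matches_rule, events):
        key, name = get(event, "actor.key") or "<no key>", get(event, "evt.name")
        known, entry = inventory.get(key), report[key]
        entry["owner"] = known["owner"] if known else None
        entry["events"].add(name)
        if known is None or name not in known["approved"]:
            entry["unapproved"].add(name)
        entry["targets"].add(get(event, "target_user"))
        entry["ips"].add(get(event, "network.client.ip"))
    return dict(report)

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

A key with an empty `unapproved` set acted only within its documented purpose; anything else, including keys missing from the inventory, is what to check against change tickets.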
