---
title: Google Workspace unfamiliar service account changing group memberships
---

# Google Workspace unfamiliar service account changing group memberships

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}

Classification: attack

Tactic: [TA0004-privilege-escalation](https://attack.mitre.org/tactics/TA0004)

Technique: [T1136-create-account](https://attack.mitre.org/techniques/T1136)

## Goal{% #goal %}

Detects Google Workspace group membership or group moderation activity performed through an OAuth client key (`@actor.callerType` is `KEY`) where the `@actor.key` value was not seen during the rule's learning window. Alerts highlight unfamiliar service credentials altering group access.

## Strategy{% #strategy %}

This rule monitors Google Workspace audit categories related to group settings and moderator actions, while restricting the actor to key-based callers and tracking new values of `@actor.key` over a configured learning period. Automated service accounts routinely sync groups; a service identity that has not appeared during baseline warrants validation against directory integrations and access-management workflows.
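
The new-value logic described above can be sketched offline as follows. This is an added example, not Datadog's rule implementation: the category names, the event layout, the seven-day window, and the sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumption: placeholder names for the group-settings and moderator-action
# audit categories; the rule's real query values are not shown on this page.
GROUP_CATEGORIES = {"group_settings", "moderator_action"}

def unfamiliar_key_events(events, learning_days=7):
    """Return key-based group events whose actor.key first appears after the learning window."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    if not ordered:
        return []
    # Simplification: the learning window starts at the first event in the data set.
    start = datetime.fromisoformat(ordered[0]["time"])
    learning_end = start + timedelta(days=learning_days)
    known, alerts = set(), []
    for event in ordered:
        actor = event.get("actor", {})
        # Only key-based callers acting on group categories are in scope.
        if actor.get("callerType") != "KEY":
            continue
        if event.get("category") not in GROUP_CATEGORIES:
            continue
        key = actor.get("key")
        if not key:
            continue
        if datetime.fromisoformat(event["time"]) < learning_end:
            known.add(key)        # baseline: learn silently
        elif key not in known:
            alerts.append(event)  # first sighting of an unfamiliar key
            known.add(key)        # sketch's choice: alert once per new key
    return alerts

def ev(time, category, caller, key=None, group="eng@example.com"):
    """Build one constructed sample event."""
    return {"time": time, "category": category, "group": group,
            "actor": {"callerType": caller, "key": key}}

# Constructed sample events, not real audit data.
SAMPLE = [
    ev("2024-05-01T02:00:00", "moderator_action", "KEY", "sync-connector-key"),
    ev("2024-05-03T02:00:00", "moderator_action", "KEY", "sync-connector-key"),
    ev("2024-05-09T02:00:00", "moderator_action", "KEY", "sync-connector-key"),
    ev("2024-05-09T10:15:00", "group_settings", "USER"),          # not key-based
    ev("2024-05-10T23:40:00", "moderator_action", "KEY", "unseen-key-01",
       group="admins@example.com"),                               # unfamiliar key
    ev("2024-05-10T23:41:00", "moderator_action", "KEY", "unseen-key-01"),
]

if __name__ == "__main__":
    for hit in unfamiliar_key_events(SAMPLE):
        print(hit["time"], hit["actor"]["key"], hit["group"])
```
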

## Triage and response{% #triage-and-response %}

- Map `{{@actor.key}}` to the Google Cloud service account, Workspace automation, or third-party directory connector responsible for the key material.
- Review group identifiers, membership deltas, and moderator parameters in the event fields against expected provisioning jobs, access requests, or IT runbooks.
- Correlate the event time with deployment or sync schedules for group management tools and with change records for new integrations.
- Search for additional administrative or membership actions from the same `@actor.key` outside historical norms to gauge scope.
