Google Workspace User Organizational Unit Changededit

Users in Google Workspace are typically assigned a specific organizational unit that grants them permissions to certain services and roles that are inherited from this organizational unit. Adversaries may compromise a valid account and change which organizational account the user belongs to which then could allow them to inherit permissions to applications and resources inaccessible prior to.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-google_workspace*

Severity: low

Risk score: 21

Runs every: 10 minutes

Searches indices from: now-130m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100



  • Elastic
  • Cloud
  • Google Workspace
  • Continuous Monitoring
  • SecOps
  • Configuration Audit
  • Persistence

Version: 1

Added (Elastic Stack release): 8.5.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positivesedit

Google Workspace administrators may adjust change which organizational unit a user belongs to as a result of internal role adjustments.

Investigation guideedit

### Important Information Regarding Google Workspace Event Lag Times
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
- See the following references for further information:

Rule queryedit

event.dataset:"google_workspace.admin" and event.type:change and
event.category:iam and google_workspace.event.type:"USER_SETTINGS"
and event.action:"MOVE_USER_TO_ORG_UNIT"

Threat mappingedit