Persistence: SSO Settings Changed

This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.

Overview

If you share your Google Workspace logs with Cloud Logging, Event Threat Detection generates findings for several Google Workspace threats. Because Google Workspace logs are at the organization level, Event Threat Detection can only scan them if you activate Security Command Center at the organization level.

Event Threat Detection enriches log events and writes findings to Security Command Center. The following table describes a Google Workspace threat finding type, the MITRE ATT&CK framework entry related to this finding, and details about the events that trigger this finding. You can also check logs using specific filters, and combine all of the information that you gather to respond to this finding.

This finding isn't available if you activate Security Command Center at the project level.

Description Actions
The SSO settings for the admin account were changed. SSO settings for your organization were changed. Verify whether the change was done intentionally by a member or if it was implemented by an adversary to introduce new access to your organization.

Check logs using the following filters:

protopayload.resource.labels.service="admin.googleapis.com"

protopayload.metadata.event.parameter.value=DOMAIN_NAME

logName="organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Factivity

Replace the following:

  • DOMAIN_NAME: the domainName listed in the finding
  • ORGANIZATION_ID: your organization ID

Research events that trigger this finding:

What's next