Google Workspace integration case studies

The Sophos MDR team escalated the following case for a Google Workspace detection.

The case

On 10/9/2023, Sophos was alerted to detection XDR-google-workspace-Valid-Accounts because the internal entity marta@redacted.uk showed suspicious activity, which caused the account to be suspended. This detection triggers on possible activity by an adversary trying to gain higher-level permissions.

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include:

  • SYSTEM/root level
  • local administrator
  • user account with admin-like access
  • user accounts with access to a specific system or that perform a specific function

These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context. After further review, we have provided the following recommendations for this case.

Recommendations

  • Verify login activity of end user marta@redacted.uk.
  • Change end user password.
  • Notify MDR of all findings and actions.
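One way to carry out the first recommendation (reviewing the user's login activity) is to pull the Workspace login audit log and summarise it per user. This is an added example, not Sophos or customer tooling; it assumes events in the shape returned by the Google Workspace Reports API activities.list call for the login application, with constructed sample data embedded inline.

```python
import json
from collections import Counter

# Constructed sample shaped like Google Workspace Reports API "login" activities
# (activities.list, applicationName=login). Emails, IPs and times are made up.
SAMPLE_ACTIVITIES = json.loads("""
{"items": [
 {"id": {"time": "2023-10-09T07:58:11.000Z", "applicationName": "login"},
  "actor": {"email": "marta@redacted.uk"}, "ipAddress": "203.0.113.7",
  "events": [{"type": "login", "name": "login_failure",
              "parameters": [{"name": "login_type", "value": "google_password"}]}]},
 {"id": {"time": "2023-10-09T07:59:40.000Z", "applicationName": "login"},
  "actor": {"email": "marta@redacted.uk"}, "ipAddress": "203.0.113.7",
  "events": [{"type": "login", "name": "login_success",
              "parameters": [{"name": "login_type", "value": "google_password"},
                             {"name": "is_suspicious", "boolValue": true}]}]},
 {"id": {"time": "2023-10-09T08:05:02.000Z", "applicationName": "login"},
  "actor": {"email": "marta@redacted.uk"}, "ipAddress": "203.0.113.7",
  "events": [{"type": "login", "name": "suspicious_login", "parameters": []}]},
 {"id": {"time": "2023-10-09T09:12:30.000Z", "applicationName": "login"},
  "actor": {"email": "other@redacted.uk"}, "ipAddress": "198.51.100.20",
  "events": [{"type": "login", "name": "login_success", "parameters": []}]}
]}
""")

# Login event names an analyst should look at first on a Valid Accounts alert.
SUSPICIOUS_EVENTS = {"suspicious_login", "suspicious_login_less_secure_app",
                     "account_disabled_password_leak", "account_disabled_generic"}

def triage_user_logins(activities, user_email):
    """Summarise one user's login audit events: failures, successes, source IPs
    of successful logins, and events flagged suspicious by name or by Google."""
    summary = {"failures": 0, "successes": 0, "ips": Counter(), "flags": []}
    for item in activities.get("items", []):
        if item.get("actor", {}).get("email", "").lower() != user_email.lower():
            continue  # keep only the entity named in the detection
        ip, when = item.get("ipAddress", "unknown"), item["id"]["time"]
        for ev in item.get("events", []):
            name = ev.get("name", "")
            params = {p["name"]: p.get("value", p.get("boolValue"))
                      for p in ev.get("parameters", [])}
            if name == "login_failure":
                summary["failures"] += 1
            elif name == "login_success":
                summary["successes"] += 1
                summary["ips"][ip] += 1
            if name in SUSPICIOUS_EVENTS or params.get("is_suspicious") is True:
                summary["flags"].append((when, ip, name))
    return summary
```

Running `triage_user_logins(SAMPLE_ACTIVITIES, "marta@redacted.uk")` on the sample reports one failure, one success from 203.0.113.7 and two flagged events, which is the kind of picture the analyst needs before deciding whether the password reset alone is enough.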

Customer Response

Hi Jay, just to keep you updated, the user's account has been auto-suspended by Darktrace SAAS. I've reset the user's password and further disabled their AD account as well. From investigations internally I have suspicions to believe this user may no longer work for the company, given a deactivated profile on our internal Workplace by Meta, however I am unable to find any leaver requests from our HR or service desk for the user.

We will continue to investigate internally and let you know as soon as we have more information to feed back.