Stay organized with collectionsSave and categorize content based on your preferences.
This document describes a threat finding type in Security Command Center. Threat findings are generated bythreat detectorswhen they detect
a potential threat in your cloud resources. For a full list of available threat findings, seeThreat findings index.
Overview
If you share your Google Workspace logs with Cloud Logging,
Event Threat Detection generates findings for several Google Workspace
threats. Because Google Workspace logs are at the organization level,
Event Threat Detection can only scan them if you activate Security Command Center
at the organization level.
Event Threat Detection enriches log events and writes findings to
Security Command Center. The following table describes a Google Workspace
threat finding type, theMITRE ATT&CK frameworkentry related to this finding, and details about the
events that trigger this finding. You can also check logs using specific filters,
and combine all of the information that you gather to respond to this finding.
The following response plan might be appropriate for this finding, but might also impact operations.
Carefully evaluate the information you gather in your investigation to determine the best way to
resolve findings.
This finding isn't available if you activate Security Command Center at the project
level.
Description
Actions
A member's account is disabled because a password leak was
detected.
Reset passwords for affected accounts, and advise members to
use strong, unique passwords for corporate accounts.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-08 UTC."],[],[],null,["| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)\n\nThis document describes a threat finding type in Security Command Center. Threat findings are generated by\n[threat detectors](/security-command-center/docs/concepts-security-sources#threats) when they detect\na potential threat in your cloud resources. For a full list of available threat findings, see [Threat findings index](/security-command-center/docs/threat-findings-index).\n\nOverview\n\n\nIf you share your Google Workspace logs with Cloud Logging,\nEvent Threat Detection generates findings for several Google Workspace\nthreats. Because Google Workspace logs are at the organization level,\nEvent Threat Detection can only scan them if you activate Security Command Center\nat the organization level.\n\n\nEvent Threat Detection enriches log events and writes findings to\nSecurity Command Center. The following table describes a Google Workspace\nthreat finding type, the [MITRE ATT\\&CK framework](https://attack.mitre.org/)\nentry related to this finding, and details about the\nevents that trigger this finding. You can also check logs using specific filters,\nand combine all of the information that you gather to respond to this finding.\n\n\u003cbr /\u003e\n\n\nThe following response plan might be appropriate for this finding, but might also impact operations.\nCarefully evaluate the information you gather in your investigation to determine the best way to\nresolve findings.\n\nThis finding isn't available if you activate Security Command Center at the project\nlevel.\n\n| Description | Actions ||\n|----------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| A member's account is disabled because a password leak was detected. | Reset passwords for affected accounts, and advise members to use strong, unique passwords for corporate accounts. | **Check logs using the following filters:** `protopayload.resource.labels.service=\"login.googleapis.com\"` `logName=\"organizations/`\u003cvar class=\"edit\" translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e`/logs/cloudaudit.googleapis.com%2Fdata_access` Replace `ORGANIZATION_ID` with your organization ID. |\n| A member's account is disabled because a password leak was detected. | Reset passwords for affected accounts, and advise members to use strong, unique passwords for corporate accounts. | **Research events that trigger this finding:** - **MITRE:** \u003chttps://attack.mitre.org/techniques/T1078/\u003e - **Workspace event details:** \u003chttps://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_password_leak\u003e |\n\nWhat's next\n\n- Learn [how to work with threat\n findings in Security Command Center](/security-command-center/docs/how-to-investigate-threats).\n- Refer to the [Threat findings index](/security-command-center/docs/threat-findings-index).\n- Learn how to [review a\n finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.\n- Learn about the [services that\n generate threat findings](/security-command-center/docs/concepts-security-sources#threats)."]]
