Google Workspace user unenrolled from Advanced Protection
Description
AlphaSOC detected a user unenrollment from Google Workspace Advanced Protection
via the audit event titanium_unenroll. Advanced Protection provides stronger
account defenses (e.g., physical security keys, stricter OAuth policies).
Removing a user from Advanced Protection reduces those protections, which may be
legitimate during role changes or device replacement but can also be abused to
weaken an account’s defenses.
Impact
Unenrolling a previously protected user increases susceptibility to phishing and token-based compromise. For high-risk or privileged users, this may materially increase risk of account takeover and subsequent access to sensitive data.
Severity
| Severity | Condition |
|---|---|
| Low | Google Workspace user unenrolled from Advanced Protection |
Investigation and Remediation
Confirm the affected user and the actor that performed titanium_unenroll.
Validate change approvals and the stated reason (device rotation, employee
change). If the change was unauthorized, re-enroll the user, require
re-validation of device/authentication factors, and check recent account
activity for suspicious access. Establish controls requiring approvals before
unenrollment for high-risk users.
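The triage steps above, sketched as an added example (not AlphaSOC's detection logic): it filters exported audit records for titanium_unenroll and orders them so unapproved changes on high-risk accounts come first. It assumes the records follow the Admin SDK Reports API activity layout with the account in actor.email; the sample records, the watchlist and the approval set are constructed or hypothetical.

```python
import json

# Constructed sample records (assumed Reports API activity layout).
SAMPLE_ACTIVITIES = json.loads("""[
 {"id": {"time": "2024-05-02T09:14:07Z", "applicationName": "user_accounts"},
  "actor": {"email": "CFO@example.com"}, "ipAddress": "203.0.113.24",
  "events": [{"type": "titanium_change", "name": "titanium_unenroll"}]},
 {"id": {"time": "2024-05-02T10:02:51Z", "applicationName": "user_accounts"},
  "actor": {"email": "dev1@example.com"}, "ipAddress": "198.51.100.7",
  "events": [{"type": "titanium_change", "name": "titanium_unenroll"}]},
 {"id": {"time": "2024-05-02T11:30:00Z", "applicationName": "user_accounts"},
  "actor": {"email": "intern@example.com"}, "ipAddress": "198.51.100.9",
  "events": [{"type": "titanium_change", "name": "titanium_unenroll"}]},
 {"id": {"time": "2024-05-02T12:00:00Z", "applicationName": "user_accounts"},
  "actor": {"email": "ops@example.com"}, "ipAddress": "198.51.100.11",
  "events": [{"type": "titanium_change", "name": "titanium_enroll"}]}
]""")

HIGH_RISK_USERS = {"cfo@example.com"}          # hypothetical watchlist
APPROVED_UNENROLLMENTS = {"dev1@example.com"}  # hypothetical approved changes


def triage_unenrollments(activities, high_risk, approved):
    """Return one finding per titanium_unenroll event, most urgent first."""
    findings = []
    for item in activities:
        names = {e.get("name") for e in item.get("events", [])}
        if "titanium_unenroll" not in names:
            continue  # enrollments and unrelated events are ignored
        user = item.get("actor", {}).get("email", "unknown").lower()
        is_approved = user in approved
        findings.append({
            "time": item.get("id", {}).get("time"),
            "user": user,
            "ip": item.get("ipAddress"),
            "high_risk": user in high_risk,
            "approved": is_approved,
            "action": "none" if is_approved
                      else "re-enroll, re-validate factors, review activity",
        })
    # Unapproved before approved, then high-risk users, then oldest first.
    findings.sort(key=lambda f: (f["approved"], not f["high_risk"], f["time"] or ""))
    return findings


if __name__ == "__main__":
    for f in triage_unenrollments(SAMPLE_ACTIVITIES, HIGH_RISK_USERS,
                                  APPROVED_UNENROLLMENTS):
        print(f)
```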