Google Workspace device compromised
Description
AlphaSOC detected an audit event DEVICE_COMPROMISED_EVENT with
DEVICE_COMPROMISED_STATE equal to COMPROMISED. This indicates Google has
reported a device associated with an account as compromised.
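The matching logic described above, as an added example that is not AlphaSOC's own code. The record layout (`events[].parameters` as name/value pairs, `actor.email`, `id.time`), the `DEVICE_ID` parameter, and the `NOT_COMPROMISED` and `DEVICE_SYNC_EVENT` values in the sample are assumptions, and the sample events are constructed.

```python
import json

# Constructed sample events; the layout (events[].parameters as name/value
# pairs, actor.email, id.time) is an assumed Reports-API-style activity shape.
SAMPLE_ACTIVITIES = json.loads("""[
 {"id": {"time": "2024-05-01T10:05:00Z"}, "actor": {"email": "alice@example.com"},
  "events": [{"name": "DEVICE_COMPROMISED_EVENT", "parameters": [
    {"name": "DEVICE_COMPROMISED_STATE", "value": "COMPROMISED"},
    {"name": "DEVICE_ID", "value": "dev-001"}]}]},
 {"id": {"time": "2024-05-01T10:00:00Z"}, "actor": {"email": "alice@example.com"},
  "events": [{"name": "DEVICE_COMPROMISED_EVENT", "parameters": [
    {"name": "DEVICE_COMPROMISED_STATE", "value": "COMPROMISED"},
    {"name": "DEVICE_ID", "value": "dev-001"}]}]},
 {"id": {"time": "2024-05-01T11:00:00Z"}, "actor": {"email": "bob@example.com"},
  "events": [{"name": "DEVICE_COMPROMISED_EVENT", "parameters": [
    {"name": "DEVICE_COMPROMISED_STATE", "value": "NOT_COMPROMISED"},
    {"name": "DEVICE_ID", "value": "dev-002"}]}]},
 {"id": {"time": "2024-05-01T12:00:00Z"}, "actor": {"email": "carol@example.com"},
  "events": [{"name": "DEVICE_SYNC_EVENT", "parameters": [
    {"name": "DEVICE_ID", "value": "dev-003"}]}]}
]""")


def compromised_devices(activities):
    """Return one finding per (user, device) reported as COMPROMISED."""
    findings = {}
    for activity in activities:
        user = activity.get("actor", {}).get("email", "unknown")
        seen_at = activity.get("id", {}).get("time", "")
        for event in activity.get("events", []):
            if event.get("name") != "DEVICE_COMPROMISED_EVENT":
                continue
            params = {p.get("name"): p.get("value") for p in event.get("parameters", [])}
            # The event can carry other states (NOT_COMPROMISED in the sample,
            # an assumed value); alert only when the state is COMPROMISED.
            if params.get("DEVICE_COMPROMISED_STATE") != "COMPROMISED":
                continue
            key = (user, params.get("DEVICE_ID", "unknown"))
            f = findings.setdefault(key, {"user": key[0], "device_id": key[1],
                                          "first_seen": seen_at, "count": 0})
            f["count"] += 1
            f["first_seen"] = min(f["first_seen"], seen_at)  # ISO-8601 UTC sorts lexically
    return sorted(findings.values(), key=lambda f: f["first_seen"])


if __name__ == "__main__":
    for finding in compromised_devices(SAMPLE_ACTIVITIES):
        print(finding)
```

Repeated reports for the same user and device collapse into one finding with the earliest timestamp, which gives the starting point for the activity review.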
Impact
A compromised device may allow an attacker to access user credentials, authenticated sessions, and organizational resources associated with the affected account. This can result in unauthorized access to cloud services, data exfiltration, persistence within the environment, and the ability to bypass or abuse device-based authentication and MFA trust mechanisms.
Severity
| Severity | Condition |
|---|---|
| Medium | Google Workspace device compromised |
Investigation and Remediation
Review device telemetry, endpoint detection logs, and Google device management records to identify the affected device, user, and recent activity. Isolate the device, collect forensic artifacts, and perform malware scans and full reimaging as appropriate. Rotate credentials used on the device and revoke sessions or tokens. Review conditional access and device posture policies to reduce risk and require device remediation before re-enrollment.