Google Workspace Role Modified or Deleted
Detects when an a role is modified or deleted in Google Workspace.
Sigma rule (View on GitHub)
1title: Google Workspace Role Modified or Deleted
2id: 6aef64e3-60c6-4782-8db3-8448759c714e
3status: test
4description: Detects when an a role is modified or deleted in Google Workspace.
5references:
6 - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
7 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
8author: Austin Songer
9date: 2021-08-24
10modified: 2023-10-11
11tags:
12 - attack.impact
13logsource:
14 product: gcp
15 service: google_workspace.admin
16detection:
17 selection:
18 eventService: admin.googleapis.com
19 eventName:
20 - DELETE_ROLE
21 - RENAME_ROLE
22 - UPDATE_ROLE
23 condition: selection
24falsepositives:
25 - Unknown
26
27level: medium
References
-
This document provides a conceptual overview of the audit logs that Google Workspace provides as a part of Cloud Audit Logs. For information about managing your Google Workspace audit logs, see Vie...
Read More -
Admin Audit Activity Events - Delegated Admin Settings Stay organized with collections Save and categorize content based on your preferences. Except as otherwise noted, the content of this page is ...
Read More
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AWS EC2 Disable EBS Encryption
- AWS EFS Fileshare Modified or Deleted
- AWS EFS Fileshare Mount Modified or Deleted