Google Workspace User Granted Admin Privileges
Detects when a Google Workspace user is granted admin privileges.
Sigma rule
```yaml
title: Google Workspace User Granted Admin Privileges
id: 2d1b83e4-17c6-4896-a37b-29140b40a788
status: test
description: Detects when an Google Workspace user is granted admin privileges.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE
author: Austin Songer
date: 2021-08-23
modified: 2023-10-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098
logsource:
    product: gcp
    service: google_workspace.admin
detection:
    selection:
        eventService: admin.googleapis.com
        eventName:
            - GRANT_DELEGATED_ADMIN_PRIVILEGES
            - GRANT_ADMIN_PRIVILEGE
    condition: selection
falsepositives:
    - Google Workspace admin role privileges, may be modified by system administrators.
level: medium
```
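The rule's selection evaluated over sample events, as an added example that is not part of the original page or the Sigma project. The `actor` and `target` fields, the `APPROVED_ADMINS` allowlist (a triage aid for the rule's documented false positive) and all sample events are constructed assumptions; only `eventService`, `eventName` and their values come from the rule.

```python
# Added example: applies the rule's `selection` to constructed audit events.
SELECTION = {
    "eventService": ["admin.googleapis.com"],
    "eventName": ["GRANT_DELEGATED_ADMIN_PRIVILEGES", "GRANT_ADMIN_PRIVILEGE"],
}
# Hypothetical allowlist of administrators expected to grant admin roles.
APPROVED_ADMINS = {"it-admin@example.com"}

def matches(event, selection=SELECTION):
    """Sigma selection semantics: every field must match (AND), any listed
    value may match (OR); plain string values compare case-insensitively."""
    for field, allowed in selection.items():
        value = event.get(field)
        if not isinstance(value, str):
            return False  # missing or non-string field never matches
        if value.lower() not in {a.lower() for a in allowed}:
            return False
    return True

def triage(events, approved=APPROVED_ADMINS):
    """Return one alert per matching event, flagging unexpected actors."""
    alerts = []
    for ev in events:
        if matches(ev):
            actor = ev.get("actor", "unknown")
            alerts.append({
                "eventName": ev["eventName"],
                "actor": actor,
                "target": ev.get("target", "unknown"),
                "level": "medium",  # level taken from the rule
                "expected_actor": actor in approved,
            })
    return alerts

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"eventService": "admin.googleapis.com", "eventName": "GRANT_ADMIN_PRIVILEGE",
     "actor": "it-admin@example.com", "target": "alice@example.com"},
    {"eventService": "admin.googleapis.com", "eventName": "GRANT_DELEGATED_ADMIN_PRIVILEGES",
     "actor": "bob@example.com", "target": "bob@example.com"},
    {"eventService": "admin.googleapis.com", "eventName": "CHANGE_PASSWORD",
     "actor": "it-admin@example.com", "target": "carol@example.com"},
    {"eventService": "login.googleapis.com", "eventName": "GRANT_ADMIN_PRIVILEGE",
     "actor": "bob@example.com", "target": "bob@example.com"},
    {"eventService": "admin.googleapis.com"},  # eventName missing
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Alerts with `expected_actor` set to false are the ones to review first, since the grant did not come from a known administrator.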
Related rules
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted
- AWS IAM Backdoor Users Keys