Google Workspace User Granted Admin Privileges

 1title: Google Workspace User Granted Admin Privileges
 2id: 2d1b83e4-17c6-4896-a37b-29140b40a788
 3status: test
 4description: Detects when an Google Workspace user is granted admin privileges.
 5references:
 6    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
 7    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE
 8author: Austin Songer
 9date: 2021/08/23
10modified: 2023/10/11
11tags:
12    - attack.persistence
13    - attack.t1098
14logsource:
15    product: gcp
16    service: google_workspace.admin
17detection:
18    selection:
19        eventService: admin.googleapis.com
20        eventName:
21            - GRANT_DELEGATED_ADMIN_PRIVILEGES
22            - GRANT_ADMIN_PRIVILEGE
23    condition: selection
24falsepositives:
25    - Google Workspace admin role privileges, may be modified by system administrators.
26level: medium

References

• Audit logs for Google Workspace  |  Cloud Logging  |  Google Cloud

  

  This document provides a conceptual overview of the audit logs that Google Workspace provides as a part of Cloud Audit Logs. For information about managing your Google Workspace audit logs, see Vie...

  
  Read More

• Admin Audit Activity Events - User Settings  |  Admin console  |  Google for Developers

  

  This document lists the events and parameters for User Settings Admin Audit activity events. You can retrieve these events by calling Activities.list() with applicationName=admin. User Settings Eve...

  
  Read More

Related rules

• AWS IAM Backdoor Users Keys
• AWS Route 53 Domain Transfer Lock Disabled
• AWS Route 53 Domain Transferred to Another Account
• Change to Authentication Method
• Google Workspace Granted Domain API Access