Google Workspace User Granted Admin Privileges
Detects when an Google Workspace user is granted admin privileges.
Sigma rule (View on GitHub)
1title: Google Workspace User Granted Admin Privileges
2id: 2d1b83e4-17c6-4896-a37b-29140b40a788
3status: test
4description: Detects when an Google Workspace user is granted admin privileges.
5references:
6 - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
7 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE
8author: Austin Songer
9date: 2021/08/23
10modified: 2023/10/11
11tags:
12 - attack.persistence
13 - attack.t1098
14logsource:
15 product: gcp
16 service: google_workspace.admin
17detection:
18 selection:
19 eventService: admin.googleapis.com
20 eventName:
21 - GRANT_DELEGATED_ADMIN_PRIVILEGES
22 - GRANT_ADMIN_PRIVILEGE
23 condition: selection
24falsepositives:
25 - Google Workspace admin role privileges, may be modified by system administrators.
26level: medium
References
Related rules
- AWS IAM Backdoor Users Keys
- AWS Route 53 Domain Transfer Lock Disabled
- AWS Route 53 Domain Transferred to Another Account
- Change to Authentication Method
- Google Workspace Granted Domain API Access