Google Workspace admin role created

gsuite

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

Set up the gsuite integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Create a signal when Google Workspace detects a new Google Workspace administrative role.

Strategy

Monitor Google Workspace logs to detect CREATE_ROLE events.

Triage and response

  1. Determine if there is a legitimate reason for the new administrator role (@event.parameters.ROLE_NAME).
  2. If there is not a legitimate reason, investigate activity from around the Google Workspace administrator ({{@usr.email}}) and IP that created the role ({{@network.client.ip}}).

Changelog

  • 17 October 2022 - Updated tags.