Google Workspace user assigned super administrative role

Set up the gsuite integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a user is added to the Super administrator role on Google Workspace.

Strategy

Monitor Google Workspace logs to detect ASSIGN_ROLE events where @usr.role is _SEED_ADMIN_ROLE (Super administrator).

Triage and response

  1. Verify with the Google admin ({{@usr.email}}) if the Google Workspace user ({{@event.parameters.USER_EMAIL}}) should legitimately be given the super admin role.
  2. If the user ({{@event.parameters.USER_EMAIL}}) was not legitimately added, investigate activity from the IP address ({{@network.client.ip}}) that made the role addition.
  3. Review activity around the Google Workspace admin who made the change ({{@usr.email}}) and the newly added super admin ({{@event.parameters.USER_EMAIL}}).