<  Back to rules search

Google Workspace admin role created

gsuite

Classification:

attack

Tactic:

Technique:

Set up the gsuite integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Create a signal when Google Workspace detects a new Google Workspace administrative role.

Strategy

Monitor Google Workspace logs to detect CREATE_ROLE events.

Triage and response

  1. Determine if there is a legitimate reason for the new administrator role (@event.parameters.ROLE_NAME).
  2. If there is not a legitimate reason, investigate activity from around the Google Workspace administrator ({{@usr.email}}) and IP that created the role ({{@network.client.ip}}).

Changelog

  • 17 October 2022 - Updated tags.