
Google Workspace user assigned to super admin role

gsuite

Classification:

attack

Tactic:

Technique:

Set up the gsuite integration.

Goal

Detect when a user is added to the super administrator group on Google Workspace.

Strategy

Monitor Google Workspace logs to detect ASSIGN_ROLE events where @event.parameters.ROLE_NAME is _SEED_ADMIN_ROLE.

Triage and response

  1. Verify with the Google admin ({{@usr.email}}) if the Google Workspace user in the @event.parameters.USER_EMAIL attribute should legitimately be given the super admin role.
  2. If the user in @event.parameters.USER_EMAIL was not legitimately added, investigate activity from the IP address ({{@network.client.ip}}) that made the role addition.
  3. Review activity around the Google Workspace admin who made the change ({{@usr.email}}) and the newly added super admin (@event.parameters.USER_EMAIL).
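The check from the Strategy section, applied to raw audit records and returning the fields the triage steps rely on. This is an added example, not the rule's own implementation. It assumes JSON-lines input shaped like Google Workspace admin audit activities, with actor.email and ipAddress standing in for @usr.email and @network.client.ip; the sample records are constructed.

```python
import json

SUPER_ADMIN_ROLE = "_SEED_ADMIN_ROLE"

def _activity(time, actor, ip, name, params):
    """Build one constructed audit record as a JSON line (assumed layout)."""
    return json.dumps({
        "id": {"time": time, "applicationName": "admin"},
        "actor": {"email": actor},
        "ipAddress": ip,
        "events": [{"name": name,
                    "parameters": [{"name": k, "value": v} for k, v in params.items()]}],
    })

# Constructed sample input: example.com users and documentation IP ranges.
SAMPLE_LOGS = [
    _activity("2024-01-10T09:00:00Z", "admin@example.com", "203.0.113.7", "ASSIGN_ROLE",
              {"ROLE_NAME": "_SEED_ADMIN_ROLE", "USER_EMAIL": "bob@example.com"}),
    _activity("2024-01-10T09:05:00Z", "admin@example.com", "203.0.113.7", "ASSIGN_ROLE",
              {"ROLE_NAME": "HelpdeskRole", "USER_EMAIL": "carol@example.com"}),
    _activity("2024-01-10T09:10:00Z", "admin@example.com", "198.51.100.4", "CREATE_USER",
              {"USER_EMAIL": "dave@example.com"}),
    "{truncated record",  # malformed line, must not stop the scan
]

def find_super_admin_grants(lines):
    """Return one finding per ASSIGN_ROLE event that grants the super admin role."""
    findings = []
    for line in lines:
        try:
            activity = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip unparseable lines instead of aborting
        if not isinstance(activity, dict):
            continue
        for event in activity.get("events") or []:
            if event.get("name") != "ASSIGN_ROLE":
                continue
            # Parameters arrive as a list of name/value pairs; flatten to a dict.
            params = {p.get("name"): p.get("value") for p in event.get("parameters") or []}
            if params.get("ROLE_NAME") != SUPER_ADMIN_ROLE:
                continue
            findings.append({
                "time": (activity.get("id") or {}).get("time"),
                "actor": (activity.get("actor") or {}).get("email"),   # triage steps 1 and 3
                "source_ip": activity.get("ipAddress"),                 # triage step 2
                "new_super_admin": params.get("USER_EMAIL"),            # triage steps 1 and 3
            })
    return findings
```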