Google Workspace user assigned super administrative role

Set up the gsuite integration.


Detect when a user is added to the Super administrator role on Google Workspace.


Monitor Google Workspace logs to detect ASSIGN_ROLE events where @usr.role is _SEED_ADMIN_ROLE (Super administrator).

Triage and response

  1. Verify with the Google admin ({{}}) if the Google Workspace user in the @event.parameters.USER_EMAIL attribute should legitimately be given the super admin role.
  2. If the user in @event.parameters.USER_EMAIL was not legitimately added, investigate activity from the IP address ({{@network.client.ip}}) that made the role addition.
  3. Review activity around the Google Workspace admin who made the change ({{}}) and the newly added super admin (@event.parameters.USER_EMAIL).
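The detection described above, sketched as an offline filter over exported JSON logs. This is an added example, not Datadog's rule definition: the attribute paths for role, user email and client IP come from this page, while the `evt.name` location of the event name and all sample log lines are assumptions constructed for illustration.

```python
import json

# Attribute paths from the page (leading "@" dropped); EVENT_PATH is an assumption.
EVENT_PATH = "evt.name"
ROLE_PATH = "usr.role"
TARGET_PATH = "event.parameters.USER_EMAIL"
IP_PATH = "network.client.ip"

def get_path(record, dotted):
    """Walk a dotted attribute path; return None if any segment is missing."""
    node = record
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def find_super_admin_grants(lines):
    """Return one finding per ASSIGN_ROLE event that grants _SEED_ADMIN_ROLE."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting
        if get_path(record, EVENT_PATH) != "ASSIGN_ROLE":
            continue
        if get_path(record, ROLE_PATH) != "_SEED_ADMIN_ROLE":
            continue
        findings.append({
            "granted_to": get_path(record, TARGET_PATH),
            "client_ip": get_path(record, IP_PATH),  # None when the log carries no IP
        })
    return findings

# Constructed sample logs: two grants (one without an IP), another role, another event, a truncated line.
SAMPLE_LOGS = [
    '{"evt":{"name":"ASSIGN_ROLE"},"usr":{"role":"_SEED_ADMIN_ROLE"},"event":{"parameters":{"USER_EMAIL":"new.admin@example.com"}},"network":{"client":{"ip":"203.0.113.7"}}}',
    '{"evt":{"name":"ASSIGN_ROLE"},"usr":{"role":"_SEED_ADMIN_ROLE"},"event":{"parameters":{"USER_EMAIL":"second.admin@example.com"}}}',
    '{"evt":{"name":"ASSIGN_ROLE"},"usr":{"role":"_GROUPS_ADMIN_ROLE"},"event":{"parameters":{"USER_EMAIL":"helpdesk@example.com"}}}',
    '{"evt":{"name":"UNASSIGN_ROLE"},"usr":{"role":"_SEED_ADMIN_ROLE"},"event":{"parameters":{"USER_EMAIL":"old.admin@example.com"}}}',
    '{"evt":{"name":"ASSIGN_ROLE"},"usr":{"role":"_SEED_ADMIN',
]

if __name__ == "__main__":
    for finding in find_super_admin_grants(SAMPLE_LOGS):
        print(finding)
```

Each finding carries the two values the triage steps pivot on: the account that received the role and the source IP of the change.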