Google Workspace Admin Role Assigned to a User

Elastic Detection Rules

Summary
This detection rule identifies when an administrative role is assigned to a user in Google Workspace, an event that can indicate unauthorized access or privilege escalation. A user who is assigned an administrative role gains access to the Google Admin console and to management capabilities across the organization's resources, which an attacker could exploit for persistence or lateral movement. Monitoring and validating role assignments is therefore crucial to ensure they adhere to organizational security policies and the principle of least privilege.

The rule triggers alerts when specific events related to administrative role assignment are logged in Google Workspace, so that security teams can investigate and respond to suspicious activity. Key investigation steps include verifying the user and role associated with the event, assessing the legitimacy of the role assignment, and ensuring that no unauthorized changes have been made to the organization's administrative settings. Overall, the rule plays an essential role in maintaining the security posture of Google Workspace environments against insider threats and external attackers.
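The triage logic described above, as an added Python example that is not the Elastic rule's own query. It assumes audit records shaped like Admin SDK Reports API "admin" activities (event name `ASSIGN_ROLE`, parameters `ROLE_NAME` and `USER_EMAIL`) and that built-in admin roles end in `_ADMIN_ROLE`; the sample records and the `approved_actors` allow-list are constructed for illustration.

```python
# Added example: triage of admin role assignments in Google Workspace audit data.
# SAMPLE_ACTIVITIES is constructed; its shape is assumed to follow Admin SDK
# Reports API "admin" activities (event ASSIGN_ROLE, params ROLE_NAME/USER_EMAIL).
SAMPLE_ACTIVITIES = [
    {"id": {"time": "2024-01-10T09:15:00Z"}, "actor": {"email": "it-lead@example.com"},
     "events": [{"name": "ASSIGN_ROLE", "parameters": [
         {"name": "ROLE_NAME", "value": "_SEED_ADMIN_ROLE"},
         {"name": "USER_EMAIL", "value": "alice@example.com"}]}]},
    {"id": {"time": "2024-01-10T09:20:00Z"}, "actor": {"email": "it-lead@example.com"},
     "events": [{"name": "ASSIGN_ROLE", "parameters": [
         {"name": "ROLE_NAME", "value": "Helpdesk Readers"},
         {"name": "USER_EMAIL", "value": "carol@example.com"}]}]},
    {"id": {"time": "2024-01-10T23:41:00Z"}, "actor": {"email": "bob@example.com"},
     "events": [{"name": "ASSIGN_ROLE", "parameters": [
         {"name": "ROLE_NAME", "value": "_USER_MANAGEMENT_ADMIN_ROLE"},
         {"name": "USER_EMAIL", "value": "bob@example.com"}]}]},
    {"id": {"time": "2024-01-11T08:00:00Z"}, "actor": {"email": "it-lead@example.com"},
     "events": [{"name": "CHANGE_PASSWORD", "parameters": [
         {"name": "USER_EMAIL", "value": "dave@example.com"}]}]},
]

ADMIN_ROLE_SUFFIX = "_ADMIN_ROLE"  # assumption: built-in admin roles share this suffix


def find_admin_role_assignments(activities, approved_actors=frozenset()):
    """Return one finding per admin role assignment, with triage context."""
    findings = []
    for activity in activities:
        actor = activity.get("actor", {}).get("email", "").lower()
        for event in activity.get("events", []):
            if event.get("name") != "ASSIGN_ROLE":
                continue
            params = {p.get("name"): p.get("value", "") for p in event.get("parameters", [])}
            role = params.get("ROLE_NAME", "")
            if not role.endswith(ADMIN_ROLE_SUFFIX):
                continue  # custom roles are out of scope here and need their own review
            target = params.get("USER_EMAIL", "").lower()
            findings.append({
                "time": activity.get("id", {}).get("time"),
                "actor": actor, "target": target, "role": role,
                "self_assigned": bool(actor) and actor == target,  # user granted own role
                "actor_approved": actor in approved_actors,  # hypothetical allow-list
            })
    return findings


if __name__ == "__main__":
    for finding in find_admin_role_assignments(SAMPLE_ACTIVITIES, {"it-lead@example.com"}):
        print(finding)
```

Findings with `self_assigned` set or `actor_approved` unset are the ones to check first against change records when verifying the user and role behind an alert.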
Categories
  • Cloud
  • Identity Management
  • Other
Data Sources
  • User Account
  • Logon Session
  • Cloud Service
ATT&CK Techniques
  • T1098
  • T1098.003
Created: 2020-11-17