Update and rename gworkspace_user_assigned_admin_role.yml to gworkspace_user_granted_admin_privileges.yml
+5
-4
@@ -1,21 +1,22 @@
|
||||
title: Google Workspace User Assigned Admin Role
|
||||
title: Google Workspace User Granted Admin Privileges
|
||||
id: 2d1b83e4-17c6-4896-a37b-29140b40a788
|
||||
description: Detects when an admin role is assigned to a Google Workspace user.
|
||||
description: Detects when an Google Workspace user is granted admin privileges.
|
||||
author: Austin Songer
|
||||
status: experimental
|
||||
date: 2021/08/23
|
||||
references:
|
||||
- https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
|
||||
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE
|
||||
logsource:
|
||||
service: google_workspace.admin
|
||||
detection:
|
||||
selection:
|
||||
eventService: admin.googleapis.com
|
||||
admin.alert.name: google.admin.AdminService.grantAdminPrivilege
|
||||
eventName: GRANT_ADMIN_PRIVILEGE
|
||||
condition: selection
|
||||
level: medium
|
||||
tags:
|
||||
- attack.persistence
|
||||
- attack.t1098
|
||||
falsepositives:
|
||||
- Google Workspace admin role assigned, may be modified by system administrators.
|
||||
- Google Workspace admin role privileges, may be modified by system administrators.
|
||||
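Review bot: The `selection` block appears to match only `eventName: GRANT_ADMIN_PRIVILEGE` after this change, so the rule fires on a direct admin-privilege grant but not on a delegated admin role being assigned to a user. The rendered page has lost its +/- markers, so this assumes the `eventName` line is the new side replacing `admin.alert.name`. As far as I know, Google logs role assignment as a separate `ASSIGN_ROLE` event, so either say in the description that role assignment is out of scope or cover it in a companion rule, since both paths give an account persistent elevated access. The new description also has a typo and should read `description: Detects when a Google Workspace user is granted admin privileges.`. The new `falsepositives` entry reads more clearly as `- Legitimate grants of admin privileges by Google Workspace system administrators.`.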