From 0fe2b3f5695a2ca9b1bb5d2dd0cd478555f810c0 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 23 Aug 2021 19:52:32 -0500
Subject: [PATCH] Update and rename gworkspace_user_assigned_admin_role.yml to gworkspace_user_granted_admin_privileges.yml
---
 ....yml => gworkspace_user_granted_admin_privileges.yml} | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
 rename rules/cloud/gworkspace/{gworkspace_user_assigned_admin_role.yml => gworkspace_user_granted_admin_privileges.yml} (51%)
diff --git a/rules/cloud/gworkspace/gworkspace_user_assigned_admin_role.yml b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml
similarity index 51%
rename from rules/cloud/gworkspace/gworkspace_user_assigned_admin_role.yml
rename to rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml
index 09cfcc4f5..39d05f14f 100644
--- a/rules/cloud/gworkspace/gworkspace_user_assigned_admin_role.yml
+++ b/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml
@@ -1,21 +1,22 @@
-title: Google Workspace User Assigned Admin Role
+title: Google Workspace User Granted Admin Privileges
 id: 2d1b83e4-17c6-4896-a37b-29140b40a788
-description: Detects when an admin role is assigned to a Google Workspace user.
+description: Detects when an Google Workspace user is granted admin privileges.
 author: Austin Songer
 status: experimental
 date: 2021/08/23
 references:
     - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
+    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE
 logsource:
     service: google_workspace.admin
 detection:
     selection:
         eventService: admin.googleapis.com
-        admin.alert.name: google.admin.AdminService.grantAdminPrivilege
+        eventName: GRANT_ADMIN_PRIVILEGE
     condition: selection
 level: medium
 tags:
     - attack.persistence
     - attack.t1098
 falsepositives:
-    - Google Workspace admin role assigned, may be modified by system administrators.
+    - Google Workspace admin role privileges, may be modified by system administrators.
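Review bot: The new selection `eventName: GRANT_ADMIN_PRIVILEGE` narrows the rule to super-admin grants, while the previous title ("User Assigned Admin Role") and the retained T1098 tag describe admin privilege in general; if memory serves, the same Admin SDK appendix the new reference points at also lists `GRANT_DELEGATED_ADMIN_PRIVILEGES` under user settings and `ASSIGN_ROLE` under delegated-admin settings, so delegated or custom admin role grants would silently stop matching. Please confirm against that appendix and either widen the selection, e.g. `eventName:` / `    - GRANT_ADMIN_PRIVILEGE` / `    - GRANT_DELEGATED_ADMIN_PRIVILEGES`, or state the super-admin-only scope in the description so analysts do not assume role assignments are covered. The new description has a typo, `Detects when an Google Workspace user is granted admin privileges.` should read `a Google Workspace user`, and the rewritten falsepositives entry `Google Workspace admin role privileges, may be modified by system administrators.` has lost its verb; `Legitimate admin privilege grants performed by system administrators.` reads cleanly. Given that granting super-admin is a high-impact persistence action, it is also worth reconsidering whether `level: medium` is the right severity, though that is the rule author's call.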