Google Workspace user assigned administrative role
Set up the gsuite integration.
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Goal
Detect when a user is added to an administrator role on Google Workspace.
Strategy
Monitor Google Workspace logs to detect ASSIGN_ROLE
events where @usr.role
has the suffix _ADMIN_ROLE
.
Triage and response
- Verify with the Google admin (
{{@usr.email}}
) if the Google Workspace user ({{@event.parameters.USER_EMAIL}}
) should legitimately be given the admin role. - If the user (
{{@event.parameters.USER_EMAIL}}
) was not legitimately added, investigate activity from the IP address ({{@network.client.ip}}
) that made the role addition. - Review activity around the Google Workspace admin who made the change (
{{@usr.email}}
) and the newly added admin ({{@event.parameters.USER_EMAIL}}
).