Google Workspace user assigned administrative role

Set up the gsuite integration.

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when a user is added to an administrator role on Google Workspace.

Strategy

Monitor Google Workspace logs to detect ASSIGN_ROLE events where @usr.role has the suffix _ADMIN_ROLE.

Triage and response

  1. Verify with the Google admin ({{@usr.email}}) if the Google Workspace user ({{@event.parameters.USER_EMAIL}}) should legitimately be given the admin role.
  2. If the user ({{@event.parameters.USER_EMAIL}}) was not legitimately added, investigate activity from the IP address ({{@network.client.ip}}) that made the role addition.
  3. Review activity around the Google Workspace admin who made the change ({{@usr.email}}) and the newly added admin ({{@event.parameters.USER_EMAIL}}).
PREVIEWING: rtrieu/product-analytics-ui-changes