Google Workspace user assigned administrative role
Set up the gsuite integration.
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect when a user is added to an administrator role on Google Workspace.
Strategy
Monitor Google Workspace logs to detect ASSIGN_ROLE
events where @usr.role
has the suffix _ADMIN_ROLE
.
Triage and response
- Verify with the Google admin (
{{@usr.email}}
) if the Google Workspace user ({{@event.parameters.USER_EMAIL}}
) should legitimately be given the admin role. - If the user (
{{@event.parameters.USER_EMAIL}}
) was not legitimately added, investigate activity from the IP address ({{@network.client.ip}}
) that made the role addition. - Review activity around the Google Workspace admin who made the change (
{{@usr.email}}
) and the newly added admin ({{@event.parameters.USER_EMAIL}}
).