Custom Google Workspace admin roles may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.

Techniques

Sample rules

Google Workspace Custom Admin Role Created

Description

Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment.

Detection logic

event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE