google workspace admin role privileges, may be modified by system administrators.

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml>sigma
technicques: t1098

Techniques

Detects when an Google Workspace user is granted admin privileges.

condition: selection
selection:
  eventName:
  - GRANT_DELEGATED_ADMIN_PRIVILEGES
  - GRANT_ADMIN_PRIVILEGE
  eventService: admin.googleapis.com