google workspace admin roles may be deleted by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.

t1531
google_workspace
elastic

Techniques

T1531

Sample rules

Google Workspace Admin Role Deletion

source: elastic
technicques:
- T1531

Description

Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators.

Detection logic

event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE