Query Details

GWS Alerts Admin Persistence Cluster

Query

id: 8b4e3d9f-2c5d-4f6b-ad3e-9c2e8f7b5a04
name: GWS Alerts - SSO / Admin Persistence Cluster
description: |
  Cluster of admin-persistence-related alerts within a 24-hour window per actor:
  SSO profile changes, super-admin password resets, primary admin changes,
  privilege grants. Detects the classic IdP-relay / golden-account pattern from
  the GCP Pentest Checklist (Workspace persistence).
requiredDataConnectors:
  - connectorId: GoogleWorkspaceDefinition
    dataTypes:
      - GWSAlerts_CL
tactics:
  - Persistence
  - PrivilegeEscalation
relevantTechniques:
  - T1098
  - T1556
  - T1484.002
query: |
  GWSAlerts_CL
  | where TimeGenerated > ago(14d)
  | where Source in ("Sensitive Admin Action", "User Changes")
       or AlertType has_any ("SSO profile", "Super admin password reset",
                             "Primary admin changed", "granted Admin")
  | extend Actor = tostring(coalesce(AlertData.actorEmail, AlertData.email))
  | summarize DistinctTypes = dcount(AlertType),
              AlertTypes = make_set(AlertType, 50),
              FirstSeen = min(TimeGenerated),
              LastSeen = max(TimeGenerated),
              AlertCount = count()
              by bin(TimeGenerated, 1d), Actor
  | where DistinctTypes >= 2
  | order by AlertCount desc
tags:
  - GoogleWorkspace
  - Persistence
  - GCPPentestChecklist

Explanation

This KQL query is designed to identify suspicious activity related to admin persistence in Google Workspace. It focuses on detecting patterns that might indicate unauthorized access or privilege escalation by analyzing alerts over a 14-day period. Here's a simplified breakdown:

  1. Data Source: The query uses data from Google Workspace alerts.

  2. Time Frame: It examines alerts generated in the last 14 days.

  3. Alert Types: It filters for specific alert types, including sensitive admin actions, user changes, SSO profile changes, super admin password resets, primary admin changes, and admin privilege grants.

  4. Actor Identification: It identifies the actor (user) involved in these alerts.

  5. Summary Statistics: For each actor within each one-day bin (`bin(TimeGenerated, 1d)`), it calculates:

    • The number of distinct alert types.
    • A list of alert types encountered.
    • The first and last time these alerts were seen.
    • The total count of alerts.

  6. Suspicious Activity Detection: It highlights actors involved in at least two distinct alert types within the same one-day bin, suggesting potential persistence or privilege escalation attempts.

  7. Ordering: Results are ordered by the number of alerts, with the most active actors listed first.

Overall, this query helps identify potential security threats by clustering related admin persistence alerts and focusing on actors with diverse alert activities. Note that the grouping uses fixed one-day bins rather than a sliding 24-hour window, so related alerts that straddle a bin boundary land in separate rows; widen the bin or post-process the results if that matters for your tenant.
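To sanity-check the clustering threshold before deploying the rule, the following Python script replays the query's filter, actor coalescing, one-day binning and `DistinctTypes >= 2` rule over constructed records. It is an added example, not part of the original query page or its author's work; the record shape (TimeGenerated, Source, AlertType, AlertData) mirrors the columns the query references, and KQL's `has_any` term matching is approximated by a case-insensitive substring test.

```python
from collections import defaultdict
from datetime import datetime

SOURCES = {"Sensitive Admin Action", "User Changes"}
TYPE_TERMS = ("sso profile", "super admin password reset",
              "primary admin changed", "granted admin")

def matches(alert: dict) -> bool:
    """Source in (...) or AlertType has_any (...); has_any approximated as a case-insensitive substring test."""
    atype = str(alert.get("AlertType", "")).lower()
    return alert.get("Source") in SOURCES or any(t in atype for t in TYPE_TERMS)

def actor_of(alert: dict) -> str:
    """tostring(coalesce(AlertData.actorEmail, AlertData.email))."""
    data = alert.get("AlertData") or {}
    return str(data.get("actorEmail") or data.get("email") or "")

def cluster(alerts: list, min_distinct: int = 2) -> list:
    """summarize ... by bin(TimeGenerated, 1d), Actor | where DistinctTypes >= N | order by AlertCount desc."""
    buckets = defaultdict(list)
    for a in alerts:
        if matches(a):
            buckets[(a["TimeGenerated"].date(), actor_of(a))].append(a)  # bin(TimeGenerated, 1d)
    rows = []
    for (day, actor), group in buckets.items():
        types = sorted({g["AlertType"] for g in group})   # make_set / dcount
        if len(types) < min_distinct:
            continue
        times = [g["TimeGenerated"] for g in group]
        rows.append({"Day": day, "Actor": actor, "DistinctTypes": len(types),
                     "AlertTypes": types, "FirstSeen": min(times),
                     "LastSeen": max(times), "AlertCount": len(group)})
    return sorted(rows, key=lambda r: r["AlertCount"], reverse=True)

def rec(ts, source, atype, **data):  # builds a constructed GWSAlerts_CL-style record (sample data, not a real tenant)
    return {"TimeGenerated": ts, "Source": source, "AlertType": atype, "AlertData": data}

SAMPLE = [
    rec(datetime(2026, 5, 1, 9, 0), "Sensitive Admin Action", "SSO profile updated", actorEmail="adm@example.test"),
    rec(datetime(2026, 5, 1, 9, 30), "User Changes", "Super admin password reset", email="adm@example.test"),
    # Source not in the list, but AlertType matches the has_any branch.
    rec(datetime(2026, 5, 1, 23, 59), "Other", "User granted Admin privilege", actorEmail="adm@example.test"),
    # Same actor, two matching types, but they fall into different one-day bins: no cluster.
    rec(datetime(2026, 5, 2, 0, 5), "User Changes", "Primary admin changed", actorEmail="ops@example.test"),
    rec(datetime(2026, 5, 3, 10, 0), "User Changes", "SSO profile updated", actorEmail="ops@example.test"),
    # One alert type repeated: AlertCount is 2 but DistinctTypes is 1, so it is dropped.
    rec(datetime(2026, 5, 1, 11, 0), "User Changes", "User suspended", actorEmail="hr@example.test"),
    rec(datetime(2026, 5, 1, 12, 0), "User Changes", "User suspended", actorEmail="hr@example.test"),
]
```

Running `cluster(SAMPLE)` returns a single row for `adm@example.test` on 2026-05-01 with three distinct types; the other two actors are filtered out for the reasons given in the comments.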

Details

David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL

Keywords

GWSAlerts, TimeGenerated, Source, AlertType, Actor, AlertData, Email

Operators

where, ago, in, has_any, extend, tostring, coalesce, summarize, dcount, make_set, min, max, count, bin, order by