Query Details

GWS Alerts Admin Privilege Grant

Query

id: 7a3f2c8e-1d4b-4e5a-9c2f-8b1d7e6a4f05
name: GWS - User Granted Admin Privilege
description: |
  A user was granted admin privileges or a previously suspended user was
  reactivated. Common technique for persistence after account takeover.
severity: Medium
status: Available
requiredDataConnectors:
  - connectorId: GoogleWorkspaceDefinition
    dataTypes:
      - GWSAlerts_CL
queryFrequency: 30m
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
  - PrivilegeEscalation
relevantTechniques:
  - T1098.003
query: |
  GWSAlerts_CL
  | where Source == "User Changes"
       or AlertDataType endswith "UserChanges"
  | where AlertType has_any ("granted Admin", "Suspended user made active")
  | extend Actor = tostring(coalesce(AlertData.actorEmail, AlertData.email)),
           Target = tostring(coalesce(AlertData.targetEmail, AlertData.userEmail))
  | project TimeGenerated, AlertId, MetadataSeverity, Source, AlertType,
            Actor, Target, SecurityInvestigationToolLink, AlertData
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: Actor
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: Target
incidentConfiguration:
  createIncident: true
version: 1.0.0
kind: Scheduled

Explanation

This query is a scheduled alert designed to detect when a user in a Google Workspace environment is granted admin privileges or when a previously suspended user account is reactivated. This activity is often associated with persistence techniques following an account takeover. Here’s a breakdown of the query:

  • ID and Name: The alert is identified by a unique ID and is named "GWS - User Granted Admin Privilege."
  • Description: It highlights that the alert is triggered when admin privileges are granted or a suspended user is reactivated, which can be a sign of unauthorized access.
  • Severity: The alert is classified with a medium severity level.
  • Status: The alert is currently available for use.
  • Data Source: It requires data from the Google Workspace connector, specifically the "GWSAlerts_CL" data type.
  • Frequency and Period: The query runs every 30 minutes and looks back over a 2-hour period.
  • Trigger Conditions: The alert triggers if there are more than zero occurrences of the specified activity within the lookback period.
  • Tactics and Techniques: It is associated with the persistence and privilege escalation tactics, specifically technique T1098.003.
  • Query Logic: The query searches for alerts related to user changes, specifically alerts where admin privileges are granted or a suspended user is reactivated. It extracts relevant information such as the actor (who made the change) and the target (whose account was affected).
  • Entity Mappings: It maps the actor and target to account entities for further investigation.
  • Incident Configuration: If the conditions are met, an incident is created for further investigation.
  • Version and Kind: The alert is version 1.0.0 and is a scheduled type.

In simple terms, this query helps identify potentially suspicious changes in user privileges within Google Workspace, which could indicate unauthorized access or account compromise.
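To check the filter and extend logic offline before deploying the rule, here is an added Python simulation of the KQL pipeline over constructed GWSAlerts_CL-style rows (example code, not part of the rule or of Sentinel). It assumes the column and AlertData field names shown in the query above, and its has_any helper only approximates KQL term-boundary, case-insensitive matching.

```python
"""Offline simulation of the 'GWS - User Granted Admin Privilege' KQL pipeline (added example)."""
import re
# Constructed sample rows shaped like GWSAlerts_CL columns; values are illustrative only.
SAMPLE_ROWS = [
    {"TimeGenerated": "2026-05-07T10:00:00Z", "AlertId": "a1", "MetadataSeverity": "MEDIUM",
     "Source": "User Changes", "AlertDataType": "google.apps.alertcenter.type.UserChanges",
     "AlertType": "User granted Admin privilege",
     "AlertData": {"actorEmail": "admin@example.com", "targetEmail": "bob@example.com"}},
    {"TimeGenerated": "2026-05-07T10:05:00Z", "AlertId": "a2", "MetadataSeverity": "LOW",
     "Source": "User Changes", "AlertDataType": "google.apps.alertcenter.type.UserChanges",
     "AlertType": "Suspended user made active",
     "AlertData": {"email": "svc@example.com", "userEmail": "alice@example.com"}},
    {"TimeGenerated": "2026-05-07T10:10:00Z", "AlertId": "a3", "MetadataSeverity": "LOW",
     "Source": "Gmail phishing", "AlertDataType": "google.apps.alertcenter.type.MailPhishing",
     "AlertType": "User reported phishing", "AlertData": {"actorEmail": "x@example.com"}},
    {"TimeGenerated": "2026-05-07T10:15:00Z", "AlertId": "a4", "MetadataSeverity": "LOW",
     "Source": "User Changes", "AlertDataType": "google.apps.alertcenter.type.UserChanges",
     "AlertType": "User password changed", "AlertData": {"actorEmail": "carol@example.com"}},
]
PATTERNS = ("granted Admin", "Suspended user made active")
PROJECTED = ("TimeGenerated", "AlertId", "MetadataSeverity", "Source", "AlertType",
             "Actor", "Target", "SecurityInvestigationToolLink", "AlertData")

def has_any(text, phrases):
    """Approximates KQL has_any: case-insensitive phrase match on whole-term boundaries."""
    return any(re.search(r"(?<!\w)" + re.escape(p) + r"(?!\w)", text, re.IGNORECASE)
               for p in phrases)

def coalesce(*values):  # KQL coalesce: first non-empty value, else None
    return next((v for v in values if v), None)

def run_query(rows):
    """Apply the rule's where / extend / project stages and return the projected rows."""
    out = []
    for r in rows:
        # | where Source == "User Changes" or AlertDataType endswith "UserChanges"
        if not (r.get("Source") == "User Changes"
                or str(r.get("AlertDataType", "")).endswith("UserChanges")):
            continue
        if not has_any(str(r.get("AlertType", "")), PATTERNS):  # | where AlertType has_any (...)
            continue
        d = r.get("AlertData") or {}  # | extend Actor = ..., Target = ...
        r = dict(r, Actor=coalesce(d.get("actorEmail"), d.get("email")),
                 Target=coalesce(d.get("targetEmail"), d.get("userEmail")))
        out.append({k: r.get(k) for k in PROJECTED})  # | project ...
    return out

def would_trigger(rows):
    """triggerOperator gt / triggerThreshold 0: the rule fires when any row survives."""
    return len(run_query(rows)) > 0
```

Rows a3 and a4 are dropped by the Source and has_any filters respectively, so only a1 and a2 survive and the rule would fire.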

Details


David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL

Keywords

User, Admin Privileges, Account Security, Alert, Email

Operators

where, or, endswith, has_any, extend, tostring, coalesce, project
