GWS - User Granted Admin Privilege
GWS Alerts Admin Privilege Grant
Query
GWSAlerts_CL
| where Source == "User Changes"
or AlertDataType endswith "UserChanges"
| where AlertType has_any ("granted Admin", "Suspended user made active")
| extend Actor = tostring(coalesce(AlertData.actorEmail, AlertData.email)),
Target = tostring(coalesce(AlertData.targetEmail, AlertData.userEmail))
| project TimeGenerated, AlertId, MetadataSeverity, Source, AlertType,
Actor, Target, SecurityInvestigationToolLink, AlertDataExplanation
This query is a scheduled alert designed to detect when a user in a Google Workspace environment is granted admin privileges or when a previously suspended user account is reactivated. This activity is often associated with persistence techniques following an account takeover. Here’s a breakdown of the query:
- ID and Name: The alert is identified by a unique ID and is named "GWS - User Granted Admin Privilege."
- Description: It highlights that the alert is triggered when admin privileges are granted or a suspended user is reactivated, which can be a sign of unauthorized access.
- Severity: The alert is classified with a medium severity level.
- Status: The alert is currently available for use.
- Data Source: It requires data from the Google Workspace connector, specifically looking at "GWSAlerts_CL" data type.
- Frequency and Period: The query runs every 30 minutes and looks back over a 2-hour period.
- Trigger Conditions: The alert triggers if there is more than zero occurrences of the specified activity.
- Tactics and Techniques: It is associated with persistence and privilege escalation tactics, specifically technique T1098.003. - Query Logic: The query searches for alerts related to user changes, specifically looking for alerts where admin privileges are granted or a suspended user is reactivated. It extracts relevant information such as the actor (who made the change) and the target (whose account was affected).
- Entity Mappings: It maps the actor and target to account entities for further investigation.
- Incident Configuration: If the conditions are met, an incident is created for further investigation.
- Version and Kind: The alert is version 1.0.0 and is a scheduled type.
In simple terms, this query helps identify potentially suspicious changes in user privileges within Google Workspace, which could indicate unauthorized access or account compromise.
