Query Details

GWS - User Granted Admin Privilege

GWS Alerts Admin Privilege Grant

Query

GWSAlerts_CL
| where Source == "User Changes"
     or AlertDataType endswith "UserChanges"
| where AlertType has_any ("granted Admin", "Suspended user made active")
| extend Actor = tostring(coalesce(AlertData.actorEmail, AlertData.email)),
         Target = tostring(coalesce(AlertData.targetEmail, AlertData.userEmail))
| project TimeGenerated, AlertId, MetadataSeverity, Source, AlertType,
          Actor, Target, SecurityInvestigationToolLink, AlertData

Explanation

This query is a scheduled alert designed to detect when a user in a Google Workspace environment is granted admin privileges or when a previously suspended user account is reactivated. This activity is often associated with persistence techniques following an account takeover. Here’s a breakdown of the query:

  • ID and Name: The alert is identified by a unique ID and is named "GWS - User Granted Admin Privilege."
  • Description: It highlights that the alert is triggered when admin privileges are granted or a suspended user is reactivated, which can be a sign of unauthorized access.
  • Severity: The alert is classified with a medium severity level.
  • Status: The alert is currently available for use.
  • Data Source: It requires data from the Google Workspace connector, specifically looking at "GWSAlerts_CL" data type.
  • Frequency and Period: The query runs every 30 minutes and looks back over a 2-hour period.
  • Trigger Conditions: The alert triggers if there is more than zero occurrences of the specified activity.
  • Tactics and Techniques: It is associated with persistence and privilege escalation tactics, specifically technique T1098.003. - Query Logic: The query searches for alerts related to user changes, specifically looking for alerts where admin privileges are granted or a suspended user is reactivated. It extracts relevant information such as the actor (who made the change) and the target (whose account was affected).
  • Entity Mappings: It maps the actor and target to account entities for further investigation.
  • Incident Configuration: If the conditions are met, an incident is created for further investigation.
  • Version and Kind: The alert is version 1.0.0 and is a scheduled type.

In simple terms, this query helps identify potentially suspicious changes in user privileges within Google Workspace, which could indicate unauthorized access or account compromise.

Details

David Alonso profile picture

David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL

Keywords

UserAdminPrivilegesAccountSecurityAlertEmail

Operators

whereorendswithhas_anyextendtostringcoalesceproject

Severity

Medium

Tactics

PersistencePrivilegeEscalation

MITRE Techniques

Frequency: 30m

Period: 2h

Actions

GitHub