Query Details

GWS Alerts Sensitive Admin SSO Change

Query

id: 7a3f2c8e-1d4b-4e5a-9c2f-8b1d7e6a4f04
name: GWS - Sensitive Admin Action - SSO / Super Admin Changes
description: |
  A sensitive admin action was performed: primary admin changed, super admin
  password reset, or SSO profile added/updated/deleted. These are high-leverage
  changes that have been used in IdP-relay and persistence attacks against
  Workspace tenants. (See also GCP-Pentest-Checklist - IAM persistence patterns.)
severity: High
status: Available
requiredDataConnectors:
  - connectorId: GoogleWorkspaceDefinition
    dataTypes:
      - GWSAlerts_CL
queryFrequency: 10m
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
  - PrivilegeEscalation
  - DefenseEvasion
relevantTechniques:
  - T1556
  - T1098
  - T1484.002
query: |
  GWSAlerts_CL
  | where Source == "Sensitive Admin Action"
       or AlertDataType endswith "SensitiveAdminAction"
       or AlertType has_any ("SSO profile", "Super admin password reset", "Primary admin changed")
  | extend Actor = tostring(coalesce(AlertData.actorEmail, AlertData.email)),
           Target = tostring(coalesce(AlertData.targetEmail, AlertData.target))
  | project TimeGenerated, AlertId, MetadataSeverity, Source, AlertType,
            Actor, Target, SecurityInvestigationToolLink, AlertData
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: Actor
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: Target
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: SecurityInvestigationToolLink
incidentConfiguration:
  createIncident: true
version: 1.0.0
kind: Scheduled

Explanation

This query is part of a security monitoring setup for Google Workspace. It is designed to detect and alert on sensitive administrative actions that could indicate potential security threats. Here's a simple breakdown:

  • Purpose: The query identifies high-risk administrative changes such as changes to the primary admin, super admin password resets, or modifications to Single Sign-On (SSO) profiles. These actions are considered sensitive because they can be exploited in attacks to gain persistent access or escalate privileges.

  • Severity: The alert generated by this query is classified as "High" severity, indicating that these actions are critical and require immediate attention.

  • Data Source: It reads the GWSAlerts_CL table delivered by the Google Workspace alerts connector, focusing on the alerts that describe sensitive admin actions.

  • Frequency and Period: The query runs every 10 minutes and looks back over the past hour to identify any relevant events.

  • Detection Criteria: It keeps alerts whose Source is "Sensitive Admin Action", whose AlertDataType ends with "SensitiveAdminAction", or whose AlertType mentions SSO profile changes, super admin password resets, or primary admin changes. The actor and target are taken from the alert payload, falling back to alternative field names when the primary ones are absent.

  • Output: The query extracts and displays information such as the time of the alert, alert ID, severity, source, type of alert, the actor (who performed the action), the target (who was affected), and a link to a security investigation tool for further analysis.

  • Entity Mapping: It maps the actor and target to account entities and the investigation tool link to a URL entity for better integration with security tools.

  • Incident Creation: If the query finds any matching events, it will automatically create an incident for further investigation.

  • Tactics and Techniques: The query is associated with tactics like Persistence, Privilege Escalation, and Defense Evasion, and it references specific attack techniques (T1556, T1098, T1484.002) from the MITRE ATT&CK framework.

Overall, this query is a proactive measure to detect and respond to potentially malicious administrative actions within Google Workspace environments.
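To check the rule's filter and field-coalescing logic offline before deploying it, here is an added Python re-implementation of the query's where, extend and project stages run over constructed sample rows. It is not part of the original rule or of Sentinel's query engine; the sample field values and the whole-term approximation of KQL has_any are assumptions.

```python
import re
# Constructed sample GWSAlerts_CL rows (not real tenant data); field names follow the
# columns the rule references. Row a2 exercises the coalesce() fallback to
# AlertData.email / AlertData.target; row a3 must not match.
SAMPLE_ALERTS = [
    {"TimeGenerated": "2026-05-07T10:00:00Z", "AlertId": "a1", "MetadataSeverity": "HIGH",
     "Source": "Sensitive Admin Action", "AlertType": "SSO profile created",
     "AlertDataType": "google.apps.alertcenter.type.SensitiveAdminAction",
     "SecurityInvestigationToolLink": "https://admin.example.test/investigate/a1",
     "AlertData": {"actorEmail": "admin@example.test", "targetEmail": "sso@example.test"}},
    {"TimeGenerated": "2026-05-07T10:05:00Z", "AlertId": "a2", "MetadataSeverity": "HIGH",
     "Source": "Google Operations", "AlertType": "Super admin password reset",
     "AlertData": {"email": "helpdesk@example.test", "target": "ceo@example.test"}},
    {"TimeGenerated": "2026-05-07T10:07:00Z", "AlertId": "a3", "Source": "Gmail phishing",
     "AlertType": "User reported phishing", "AlertData": {"email": "user@example.test"}},
]

SENSITIVE_TYPES = ("SSO profile", "Super admin password reset", "Primary admin changed")

def has_any(text, phrases):
    """Approximates KQL has_any: case-insensitive match on whole terms only."""
    return any(re.search(rf"\b{re.escape(p)}\b", text or "", re.I) for p in phrases)

def matches_rule(row):
    """The rule's where stage: KQL == is case-sensitive, endswith/has_any are not."""
    return (row.get("Source") == "Sensitive Admin Action"
            or (row.get("AlertDataType") or "").lower().endswith("sensitiveadminaction")
            or has_any(row.get("AlertType"), SENSITIVE_TYPES))

def coalesce(*values):
    """KQL coalesce wrapped in tostring: first non-null value, else empty string."""
    return next((str(v) for v in values if v not in (None, "")), "")

def project(row):
    """The rule's extend + project stage for one matching row."""
    data = row.get("AlertData") or {}
    return {
        "TimeGenerated": row.get("TimeGenerated"), "AlertId": row.get("AlertId"),
        "MetadataSeverity": row.get("MetadataSeverity"), "Source": row.get("Source"),
        "AlertType": row.get("AlertType"),
        "Actor": coalesce(data.get("actorEmail"), data.get("email")),
        "Target": coalesce(data.get("targetEmail"), data.get("target")),
        "SecurityInvestigationToolLink": row.get("SecurityInvestigationToolLink"),
        "AlertData": data,
    }

def run_rule(rows):
    """Apply the rule to a batch of rows and return the projected hits in input order."""
    return [project(r) for r in rows if matches_rule(r)]
```

Feeding the real connector's sample payloads through run_rule is a quick way to confirm the actorEmail/email fallback produces a non-empty Actor before the rule goes live.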

Details


David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL

Keywords

GoogleWorkspaceDefinition, GWSAlerts_CL, AlertData, Actor, Target, SecurityInvestigationToolLink, Account, URL

Operators

where, or, endswith, has_any, extend, tostring, coalesce, project
