Query Details

GWS - Sensitive Admin Action - SSO / Super Admin Changes

GWS Alerts Sensitive Admin SSO Change

Query

GWSAlerts_CL
| where Source == "Sensitive Admin Action"
     or AlertDataType endswith "SensitiveAdminAction"
     or AlertType has_any ("SSO profile", "Super admin password reset", "Primary admin changed")
| extend Actor = tostring(coalesce(AlertData.actorEmail, AlertData.email)),
         Target = tostring(coalesce(AlertData.targetEmail, AlertData.target))
| project TimeGenerated, AlertId, MetadataSeverity, Source, AlertType,
          Actor, Target, SecurityInvestigationToolLink, AlertData

Explanation

This query is part of a security monitoring setup for Google Workspace. It is designed to detect and alert on sensitive administrative actions that could indicate potential security threats. Here's a simple breakdown:

  • Purpose: The query identifies high-risk administrative changes such as changes to the primary admin, super admin password resets, or modifications to Single Sign-On (SSO) profiles. These actions are considered sensitive because they can be exploited in attacks to gain persistent access or escalate privileges.

  • Severity: The alert generated by this query is classified as "High" severity, indicating that these actions are critical and require immediate attention.

  • Data Source: It uses data from Google Workspace alerts, specifically looking at logs related to sensitive admin actions.

  • Frequency and Period: The query runs every 10 minutes and looks back over the past hour to identify any relevant events.

  • Detection Criteria: It filters alerts where the source is "Sensitive Admin Action" or where the alert type involves SSO profile changes, super admin password resets, or primary admin changes.

  • Output: The query extracts and displays information such as the time of the alert, alert ID, severity, source, type of alert, the actor (who performed the action), the target (who was affected), and a link to a security investigation tool for further analysis.

  • Entity Mapping: It maps the actor and target to account entities and the investigation tool link to a URL entity for better integration with security tools.

  • Incident Creation: If the query finds any matching events, it will automatically create an incident for further investigation.

  • Tactics and Techniques: The query is associated with tactics like Persistence, Privilege Escalation, and Defense Evasion, and it references specific attack techniques (T1556, T1098, T1484.002) from the MITRE ATT&CK framework.

Overall, this query is a proactive measure to detect and respond to potentially malicious administrative actions within Google Workspace environments.

Details

David Alonso profile picture

David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL

Keywords

GoogleWorkspaceDefinitionGWSAlerts_CLAlertDataActorTargetSecurityInvestigationToolLinkAccountURL

Operators

whereorendswithhas_anyextendtostringcoalesceproject

Severity

High

Tactics

PersistencePrivilegeEscalationDefenseEvasion

MITRE Techniques

Frequency: 10m

Period: 1h

Actions

GitHub