Skip to content

Latest commit

 

History

History
104 lines (81 loc) · 2.9 KB

2.02.md

File metadata and controls

104 lines (81 loc) · 2.9 KB

2.02 - User added to highly-privileged Google Group

A user member added via Admin Service (Admin Console or Directory API) to a highly-privileged Google Group (e.g. admin@example.com) thereby acquiring high level of access

Category: IAM, Keys & Secrets Changes
Use Cases: Detect, Audit
Data Sources: Workspace Admin Audit

Queries or Rules

BigQuery Log Analytics Google SecOps
SQL SQL Contribute rule

Event Generation

As Google Workspace administrator, add test user to admin Google Group using Admin Console. Note lag time of Groups Audit Logs can be tens of minutes.

Test Prerequisites

  1. Enable Workspace Audit Logs forwarding to Cloud Audit Logs

Sample Event

google.admin.AdminService.addGroupMember

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "admin@example.com"
    },
    "requestMetadata": {
      "callerIp": "203.0.113.255",
      "requestAttributes": {
      },
      "destinationAttributes": {
      }
    },
    "serviceName": "admin.googleapis.com",
    "methodName": "google.admin.AdminService.addGroupMember",
    "resourceName": "organizations/123/groupSettings",
    "metadata": {
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
      "activityId": {
        "timeUsec": "1647987178916000",
        "uniqQualifier": "-8614641986436885296"
      },
      "event": [
        {
          "eventName": "ADD_GROUP_MEMBER",
          "eventType": "GROUP_SETTINGS",
          "parameter": [
            {
              "label": "LABEL_OPTIONAL",
              "value": "test-user@example.com",
              "type": "TYPE_STRING",
              "name": "USER_EMAIL"
            },
            {
              "type": "TYPE_STRING",
              "value": "admins@example.com",
              "label": "LABEL_OPTIONAL",
              "name": "GROUP_EMAIL"
            }
          ]
        }
      ]
    }
  },
  "insertId": "285djodxlmu",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "admin.googleapis.com",
      "method": "google.admin.AdminService.addGroupMember"
    }
  },
  "timestamp": "2022-03-22T22:12:58.916Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Factivity",
  "receiveTimestamp": "2022-03-22T22:12:59.439766009Z"
}

References