A user member added via the Admin Service (Admin Console or Directory API) to a highly privileged Google Group (e.g. admin@example.com), thereby acquiring a high level of access
Category: IAM, Keys & Secrets Changes
Use Cases: Detect, Audit
Data Sources: Workspace Admin Audit
BigQuery | Log Analytics | Google SecOps |
---|---|---|
SQL | SQL | Contribute rule |
As a Google Workspace administrator, add a test user to the admin
Google Group using the Admin Console.
Note that the lag time of Groups Audit Logs can be tens of minutes.
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "admin@example.com"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {
},
"destinationAttributes": {
}
},
"serviceName": "admin.googleapis.com",
"methodName": "google.admin.AdminService.addGroupMember",
"resourceName": "organizations/123/groupSettings",
"metadata": {
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
"activityId": {
"timeUsec": "1647987178916000",
"uniqQualifier": "-8614641986436885296"
},
"event": [
{
"eventName": "ADD_GROUP_MEMBER",
"eventType": "GROUP_SETTINGS",
"parameter": [
{
"label": "LABEL_OPTIONAL",
"value": "test-user@example.com",
"type": "TYPE_STRING",
"name": "USER_EMAIL"
},
{
"type": "TYPE_STRING",
"value": "admins@example.com",
"label": "LABEL_OPTIONAL",
"name": "GROUP_EMAIL"
}
]
}
]
}
},
"insertId": "285djodxlmu",
"resource": {
"type": "audited_resource",
"labels": {
"service": "admin.googleapis.com",
"method": "google.admin.AdminService.addGroupMember"
}
},
"timestamp": "2022-03-22T22:12:58.916Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Factivity",
"receiveTimestamp": "2022-03-22T22:12:59.439766009Z"
}