Admin privileges were granted to a Google Workspace user

Cortex XDR Analytics Alert Reference by Alert name

Product: Cortex XDR
Last date published: 2024-06-04
Category: Analytics Alert Reference
Order: Alert name

Synopsis

Activation Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 5 Days
Required Data:
  • Requires:
    • Google Workspace Audit Logs
Detection Modules: Identity Threat Module
ATT&CK Tactic: Privilege Escalation (TA0004)
ATT&CK Technique: Valid Accounts (T1078)
Severity: Informational

Description

Admin privileges were granted to a Google Workspace user. This user now has access to additional administrative functions and settings.

Attacker's Goals

  • Gain access to sensitive data stored in Google Workspace.
  • Manipulate or delete data stored in Google Workspace.
  • Gain access to privileged features in Google Workspace.

Investigative actions

  • Check which Google Workspace user was granted the admin privileges.
  • Check if the user is authorized to be granted such privileges.
  • Review the audit logs to determine the actions taken by the user.
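
The three investigative actions above can be run over exported audit events, as in this added example (not Cortex XDR code or its detection logic). It assumes events in the Admin SDK Reports API "admin" activity shape with the event names `GRANT_ADMIN_PRIVILEGE` and `ASSIGN_ROLE`; the `act` helper, the allowlist, the role name and all sample events are constructed for illustration.

```python
from datetime import datetime
# Assumption: events follow the Admin SDK Reports API "admin" activity shape.
GRANT_EVENTS = {"GRANT_ADMIN_PRIVILEGE", "ASSIGN_ROLE"}
APPROVED_ADMINS = {"it-lead@example.com"}  # hypothetical allowlist of approved admins

def act(time, actor, name, **params):
    """Build one constructed activity record for the sample data below."""
    return {"id": {"time": time}, "actor": {"email": actor},
            "events": [{"name": name, "parameters":
                        [{"name": k, "value": v} for k, v in params.items()]}]}

# Constructed sample log, deliberately out of chronological order.
SAMPLE = [
    act("2024-05-01T10:07:00Z", "temp.contractor@example.com", "CHANGE_PASSWORD",
        USER_EMAIL="cfo@example.com"),
    act("2024-05-01T10:00:00Z", "admin@example.com", "GRANT_ADMIN_PRIVILEGE",
        USER_EMAIL="it-lead@example.com"),
    act("2024-05-01T10:05:00Z", "admin@example.com", "ASSIGN_ROLE",
        USER_EMAIL="Temp.Contractor@example.com", ROLE_NAME="example-role"),
    act("2024-05-01T09:00:00Z", "temp.contractor@example.com", "CREATE_USER",
        USER_EMAIL="new.hire@example.com"),
]

def _when(a):
    return datetime.fromisoformat(a["id"]["time"].replace("Z", "+00:00"))

def _actor(a):
    return a.get("actor", {}).get("email", "").lower()

def triage(activities, approved=APPROVED_ADMINS):
    """One finding per grant: grantee, grantor, authorized?, grantee's later actions."""
    ordered = sorted(activities, key=_when)
    findings = []
    for i, a in enumerate(ordered):
        for ev in a.get("events", []):
            if ev.get("name") not in GRANT_EVENTS:
                continue
            params = {p["name"]: p.get("value") for p in ev.get("parameters", [])}
            grantee = (params.get("USER_EMAIL") or "").lower()
            findings.append({
                "grantee": grantee or None,  # None: target missing, check manually
                "granted_by": _actor(a),
                "role": params.get("ROLE_NAME"),
                "authorized": grantee in approved,
                "later_actions": [e["name"] for b in ordered[i + 1:]
                                  if grantee and _actor(b) == grantee
                                  for e in b.get("events", [])],
            })
    return findings
```

Calling `triage(SAMPLE)` returns the grants in time order; an unauthorized grantee with a non-empty `later_actions` list is the case to escalate first.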