[Rule Tuning] Google Workspace Admin Role Assigned to a User #4651

Open
buzzdeee opened this issue Apr 24, 2025 · 0 comments
Labels
community Rule: Tuning tweaking or tuning an existing rule Team: TRADE

Comments

@buzzdeee

Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml

Rule Tuning Type

False Negatives - Enhancing detection of true threats that were previously missed.

Description

Currently, the query of the rule limits itself to:
google_workspace.admin.role.name : *_ADMIN_ROLE

But at least custom GWS roles may have arbitrary names, which the rule would not catch.

Given the name of the rule and its description, it should catch assignments to any GWS Admin role.

In addition to that, there is the default "_SEED_ADMIN_ROLE", a.k.a. the "Super Admin" role.

This Super Admin role is especially critical, because:

  • it's the only role whose members are allowed to manage other admin roles and members
  • members of that role have implicit Super Admin/Owner rights on the organization's Google Cloud account

Therefore, I suggest the following changes:

  • change the query to: google_workspace.admin.role.name : * <- or omit this part altogether
  • change the default severity of the rule to low or medium
    • since _SEED_ADMIN_ROLE members are the only ones allowed to do so
      • yes, the acting admin account might be hacked, or there might be an insider threat
  • use severity override, and change this to critical when: google_workspace.admin.role.name : _SEED_ADMIN_ROLE

Example Data

...
    "google_workspace.admin.role.name": [
      "My Custom Super Admin role"
    ],
...
@buzzdeee buzzdeee added Rule: Tuning tweaking or tuning an existing rule Team: TRADE labels Apr 24, 2025
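Added example to illustrate the false negative described in this issue; this is not code from the issue author or from the elastic/detection-rules project. It re-implements the current predicate (the `*_ADMIN_ROLE` wildcard) and the proposed one (any role name, plus the `_SEED_ADMIN_ROLE` severity override) as plain Python over constructed sample events, so you can see which assignments the current query misses. The `event.action` value "ASSIGN_ROLE" and the sample events are assumptions; the field name, the wildcard and the `_SEED_ADMIN_ROLE` name come from the issue.

```python
import fnmatch

SEED_ADMIN_ROLE = "_SEED_ADMIN_ROLE"   # built-in Super Admin role named in the issue
CURRENT_PATTERN = "*_ADMIN_ROLE"        # wildcard used by the current rule query
ROLE_FIELD = "google_workspace.admin.role.name"

# Constructed sample events (not real audit data). The role field is sometimes
# a one-element list, as in the issue's example data, and sometimes a scalar.
SAMPLE_EVENTS = [
    {"event.action": "ASSIGN_ROLE", ROLE_FIELD: ["_SEED_ADMIN_ROLE"], "user.email": "alice@example.com"},
    {"event.action": "ASSIGN_ROLE", ROLE_FIELD: "_GROUPS_ADMIN_ROLE", "user.email": "bob@example.com"},
    {"event.action": "ASSIGN_ROLE", ROLE_FIELD: ["My Custom Super Admin role"], "user.email": "carol@example.com"},
    {"event.action": "ASSIGN_ROLE", ROLE_FIELD: "Helpdesk L1", "user.email": "dave@example.com"},
    {"event.action": "UNASSIGN_ROLE", ROLE_FIELD: "_SEED_ADMIN_ROLE", "user.email": "erin@example.com"},
]


def role_names(event):
    """Return the event's role name(s) as a list, whatever shape the field has."""
    value = event.get(ROLE_FIELD)
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def is_role_assignment(event):
    # Assumed action value; the real rule's action filter is not quoted in the issue.
    return event.get("event.action") == "ASSIGN_ROLE"


def current_rule_matches(event):
    """Current query: role name must match *_ADMIN_ROLE (case-sensitive, like a keyword wildcard)."""
    return is_role_assignment(event) and any(
        fnmatch.fnmatchcase(name, CURRENT_PATTERN) for name in role_names(event)
    )


def proposed_rule_matches(event):
    """Proposed query: any non-empty role name (google_workspace.admin.role.name : *)."""
    return is_role_assignment(event) and bool(role_names(event))


def proposed_severity(event, default="medium"):
    """Proposed override: critical when the Super Admin role is involved, else the rule default."""
    if SEED_ADMIN_ROLE in role_names(event):
        return "critical"
    return default


def false_negatives(events):
    """Assignments the proposed predicate catches that the current one misses."""
    return [e for e in events if proposed_rule_matches(e) and not current_rule_matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['user.email']:20} current={current_rule_matches(e)!s:5} "
              f"proposed={proposed_rule_matches(e)!s:5} severity={proposed_severity(e)}")
    print("missed by current rule:", [e["user.email"] for e in false_negatives(SAMPLE_EVENTS)])
```

Running it shows the two custom-named roles ("My Custom Super Admin role" and "Helpdesk L1") are dropped by the current wildcard and picked up by the proposed query, while only the `_SEED_ADMIN_ROLE` assignment is raised to critical; everything else keeps the lower default severity the issue proposes.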