Open
Description
Link to Rule
Rule Tuning Type
False Negatives - Enhancing detection of true threats that were previously missed.
Description
Currently, the query of the rule limits itself to:
google_workspace.admin.role.name : *_ADMIN_ROLE
But at least custom GWS roles may have arbitrary names, which the rule would not catch.
Given the name of the rule and its description, it should catch assignments to any GWS Admin role.
In addition to that, there is the default "_SEED_ADMIN_ROLE", a.k.a. the "Super Admin" role.
This Super Admin role is especially critical, because:
- it's the only role where members are allowed to manage other admin roles and members
- members of that role have implicit Super Admin/Owner rights on the organization's Google Cloud account
Therefore, I suggest the following changes:
- change the query to: google_workspace.admin.role.name : * <- or omit this part altogether
- change the default severity of the rule to low or medium
- since _SEED_ADMIN_ROLE members are the only ones allowed to do so
- yes, the acting admin account might be hacked, or there might be an insider threat
- use severity override, and change this to critical when: google_workspace.admin.role.name : _SEED_ADMIN_ROLE
Example Data
...
"google_workspace.admin.role.name": [
"My Custom Super Admin role"
],
...
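To make the false negative concrete, here is an added example (not part of this issue or the rule's own code) that replays constructed events through the current `*_ADMIN_ROLE` query, the proposed catch-all query, and the proposed `_SEED_ADMIN_ROLE` severity override. The KQL wildcard match on the keyword field is approximated with `fnmatchcase`, and the `ASSIGN_ROLE` action and role names are constructed sample values.

```python
from fnmatch import fnmatchcase

# Constructed sample events, not real Google Workspace audit logs. The role name field
# is an array, as in the Example Data above.
SAMPLE_EVENTS = [
    {"event.action": "ASSIGN_ROLE", "google_workspace.admin.role.name": ["_SEED_ADMIN_ROLE"]},
    {"event.action": "ASSIGN_ROLE", "google_workspace.admin.role.name": ["_GROUPS_ADMIN_ROLE"]},
    {"event.action": "ASSIGN_ROLE", "google_workspace.admin.role.name": ["My Custom Super Admin role"]},
    {"event.action": "ASSIGN_ROLE", "google_workspace.admin.role.name": ["Helpdesk"]},
]

SUPER_ADMIN_ROLE = "_SEED_ADMIN_ROLE"  # default GWS "Super Admin" role


def role_names(event):
    """Normalise the role name field to a list (the integration emits an array)."""
    value = event.get("google_workspace.admin.role.name")
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matches_current_rule(event):
    """The rule's present query: google_workspace.admin.role.name : *_ADMIN_ROLE"""
    return any(fnmatchcase(name, "*_ADMIN_ROLE") for name in role_names(event))


def matches_proposed_rule(event):
    """Proposed query: google_workspace.admin.role.name : *  (any role name present)"""
    return len(role_names(event)) > 0


def proposed_severity(event, default="medium"):
    """Proposed severity override: critical when the Super Admin role is assigned."""
    return "critical" if SUPER_ADMIN_ROLE in role_names(event) else default


def missed_by_current_rule(events):
    """Role assignments the present query silently drops (the false negatives)."""
    return [n for e in events if not matches_current_rule(e) for n in role_names(e)]


def evaluate(events):
    """Per event: role names, whether each query fires, and the severity the proposal would assign."""
    return [{"roles": role_names(e), "current": matches_current_rule(e),
             "proposed": matches_proposed_rule(e),
             "severity": proposed_severity(e) if matches_proposed_rule(e) else None}
            for e in events]


if __name__ == "__main__":
    for row in evaluate(SAMPLE_EVENTS):
        print(row)
    print("missed by current query:", missed_by_current_rule(SAMPLE_EVENTS))
```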