Google Workspace admin role created
Description
AlphaSOC detected an audit event CREATE_ROLE indicating a new admin role was
created. Creating custom admin roles allows granting collections of elevated
privileges without using the built-in admin roles. While often legitimate,
adversaries and insiders may create roles to persist elevated privileges or to
evade detection by assigning narrowly scoped but powerful permissions.
Impact
Unauthorized creation of admin roles can enable privilege escalation, persistent access to sensitive settings and data, and abuse of delegated permissions to perform actions (e.g., user management, data exports) without clear attribution to an existing admin account.
Severity
| Severity | Condition |
|---|---|
| Low | Google Workspace admin role created |
Investigation and Remediation
Review the CREATE_ROLE event details in the audit logs to identify the
creator, role name, and assigned privileges. Validate the change with the
organization's admin owners and check for concurrent suspicious activity (new
service accounts, role assignments, or unusual admin logins). If the role is
unauthorized, remove the role, revoke any privileges granted, rotate affected
admin credentials, and audit role assignment history.
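A triage helper for the review step above, added here as an example and not AlphaSOC's own code. It assumes the Reports API activity layout (actor.email, id.time, events[].name, events[].parameters[]) and the parameter names ROLE_NAME and PRIVILEGE_NAME; the sample records and the high-risk privilege set are constructed.

```python
# Added example (not AlphaSOC code): triage CREATE_ROLE events from the
# Google Workspace admin audit log as returned by the Reports API
# (activities[].actor.email, id.time, events[].name, events[].parameters[]).
# The parameter names ROLE_NAME and PRIVILEGE_NAME are assumptions.
import json

# Constructed sample records; the third one is a non-role event to be skipped.
SAMPLE_ACTIVITIES = json.loads("""[
 {"id": {"time": "2024-05-01T09:12:00Z"}, "actor": {"email": "it-owner@example.com"},
  "events": [{"type": "DELEGATED_ADMIN_SETTINGS", "name": "CREATE_ROLE",
   "parameters": [{"name": "ROLE_NAME", "value": "Helpdesk L1"},
                  {"name": "PRIVILEGE_NAME", "multiValue": ["USERS_RETRIEVE"]}]}]},
 {"id": {"time": "2024-05-01T23:47:00Z"}, "actor": {"email": "contractor@example.com"},
  "events": [{"type": "DELEGATED_ADMIN_SETTINGS", "name": "CREATE_ROLE",
   "parameters": [{"name": "ROLE_NAME", "value": "Reports"},
                  {"name": "PRIVILEGE_NAME",
                   "multiValue": ["DATA_EXPORT", "USERS_UPDATE", "SUPER_ADMIN"]}]}]},
 {"id": {"time": "2024-05-02T10:00:00Z"}, "actor": {"email": "it-owner@example.com"},
  "events": [{"type": "USER_SETTINGS", "name": "CREATE_USER",
   "parameters": [{"name": "USER_EMAIL", "value": "new.hire@example.com"}]}]}
]""")

# Privileges whose grant through a custom role warrants closer review (constructed set).
HIGH_RISK_PRIVILEGES = {"SUPER_ADMIN", "DATA_EXPORT", "USERS_UPDATE"}


def role_creations(activities):
    """Return one triage record per CREATE_ROLE event: who, when, which privileges."""
    found = []
    for record in activities:
        for event in record.get("events", []):
            if event.get("name") != "CREATE_ROLE":
                continue
            # Parameters arrive as a list of {name, value|multiValue}; flatten them.
            params = {p["name"]: p.get("multiValue", p.get("value"))
                      for p in event.get("parameters", [])}
            privs = set(params.get("PRIVILEGE_NAME") or [])
            found.append({
                "actor": record["actor"]["email"],
                "time": record["id"]["time"],
                "role": params.get("ROLE_NAME"),
                "privileges": sorted(privs),
                "high_risk": sorted(privs & HIGH_RISK_PRIVILEGES),
            })
    return found


def needs_review(creation, approved_admins):
    """Escalate when the creator is not a known admin owner or the role is powerful."""
    return creation["actor"] not in approved_admins or bool(creation["high_risk"])
```

Feed `role_creations` the activity list pulled for applicationName=admin and pass the organization's validated admin owners as `approved_admins`; anything flagged is the record to take to the role-assignment and login review described above.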
Known False Positives
- Legitimate role creation during onboarding or role refactoring.