Privilege Escalation: External Member Added To Privileged Group
Premium and Enterprise service tiers
Last updated 2025-09-10 UTC.

This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see the Threat findings index (https://cloud.google.com/security-command-center/docs/threat-findings-index).

Overview

This finding isn't available for project-level activations.

An external member was added to a privileged Google Group, that is, a group granted sensitive roles or permissions (https://cloud.google.com/security-command-center/docs/concepts-event-threat-detection-overview#sensitive_roles). Because the group's role bindings apply to every member, the new member inherits those sensitive roles the moment the membership takes effect.

How to respond

To respond to this finding, do the following:

Step 1: Review finding details

1. Open a Privilege Escalation: External Member Added To Privileged Group finding, as directed in Reviewing findings (https://cloud.google.com/security-command-center/docs/how-to-investigate-threats#reviewing_findings). The details panel for the finding opens to the Summary tab.
2. On the Summary tab, review the information in the following sections:
   - What was detected, especially the following fields:
     - Principal email: the account that made the changes.
     - Affected resource
   - Related links, especially the following fields:
     - Cloud Logging URI: link to Logging entries.
     - MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
     - Related findings: links to any related findings.
3. In the details panel, click the JSON tab.
4. In the JSON, note the following fields:
   - groupName: the Google Group where the changes were made
   - externalMember: the newly added external member
   - sensitiveRoles: the sensitive roles associated with this group

Step 2: Review group members

1. Go to Google Groups (https://groups.google.com).
2. Click the name of the group you want to review.
3. In the navigation menu, click Members.
4. If the newly added external member should not be in this group, select the checkbox next to the member's name, and then select Remove member or Ban member. Banning also blocks that address from rejoining the group.

   To remove or ban members, you must be a Google Workspace admin, or be assigned the Owner or Manager role in the Google Group. For more information, see Assign roles to a group's members (https://support.google.com/a/answer/167094).

Step 3: Check logs

1. On the Summary tab of the finding details panel, click the Cloud Logging URI link to open the Logs Explorer.
2. If necessary, select your project.
3. On the page that loads, check logs for Google Group membership changes using the following filters:
   - protoPayload.methodName="google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership"
   - protoPayload.authenticationInfo.principalEmail="PRINCIPAL_EMAIL"

   Replace PRINCIPAL_EMAIL with the Principal email value from the finding's Summary tab. The finding reports one added member; the log lists every membership change that principal made, so review the others from the same period as well.

Step 4: Research attack and response methods

1. Review the MITRE ATT&CK framework entry for this finding type: Valid Accounts (https://attack.mitre.org/techniques/T1078).
2. To determine if additional remediation steps are necessary, combine your investigation results with MITRE research.

What's next

- Learn how to work with threat findings in Security Command Center (https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).
- Refer to the Threat findings index (https://cloud.google.com/security-command-center/docs/threat-findings-index).
- Learn how to review a finding (https://cloud.google.com/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.
- Learn about the services that generate threat findings (https://cloud.google.com/security-command-center/docs/concepts-security-sources#threats).
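The Step 3 filter narrows Logs Explorer to membership changes made by one principal; it does not decide which of those changes matter. The following Python, added here as an example and not Google's code or part of Security Command Center, runs that decision over constructed Cloud Audit Log entries: it keeps only membership-change methods, classifies the added member as external by e-mail domain, and reports a hit only when the target group carries sensitive roles, reproducing the finding's groupName, externalMember and sensitiveRoles fields. Everything beyond the two field paths the page names is an assumption made for the example: the sample entries, the internal-domain list, the group-to-roles map, the inclusion of CreateMembership alongside UpdateMembership, and the location of the group and member addresses under protoPayload.request. Check a real entry in Logs Explorer before reusing the field paths.

```python
"""Triage Cloud Identity group-membership audit entries the way the
"External Member Added To Privileged Group" finding does.

Added example, not Google's code. Entry layout beyond
protoPayload.methodName and protoPayload.authenticationInfo.principalEmail
is an assumption; verify it against a real entry in Logs Explorer.
"""
import json
from typing import List, Optional

# Method named on the page for Step 3. CreateMembership is included on the
# assumption that a first-time add can also surface under that method.
DOCUMENTED_METHOD = (
    "google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership"
)
MEMBERSHIP_METHODS = {
    DOCUMENTED_METHOD,
    "google.apps.cloudidentity.groups.v1.MembershipsService.CreateMembership",
}

# Constructed: domains that count as "internal" for this organization.
INTERNAL_DOMAINS = {"example.com"}

# Constructed: groups bound to sensitive roles (the finding's sensitiveRoles).
PRIVILEGED_GROUPS = {
    "gcp-org-admins@example.com": ["roles/resourcemanager.organizationAdmin"],
    "gcp-billing-admins@example.com": ["roles/billing.admin"],
}


def is_external(email: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True when the address's domain is not one of ours (case-insensitive)."""
    _, _, domain = email.rpartition("@")
    return domain.lower() not in {d.lower() for d in internal_domains}


def build_logs_explorer_filter(principal_email: str) -> str:
    """The two clauses from Step 3, joined with AND for pasting into Logs Explorer."""
    return (
        f'protoPayload.methodName="{DOCUMENTED_METHOD}"\n'
        f'AND protoPayload.authenticationInfo.principalEmail="{principal_email}"'
    )


def evaluate(entry: dict) -> Optional[dict]:
    """Return a finding-like dict if this entry adds an external member to a
    privileged group, else None. Missing fields are treated as no match."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") not in MEMBERSHIP_METHODS:
        return None
    request = payload.get("request", {})  # assumed layout, see module docstring
    group = request.get("group", "")
    member = request.get("member", "")
    if not group or not member:
        return None
    roles = PRIVILEGED_GROUPS.get(group.lower())
    if not roles or not is_external(member):
        return None
    return {
        "principalEmail": payload.get("authenticationInfo", {}).get("principalEmail", ""),
        "groupName": group,
        "externalMember": member,
        "sensitiveRoles": roles,
        "methodName": payload["methodName"],
    }


def scan(log_lines) -> List[dict]:
    """Parse one JSON audit entry per line and collect the hits; malformed
    lines are skipped so one bad record does not abort the sweep."""
    hits = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(entry, dict):
            continue
        hit = evaluate(entry)
        if hit:
            hits.append(hit)
    return hits


def _entry(method, principal, group=None, member=None) -> str:
    """Build a constructed audit entry as a single JSON line."""
    payload = {"methodName": method,
               "authenticationInfo": {"principalEmail": principal}}
    if group:
        payload["request"] = {"group": group, "member": member}
    return json.dumps({"protoPayload": payload,
                       "logName": "projects/p/logs/cloudaudit.googleapis.com%2Factivity"})


# Constructed sample: one true hit, two benign membership changes (external
# member into an unprivileged group; internal member into a privileged one),
# one unrelated method, one corrupt line.
SAMPLE_LOG_LINES = [
    _entry(DOCUMENTED_METHOD, "admin@example.com",
           "gcp-org-admins@example.com", "contractor@partner-example.net"),
    _entry(DOCUMENTED_METHOD, "admin@example.com",
           "social-committee@example.com", "contractor@partner-example.net"),
    _entry(DOCUMENTED_METHOD, "admin@example.com",
           "gcp-billing-admins@example.com", "finance.lead@Example.com"),
    _entry("google.iam.v1.IAMPolicy.SetIamPolicy", "admin@example.com"),
    "{not json",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG_LINES):
        print(json.dumps(hit, indent=2))
    print(build_logs_explorer_filter("admin@example.com"))
```

Run against the constructed sample, scan() returns only the first entry, with the same three fields the finding's JSON tab exposes. The domain test is the weak point of any such check: a member whose address sits on an internal domain but belongs to an unmanaged account still passes it, so treat the domain list as a first cut and confirm ownership in the Workspace admin console.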