From 084711835e93f76745a8d3c154c6bfce11839c51 Mon Sep 17 00:00:00 2001
From: James Rodewig
Date: Wed, 26 Jan 2022 11:53:18 -0500
Subject: [PATCH] [DOCS] Fix links to filebeat Google Workspace module (#1441)

Updates links to the [Filebeat Google Workspace module](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html) so they don't break when we change the current Stack version to 8.0.

Relates to https://github.com/elastic/docs/pull/2312

# Conflicts:
# docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-mfa-enforcement-disabled.asciidoc
# docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-password-policy-modified.asciidoc
# docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-mfa-disabled-for-google-workspace-organization.asciidoc
# docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-application-added-to-google-workspace-domain.asciidoc
# docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-domain-added-to-google-workspace-trusted-domains.asciidoc
# docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-assigned-to-a-user.asciidoc
# docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-deletion.asciidoc
# docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc
# docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-custom-admin-role-created.asciidoc
# docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-mfa-enforcement-disabled.asciidoc
# docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-password-policy-modified.asciidoc
# docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-role-modified.asciidoc
# docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-mfa-disabled-for-google-workspace-organization.asciidoc
# docs/detections/prebuilt-rules/rule-details/application-added-to-google-workspace-domain.asciidoc
# docs/detections/prebuilt-rules/rule-details/domain-added-to-google-workspace-trusted-domains.asciidoc
# docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-assigned-to-a-user.asciidoc
# docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-deletion.asciidoc
# docs/detections/prebuilt-rules/rule-details/google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc
# docs/detections/prebuilt-rules/rule-details/google-workspace-custom-admin-role-created.asciidoc
# docs/detections/prebuilt-rules/rule-details/google-workspace-mfa-enforcement-disabled.asciidoc
# docs/detections/prebuilt-rules/rule-details/google-workspace-password-policy-modified.asciidoc
# docs/detections/prebuilt-rules/rule-details/google-workspace-role-modified.asciidoc
# docs/detections/prebuilt-rules/rule-details/mfa-disabled-for-google-workspace-organization.asciidoc
---
 ...orkspace-mfa-enforcement-disabled.asciidoc | 71 +++++++++++++++
 ...orkspace-password-policy-modified.asciidoc | 87 +++++++++++++++++++
 ...for-google-workspace-organization.asciidoc | 69 +++++++++++++++
 ...-added-to-google-workspace-domain.asciidoc | 71 +++++++++++++++
 ...-google-workspace-trusted-domains.asciidoc | 71 +++++++++++++++
 ...ace-admin-role-assigned-to-a-user.asciidoc | 82 +++++++++++++++++
 ...gle-workspace-admin-role-deletion.asciidoc | 71 +++++++++++++++
 ...main-wide-delegation-of-authority.asciidoc | 82 +++++++++++++++++
 ...rkspace-custom-admin-role-created.asciidoc | 82 +++++++++++++++++
 ...orkspace-mfa-enforcement-disabled.asciidoc | 71 +++++++++++++++
 ...orkspace-password-policy-modified.asciidoc | 87 +++++++++++++++++++
 ...-1-google-workspace-role-modified.asciidoc | 82 +++++++++++++++++
 ...for-google-workspace-organization.asciidoc | 69 +++++++++++++++
 ...-added-to-google-workspace-domain.asciidoc | 23 +++--
 ...-google-workspace-trusted-domains.asciidoc | 23 +++--
 ...ace-admin-role-assigned-to-a-user.asciidoc | 23 +++--
 ...gle-workspace-admin-role-deletion.asciidoc | 23 +++--
 ...main-wide-delegation-of-authority.asciidoc | 23 +++--
 ...rkspace-custom-admin-role-created.asciidoc | 23 +++--
 ...orkspace-mfa-enforcement-disabled.asciidoc | 23 +++--
 ...orkspace-password-policy-modified.asciidoc | 23 +++--
 .../google-workspace-role-modified.asciidoc | 23 +++--
 ...for-google-workspace-organization.asciidoc | 23 +++--
 23 files changed, 1165 insertions(+), 60 deletions(-)
 create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-mfa-enforcement-disabled.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-password-policy-modified.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-mfa-disabled-for-google-workspace-organization.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-application-added-to-google-workspace-domain.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-domain-added-to-google-workspace-trusted-domains.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-assigned-to-a-user.asciidoc
 create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-deletion.asciidoc
 create mode 100644
docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-custom-admin-role-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-mfa-enforcement-disabled.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-password-policy-modified.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-role-modified.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-mfa-disabled-for-google-workspace-organization.asciidoc diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-mfa-enforcement-disabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-mfa-enforcement-disabled.asciidoc new file mode 100644 index 0000000000..e4fda1843f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-mfa-enforcement-disabled.asciidoc 
@@ -0,0 +1,71 @@ +[[prebuilt-rule-0-13-3-google-workspace-mfa-enforcement-disabled]] +=== Google Workspace MFA Enforcement Disabled + +Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization’s security controls. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.google.com/a/answer/9176657?hl=en# + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown, subs="attributes"] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). +- See the following references for further information. 
+ - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-password-policy-modified.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-password-policy-modified.asciidoc new file mode 100644 index 0000000000..43412eb473 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-password-policy-modified.asciidoc 
@@ -0,0 +1,87 @@ +[[prebuilt-rule-0-13-3-google-workspace-password-policy-modified]] +=== Google Workspace Password Policy Modified + +Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown, subs="attributes"] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). +- See the following references for further information. 
+ - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and + event.provider:admin and event.category:iam and + event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and + gsuite.admin.setting.name:( + "Password Management - Enforce strong password" or + "Password Management - Password reset frequency" or + "Password Management - Enable password reuse" or + "Password Management - Enforce password policy at next login" or + "Password Management - Minimum password length" or + "Password Management - Maximum password length" + ) or + google_workspace.admin.setting.name:( + "Password Management - Enforce strong password" or + "Password Management - Password reset frequency" or + "Password Management - Enable password reuse" or + "Password Management - Enforce password policy at next login" or + "Password Management - Minimum password length" or + "Password Management - Maximum password length" + ) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-mfa-disabled-for-google-workspace-organization.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-mfa-disabled-for-google-workspace-organization.asciidoc new file mode 100644 index 0000000000..fbc9fd70e6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-mfa-disabled-for-google-workspace-organization.asciidoc 
@@ -0,0 +1,69 @@ +[[prebuilt-rule-0-13-3-mfa-disabled-for-google-workspace-organization]] +=== MFA Disabled for Google Workspace Organization + +Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown, subs="attributes"] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). +- See the following references for further information. 
+ - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-application-added-to-google-workspace-domain.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-application-added-to-google-workspace-domain.asciidoc new file mode 100644 index 0000000000..9813e3ddf0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-application-added-to-google-workspace-domain.asciidoc 
@@ -0,0 +1,71 @@ +[[prebuilt-rule-0-14-1-application-added-to-google-workspace-domain]] +=== Application Added to Google Workspace Domain + +Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization’s Google Workspace domain in order to maintain a presence in their target’s organization and steal data. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.google.com/a/answer/6328701?hl=en# + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown, subs="attributes"] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-domain-added-to-google-workspace-trusted-domains.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-domain-added-to-google-workspace-trusted-domains.asciidoc new file mode 100644 index 0000000000..027bdc0a5c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-domain-added-to-google-workspace-trusted-domains.asciidoc 
@@ -0,0 +1,71 @@ +[[prebuilt-rule-0-14-1-domain-added-to-google-workspace-trusted-domains]] +=== Domain Added to Google Workspace Trusted Domains + +Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target’s organization with less restrictive security controls. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.google.com/a/answer/6160020?hl=en + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown, subs="attributes"] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-assigned-to-a-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-assigned-to-a-user.asciidoc new file mode 100644 index 0000000000..7c2385d36e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-assigned-to-a-user.asciidoc 
@@ -0,0 +1,82 @@ +[[prebuilt-rule-0-14-1-google-workspace-admin-role-assigned-to-a-user]] +=== Google Workspace Admin Role Assigned to a User + +Detects when an admin role is assigned to a Google Workspace user. An adversary may assign an admin role to a user in order to elevate the permissions of another user account and persist in their target’s environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.google.com/a/answer/172176?hl=en + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown, subs="attributes"] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ASSIGN_ROLE + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-deletion.asciidoc new file mode 100644 index 0000000000..26d2f1a43e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-deletion.asciidoc 
@@ -0,0 +1,71 @@ +[[prebuilt-rule-0-14-1-google-workspace-admin-role-deletion]] +=== Google Workspace Admin Role Deletion + +Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.google.com/a/answer/2406043?hl=en + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown, subs="attributes"] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:DELETE_ROLE + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc new file mode 100644 index 0000000000..ae43d5c0f5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc 
@@ -0,0 +1,82 @@ +[[prebuilt-rule-0-14-1-google-workspace-api-access-granted-via-domain-wide-delegation-of-authority]] +=== Google Workspace API Access Granted via Domain-Wide Delegation of Authority + +Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target’s data. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developers.google.com/admin-sdk/directory/v1/guides/delegation + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown, subs="attributes"] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m). +- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-custom-admin-role-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-custom-admin-role-created.asciidoc new file mode 100644 index 0000000000..fad40e72f5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-custom-admin-role-created.asciidoc 
@@ -0,0 +1,82 @@ +[[prebuilt-rule-0-14-1-google-workspace-custom-admin-role-created]] +=== Google Workspace Custom Admin Role Created + +Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.google.com/a/answer/2406043?hl=en + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown, subs="attributes"] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:CREATE_ROLE + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-mfa-enforcement-disabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-mfa-enforcement-disabled.asciidoc new file mode 100644 index 0000000000..0490ff1bda --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-mfa-enforcement-disabled.asciidoc 
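Review bot: in the `## Config` block of the new prebuilt-rule-0-14-1-google-workspace-custom-admin-role-created page, the first line says the rule works with `The Google Workspace Fleet integration, Filebeat module, or similarly structured data`, but the polling advice that follows names only the Filebeat module variable (`By default, `var.interval` is set to 2 hours (2h)`); either add the equivalent setting for the Fleet integration or state that the interval advice applies to the Filebeat module only, otherwise integration users have no actionable knob. Also note that the `{branch}` attribute in the `filebeat/{branch}/filebeat-module-google_workspace.html` link only resolves because the block is declared `[source, markdown, subs="attributes"]`; keep that attribute list intact on any later edit of these guides, and confirm `{branch}` is defined by the docs build for the downloadable-packages tree, or the link will render with the literal placeholder.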
@@ -0,0 +1,71 @@ +[[prebuilt-rule-0-14-1-google-workspace-mfa-enforcement-disabled]] +=== Google Workspace MFA Enforcement Disabled + +Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization’s security controls. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.google.com/a/answer/9176657?hl=en# + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Configuration Audit + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown, subs="attributes"] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-password-policy-modified.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-password-policy-modified.asciidoc new file mode 100644 index 0000000000..ab2455a0b7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-password-policy-modified.asciidoc 
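Review bot: the reference `https://support.google.com/a/answer/9176657?hl=en#` in the new prebuilt-rule-0-14-1-google-workspace-mfa-enforcement-disabled page carries a stray empty fragment (`#`) that should be dropped. On the same page the tag set ends with `Configuration Audit`, while the closely related MFA Disabled for Google Workspace Organization page later in this patch, which matches the same `ENFORCE_STRONG_AUTHENTICATION` event, is tagged `Identity and Access`; pick one tag for both so they surface together when analysts filter by tag.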
@@ -0,0 +1,87 @@ +[[prebuilt-rule-0-14-1-google-workspace-password-policy-modified]] +=== Google Workspace Password Policy Modified + +Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown, subs="attributes"] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and + event.provider:admin and event.category:iam and + event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and + gsuite.admin.setting.name:( + "Password Management - Enforce strong password" or + "Password Management - Password reset frequency" or + "Password Management - Enable password reuse" or + "Password Management - Enforce password policy at next login" or + "Password Management - Minimum password length" or + "Password Management - Maximum password length" + ) or + google_workspace.admin.setting.name:( + "Password Management - Enforce strong password" or + "Password Management - Password reset frequency" or + "Password Management - Enable password reuse" or + "Password Management - Enforce password policy at next login" or + "Password Management - Minimum password length" or + "Password Management - Maximum password length" + ) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-role-modified.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-role-modified.asciidoc new file mode 100644 index 0000000000..d175dd11b7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-role-modified.asciidoc 
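Review bot: in the `==== Rule query` block of the new prebuilt-rule-0-14-1-google-workspace-password-policy-modified page, the trailing `or google_workspace.admin.setting.name:( ... )` clause is not grouped with the `gsuite.admin.setting.name:( ... )` clause. KQL binds `and` tighter than `or`, so the second clause becomes a stand-alone alternative: any document whose `google_workspace.admin.setting.name` is one of the listed settings matches regardless of `event.dataset`, `event.provider`, `event.category` or `event.action`, while the `gsuite.*` branch is still constrained by all four. Wrap the two field alternatives in one group, i.e. `event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and (gsuite.admin.setting.name:( ... ) or google_workspace.admin.setting.name:( ... ))`, so both data streams are filtered the same way.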
@@ -0,0 +1,82 @@ +[[prebuilt-rule-0-14-1-google-workspace-role-modified]] +=== Google Workspace Role Modified + +Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.google.com/a/answer/2406043?hl=en + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown, subs="attributes"] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-mfa-disabled-for-google-workspace-organization.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-mfa-disabled-for-google-workspace-organization.asciidoc new file mode 100644 index 0000000000..02b960b2c1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-mfa-disabled-for-google-workspace-organization.asciidoc 
@@ -0,0 +1,69 @@ +[[prebuilt-rule-0-14-1-mfa-disabled-for-google-workspace-organization]] +=== MFA Disabled for Google Workspace Organization + +Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Elastic +* Cloud +* Google Workspace +* Continuous Monitoring +* SecOps +* Identity and Access + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown, subs="attributes"] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). 
+- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/application-added-to-google-workspace-domain.asciidoc b/docs/detections/prebuilt-rules/rule-details/application-added-to-google-workspace-domain.asciidoc index ca56063783..77ee702791 100644 --- a/docs/detections/prebuilt-rules/rule-details/application-added-to-google-workspace-domain.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/application-added-to-google-workspace-domain.asciidoc @@ -33,15 +33,15 @@ Detects when a Google marketplace application is added to the Google Workspace d * SecOps * Configuration Audit -*Version*: 2 (<>) +*Version*: 3 (<>) *Added ({stack} release)*: 7.11.0 -*Last modified ({stack} release)*: 7.11.2 +*Last modified ({stack} release)*: 7.12.0 *Rule authors*: Elastic -*Rule license*: Elastic License +*Rule license*: Elastic License v2 ==== Potential false positives 
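Review bot: the description in the new prebuilt-rule-0-14-1-mfa-disabled-for-google-workspace-organization page was copied from the password-policy rule: `An adversary may attempt to modify a password policy in order to weaken an organization's security controls.` does not describe a rule whose query matches `event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION)` with `new_value:false`; suggest `An adversary may disable MFA for the organization in order to weaken an organization's security controls.` Two related points on the same page: `*References*: None` could carry the same https://support.google.com/a/answer/9176657 link the MFA Enforcement Disabled page cites, and because this query is a strict superset of that page's `ENFORCE_STRONG_AUTHENTICATION and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false)` query, a single enforcement-off event raises both alerts; a sentence in the guide saying so would save analysts a duplicate triage.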
@@ -49,14 +49,23 @@ Applications can be added to a Google Workspace domain by system administrators. ==== Investigation guide -** Important Information Regarding Google Workspace Event Lag Times + +[source, markdown, subs="attributes"] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. - This rule is configured to run every 10 minutes with a lookback time of 130 minutes. - To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + ==== Rule query @@ -72,6 +81,8 @@ event.action:ADD_APPLICATION [[application-added-to-google-workspace-domain-history]] ==== Rule version history -Version 2 (7.11.2 release):: +Version 3 (7.12.0 release):: * Formatting only +Version 2 (7.11.2 release):: +* Formatting only diff --git a/docs/detections/prebuilt-rules/rule-details/domain-added-to-google-workspace-trusted-domains.asciidoc b/docs/detections/prebuilt-rules/rule-details/domain-added-to-google-workspace-trusted-domains.asciidoc index a3e61e5e67..2bb9dcdc26 100644 
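Review bot: in the `==== Investigation guide` hunk of application-added-to-google-workspace-domain.asciidoc, the two reference bullets under `- See the following references for further information.` are indented inconsistently once the block is wrapped in the new markdown fence: the unchanged `- https://support.google.com/a/answer/7061566` line sits at the top level while the rewritten ` - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html` line is nested one level down, so the rendered list will show the two links at different depths. Since the line is being touched anyway, indent the support.google.com bullet to match (the 0-14-1 pages earlier in this patch nest both links), and end the lead-in with a colon as those pages do. The same applies to the matching `==== Investigation guide` hunk in each of the other rule-details files below. In the `==== Rule version history` hunk, `Version 3 (7.12.0 release):: * Formatting only` understates the change; something like `Updated the Filebeat module link` would tell readers why the version moved.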
--- a/docs/detections/prebuilt-rules/rule-details/domain-added-to-google-workspace-trusted-domains.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/domain-added-to-google-workspace-trusted-domains.asciidoc @@ -33,15 +33,15 @@ Detects when a domain is added to the list of trusted Google Workspace domains. * SecOps * Configuration Audit -*Version*: 2 (<>) +*Version*: 3 (<>) *Added ({stack} release)*: 7.11.0 -*Last modified ({stack} release)*: 7.11.2 +*Last modified ({stack} release)*: 7.12.0 *Rule authors*: Elastic -*Rule license*: Elastic License +*Rule license*: Elastic License v2 ==== Potential false positives 
@@ -49,14 +49,23 @@ Trusted domains may be added by system administrators. Verify that the configura ==== Investigation guide -** Important Information Regarding Google Workspace Event Lag Times + +[source, markdown, subs="attributes"] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. - This rule is configured to run every 10 minutes with a lookback time of 130 minutes. - To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + ==== Rule query @@ -72,6 +81,8 @@ event.action:ADD_TRUSTED_DOMAINS [[domain-added-to-google-workspace-trusted-domains-history]] ==== Rule version history -Version 2 (7.11.2 release):: +Version 3 (7.12.0 release):: * Formatting only +Version 2 (7.11.2 release):: +* Formatting only diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-assigned-to-a-user.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-assigned-to-a-user.asciidoc index cbbe60643c..9a477bad06 100644 
--- a/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-assigned-to-a-user.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-assigned-to-a-user.asciidoc @@ -33,15 +33,15 @@ Detects when an admin role is assigned to a Google Workspace user. An adversary * SecOps * Identity and Access -*Version*: 2 (<>) +*Version*: 3 (<>) *Added ({stack} release)*: 7.11.0 -*Last modified ({stack} release)*: 7.11.2 +*Last modified ({stack} release)*: 7.12.0 *Rule authors*: Elastic -*Rule license*: Elastic License +*Rule license*: Elastic License v2 ==== Potential false positives 
@@ -49,14 +49,23 @@ Google Workspace admin role assignments may be modified by system administrators ==== Investigation guide -** Important Information Regarding Google Workspace Event Lag Times + +[source, markdown, subs="attributes"] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. - This rule is configured to run every 10 minutes with a lookback time of 130 minutes. - To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + ==== Rule query @@ -84,6 +93,8 @@ event.action:ASSIGN_ROLE [[google-workspace-admin-role-assigned-to-a-user-history]] ==== Rule version history -Version 2 (7.11.2 release):: +Version 3 (7.12.0 release):: * Formatting only +Version 2 (7.11.2 release):: +* Formatting only diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-deletion.asciidoc index 913647f046..4166221224 100644 
--- a/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-deletion.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-deletion.asciidoc @@ -33,15 +33,15 @@ Detects when a custom admin role is deleted. An adversary may delete a custom ad * SecOps * Identity and Access -*Version*: 2 (<>) +*Version*: 3 (<>) *Added ({stack} release)*: 7.11.0 -*Last modified ({stack} release)*: 7.11.2 +*Last modified ({stack} release)*: 7.12.0 *Rule authors*: Elastic -*Rule license*: Elastic License +*Rule license*: Elastic License v2 ==== Potential false positives 
@@ -49,14 +49,23 @@ Google Workspace admin roles may be deleted by system administrators. Verify tha ==== Investigation guide -** Important Information Regarding Google Workspace Event Lag Times + +[source, markdown, subs="attributes"] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. - This rule is configured to run every 10 minutes with a lookback time of 130 minutes. - To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + ==== Rule query @@ -72,6 +81,8 @@ event.action:DELETE_ROLE [[google-workspace-admin-role-deletion-history]] ==== Rule version history -Version 2 (7.11.2 release):: +Version 3 (7.12.0 release):: * Formatting only +Version 2 (7.11.2 release):: +* Formatting only 
diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc index b68a38140a..81133ca948 100644 --- a/docs/detections/prebuilt-rules/rule-details/google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc @@ -33,15 +33,15 @@ Detects when a domain-wide delegation of authority is granted to a service accou * SecOps * Identity and Access -*Version*: 2 (<>) +*Version*: 3 (<>) *Added ({stack} release)*: 7.11.0 -*Last modified ({stack} release)*: 7.11.2 +*Last modified ({stack} release)*: 7.12.0 *Rule authors*: Elastic -*Rule license*: Elastic License +*Rule license*: Elastic License v2 ==== Potential false positives 
@@ -49,14 +49,23 @@ Domain-wide delegation of authority may be granted to service accounts by system ==== Investigation guide -** Important Information Regarding Google Workspace Event Lag Times + +[source, markdown, subs="attributes"] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. - This rule is configured to run every 10 minutes with a lookback time of 130 minutes. - To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + ==== Rule query @@ -84,6 +93,8 @@ event.action:AUTHORIZE_API_CLIENT_ACCESS [[google-workspace-api-access-granted-via-domain-wide-delegation-of-authority-history]] ==== Rule version history -Version 2 (7.11.2 release):: +Version 3 (7.12.0 release):: * Formatting only +Version 2 (7.11.2 release):: +* Formatting only diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-custom-admin-role-created.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-custom-admin-role-created.asciidoc index 95678b75e8..80c9cea053 100644 
--- a/docs/detections/prebuilt-rules/rule-details/google-workspace-custom-admin-role-created.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-custom-admin-role-created.asciidoc @@ -33,15 +33,15 @@ Detects when a custom admin role is created in Google Workspace. An adversary ma * SecOps * Identity and Access -*Version*: 2 (<>) +*Version*: 3 (<>) *Added ({stack} release)*: 7.11.0 -*Last modified ({stack} release)*: 7.11.2 +*Last modified ({stack} release)*: 7.12.0 *Rule authors*: Elastic -*Rule license*: Elastic License +*Rule license*: Elastic License v2 ==== Potential false positives 
@@ -49,14 +49,23 @@ Custom Google Workspace admin roles may be created by system administrators. Ver ==== Investigation guide -** Important Information Regarding Google Workspace Event Lag Times + +[source, markdown, subs="attributes"] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. - This rule is configured to run every 10 minutes with a lookback time of 130 minutes. - To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + ==== Rule query @@ -84,6 +93,8 @@ event.action:CREATE_ROLE [[google-workspace-custom-admin-role-created-history]] ==== Rule version history -Version 2 (7.11.2 release):: +Version 3 (7.12.0 release):: * Formatting only +Version 2 (7.11.2 release):: +* Formatting only diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-mfa-enforcement-disabled.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-mfa-enforcement-disabled.asciidoc index 01beadd713..720c8c7218 100644 
--- a/docs/detections/prebuilt-rules/rule-details/google-workspace-mfa-enforcement-disabled.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-mfa-enforcement-disabled.asciidoc @@ -33,15 +33,15 @@ Detects when multi-factor authentication (MFA) enforcement is disabled for Googl * SecOps * Configuration Audit -*Version*: 2 (<>) +*Version*: 3 (<>) *Added ({stack} release)*: 7.11.0 -*Last modified ({stack} release)*: 7.11.2 +*Last modified ({stack} release)*: 7.12.0 *Rule authors*: Elastic -*Rule license*: Elastic License +*Rule license*: Elastic License v2 ==== Potential false positives 
@@ -49,14 +49,23 @@ MFA policies may be modified by system administrators. Verify that the configura ==== Investigation guide -** Important Information Regarding Google Workspace Event Lag Times + +[source, markdown, subs="attributes"] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. - This rule is configured to run every 10 minutes with a lookback time of 130 minutes. - To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + ==== Rule query @@ -73,6 +82,8 @@ gsuite.admin.new_value:false [[google-workspace-mfa-enforcement-disabled-history]] ==== Rule version history -Version 2 (7.11.2 release):: +Version 3 (7.12.0 release):: * Formatting only +Version 2 (7.11.2 release):: +* Formatting only diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-password-policy-modified.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-password-policy-modified.asciidoc index e36f836aa1..d18310a387 100644 
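Review bot: out of scope for a link fix but worth a follow-up ticket: the `@@ -73,6 +82,8 @@ gsuite.admin.new_value:false` context in google-workspace-mfa-enforcement-disabled.asciidoc shows the rule-details query still keys on `gsuite.admin.new_value` alone, whereas the 0-14-1 page earlier in this patch ORs in `google_workspace.admin.new_value:false` and searches `logs-google_workspace*`. Data shipped under the google_workspace dataset will not populate the `gsuite.*` field, so the rule-details version documents a query that misses the newer data stream; sync it with the packaged query when the rule content is next refreshed.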
--- a/docs/detections/prebuilt-rules/rule-details/google-workspace-password-policy-modified.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-password-policy-modified.asciidoc @@ -29,15 +29,15 @@ Detects when a Google Workspace password policy is modified. An adversary may at * SecOps * Identity and Access -*Version*: 2 (<>) +*Version*: 3 (<>) *Added ({stack} release)*: 7.11.0 -*Last modified ({stack} release)*: 7.11.2 +*Last modified ({stack} release)*: 7.12.0 *Rule authors*: Elastic -*Rule license*: Elastic License +*Rule license*: Elastic License v2 ==== Potential false positives 
@@ -45,14 +45,23 @@ Password policies may be modified by system administrators. Verify that the conf ==== Investigation guide -** Important Information Regarding Google Workspace Event Lag Times + +[source, markdown, subs="attributes"] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. - This rule is configured to run every 10 minutes with a lookback time of 130 minutes. - To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + ==== Rule query @@ -74,6 +83,8 @@ Management - Maximum password length" ) [[google-workspace-password-policy-modified-history]] ==== Rule version history -Version 2 (7.11.2 release):: +Version 3 (7.12.0 release):: * Formatting only +Version 2 (7.11.2 release):: +* Formatting only diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-role-modified.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-role-modified.asciidoc index 6e02682927..9d65a01cf5 100644 
--- a/docs/detections/prebuilt-rules/rule-details/google-workspace-role-modified.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-role-modified.asciidoc @@ -33,15 +33,15 @@ Detects when a custom admin role or its permissions are modified. An adversary m * SecOps * Identity and Access -*Version*: 2 (<>) +*Version*: 3 (<>) *Added ({stack} release)*: 7.11.0 -*Last modified ({stack} release)*: 7.11.2 +*Last modified ({stack} release)*: 7.12.0 *Rule authors*: Elastic -*Rule license*: Elastic License +*Rule license*: Elastic License v2 ==== Potential false positives 
@@ -49,14 +49,23 @@ Google Workspace admin roles may be modified by system administrators. Verify th ==== Investigation guide -** Important Information Regarding Google Workspace Event Lag Times + +[source, markdown, subs="attributes"] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. - This rule is configured to run every 10 minutes with a lookback time of 130 minutes. - To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + ==== Rule query @@ -84,6 +93,8 @@ event.action:(ADD_PRIVILEGE or UPDATE_ROLE) [[google-workspace-role-modified-history]] ==== Rule version history -Version 2 (7.11.2 release):: +Version 3 (7.12.0 release):: * Formatting only +Version 2 (7.11.2 release):: +* Formatting only diff --git a/docs/detections/prebuilt-rules/rule-details/mfa-disabled-for-google-workspace-organization.asciidoc b/docs/detections/prebuilt-rules/rule-details/mfa-disabled-for-google-workspace-organization.asciidoc index 11bf9a32d7..9c251c85bf 100644 
--- a/docs/detections/prebuilt-rules/rule-details/mfa-disabled-for-google-workspace-organization.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/mfa-disabled-for-google-workspace-organization.asciidoc @@ -29,15 +29,15 @@ Detects when multi-factor authentication (MFA) is disabled for a Google Workspac * SecOps * Identity and Access -*Version*: 2 (<>) +*Version*: 3 (<>) *Added ({stack} release)*: 7.11.0 -*Last modified ({stack} release)*: 7.11.2 +*Last modified ({stack} release)*: 7.12.0 *Rule authors*: Elastic -*Rule license*: Elastic License +*Rule license*: Elastic License v2 ==== Potential false positives 
@@ -45,14 +45,23 @@ MFA settings may be modified by system administrators. Verify that the configura ==== Investigation guide -** Important Information Regarding Google Workspace Event Lag Times + +[source, markdown, subs="attributes"] +---------------------------------- +## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. - This rule is configured to run every 10 minutes with a lookback time of 130 minutes. - To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + ==== Rule query @@ -69,6 +78,8 @@ ALLOW_STRONG_AUTHENTICATION) and gsuite.admin.new_value:false [[mfa-disabled-for-google-workspace-organization-history]] ==== Rule version history -Version 2 (7.11.2 release):: +Version 3 (7.12.0 release):: * Formatting only +Version 2 (7.11.2 release):: +* Formatting only
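Review bot: the new `## Config` text says data from the Google Workspace Fleet integration or Filebeat module is required, and the reference now points at `filebeat-module-google_workspace.html`, yet the rule query left in context still keys on `gsuite.admin.new_value:false`; confirm that the field names the rule matches are the ones the linked module emits, otherwise the guide sends an analyst to the wrong docs. Two smaller points in the same block: the lag remedy only covers the Filebeat module (`var.interval`, default `2h`, suggested `10m`) and gives no equivalent for the Fleet integration the Config line now mentions; and `{branch}` in the link depends on `subs="attributes"` on the `[source, markdown]` block (present here) and on the `google_workspace` page existing for every branch this doc is built for, since the link it replaces pointed at `filebeat-module-gsuite.html`.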
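Review bot: `Version 3 (7.12.0 release):: * Formatting only` understates the change; in the same patch the investigation guide gains a `## Config` paragraph and a re-targeted module link, and the metadata block changes the license label to `Elastic License v2`. Either describe those in the version 3 entry or, if the rule content itself is unchanged and only the doc page was reworked, keep `Formatting only` but state that in the change description. The same applies to the identical history hunks in each of the four rule files in this patch.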