From 23626b814c97c75126e487c0980bcb2bdbcd7582 Mon Sep 17 00:00:00 2001
From: David French <56409778+threat-punter@users.noreply.github.com>
Date: Wed, 21 Jul 2021 11:38:43 -0600
Subject: [PATCH] [Rule Tuning] Update Google Workspace rules to use google_workspace event schema (#1374)
* use google_workspace event schema
* update to use google_workspace schema
---
 .../google_workspace_mfa_enforcement_disabled.toml | 4 ++--
 .../google_workspace_policy_modified.toml | 10 +++++++++-
 ...mfa_disabled_for_google_workspace_organization.toml | 4 ++--
 3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/rules/google-workspace/google_workspace_mfa_enforcement_disabled.toml b/rules/google-workspace/google_workspace_mfa_enforcement_disabled.toml
index e3425b9b4..238657064 100644
--- a/rules/google-workspace/google_workspace_mfa_enforcement_disabled.toml
+++ b/rules/google-workspace/google_workspace_mfa_enforcement_disabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/21"
 [rule]
 author = ["Elastic"]
@@ -42,6 +42,6 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and gsuite.admin.new_value:false
+event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false)
 '''
diff --git a/rules/google-workspace/google_workspace_policy_modified.toml b/rules/google-workspace/google_workspace_policy_modified.toml
index 82d866fc3..40f32e080 100644
--- a/rules/google-workspace/google_workspace_policy_modified.toml
+++ b/rules/google-workspace/google_workspace_policy_modified.toml
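Review bot: The new `(gsuite.admin.new_value:false or google_workspace.admin.new_value:false)` clause at the end of the query says nothing about why both field names are needed, and the same edit appears in the last hunk of mfa_disabled_for_google_workspace_organization.toml. A comment above `query = '''` such as `# Both gsuite.* and google_workspace.* field names are queried so the rule keeps matching across the event-schema change; keep the two clauses in sync.` would stop a later cleanup from dropping one side. The query is also now a single very long line; splitting it per clause, the way google_workspace_policy_modified.toml already lays out its query, would make the two schema variants easier to review. Whether the gsuite.* names are meant to be retired later is not stated in the patch; if so, that comment is the place to say it.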
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/21"
 [rule]
 author = ["Elastic"]
@@ -51,6 +51,14 @@ event.dataset:(gsuite.admin or google_workspace.admin) and
 "Password Management - Enforce password policy at next login" or
 "Password Management - Minimum password length" or
 "Password Management - Maximum password length"
+ ) or
+ google_workspace.admin.setting.name:(
+ "Password Management - Enforce strong password" or
+ "Password Management - Password reset frequency" or
+ "Password Management - Enable password reuse" or
+ "Password Management - Enforce password policy at next login" or
+ "Password Management - Minimum password length" or
+ "Password Management - Maximum password length"
 )
 '''
diff --git a/rules/google-workspace/mfa_disabled_for_google_workspace_organization.toml b/rules/google-workspace/mfa_disabled_for_google_workspace_organization.toml
index ec34c9be9..bfe16810c 100644
--- a/rules/google-workspace/mfa_disabled_for_google_workspace_organization.toml
+++ b/rules/google-workspace/mfa_disabled_for_google_workspace_organization.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/21"
 [rule]
 author = ["Elastic"]
@@ -41,6 +41,6 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and gsuite.admin.new_value:false
+event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false)
 '''
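Review bot: The six `Password Management - …` setting names are now duplicated verbatim between the existing `gsuite.admin.setting.name:(` list and the new `google_workspace.admin.setting.name:(` list, so any future setting has to be added in two places, and a miss produces no error, only a silent coverage gap on one schema. If two explicit field names are the intended design (rather than, say, a wildcarded field name), a comment above `query = '''` should say so and flag the coupling: `# The setting-name list is repeated for the gsuite.* and google_workspace.* schemas; change both lists together.` The enclosing query string and the opening `gsuite.admin.setting.name:(` begin before this hunk.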