[Rule Tuning] Tuning Google Workspace Rules and File Name Length Reduction (#3849)
* tuning google workspace rules * removed verbiage about runtime
This commit is contained in:
Terrance DeJesus
+4
-6
@@ -2,7 +2,7 @@
|
||||
creation_date = "2022/08/25"
|
||||
integration = ["google_workspace"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/28"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -20,15 +20,14 @@ false_positives = [
|
||||
rule to filter expected behavior.
|
||||
""",
|
||||
]
|
||||
from = "now-130m"
|
||||
from = "now-9m"
|
||||
index = ["filebeat-*", "logs-google_workspace*"]
|
||||
interval = "10m"
|
||||
language = "kuery"
|
||||
license = "Elastic License v2"
|
||||
name = "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App"
|
||||
name = "Google Workspace Restrictions for Marketplace Modified to Allow Any App"
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Google Workspace Restrictions for Google Marketplace Modified to Allow Any App
|
||||
### Investigating Google Workspace Restrictions for Marketplace Modified to Allow Any App
|
||||
|
||||
Google Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.
|
||||
|
||||
@@ -77,7 +76,6 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
|
||||
|
||||
### Important Information Regarding Google Workspace Event Lag Times
|
||||
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
|
||||
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
|
||||
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
|
||||
- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
|
||||
- See the following references for further information:
|
||||
+4
-6
@@ -2,7 +2,7 @@
|
||||
creation_date = "2023/03/07"
|
||||
integration = ["google_workspace"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/28"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -23,15 +23,14 @@ false_positives = [
|
||||
container-bound scripts to accomplish a legitimate task.
|
||||
""",
|
||||
]
|
||||
from = "now-130m"
|
||||
from = "now-9m"
|
||||
index = ["filebeat-*", "logs-google_workspace*"]
|
||||
interval = "10m"
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Google Workspace Object Copied from External Drive and Access Granted to Custom Application"
|
||||
name = "Google Workspace Object Copied to External Drive with App Consent"
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Google Workspace Resource Copied from External Drive and Access Granted to Custom Application
|
||||
### Investigating Google Workspace Object Copied to External Drive with App Consent
|
||||
|
||||
Google Workspace users can share access to Drive objects such as documents, sheets, and forms via email delivery or a shared link. Shared link URIs have parameters like `view` or `edit` to indicate the recipient's permissions. The `copy` parameter allows the recipient to copy the object to their own Drive, which grants the object with the same privileges as the recipient. Specific objects in Google Drive allow container-bound scripts that run on Google's Apps Script platform. Container-bound scripts can contain malicious code that executes with the recipient's privileges if in their Drive.
|
||||
|
||||
@@ -75,7 +74,6 @@ This rule aims to detect when a user copies an external Drive object to their Dr
|
||||
The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
|
||||
### Important Information Regarding Google Workspace Event Lag Times
|
||||
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
|
||||
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
|
||||
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
|
||||
- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
|
||||
- See the following references for further information:
|
||||
+9
-7
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/11/12"
|
||||
integration = ["google_workspace"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/28"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -17,15 +17,14 @@ false_positives = [
|
||||
configuration change was expected. Exceptions can be added to this rule to filter expected behavior.
|
||||
""",
|
||||
]
|
||||
from = "now-130m"
|
||||
from = "now-9m"
|
||||
index = ["filebeat-*", "logs-google_workspace*"]
|
||||
interval = "10m"
|
||||
language = "kuery"
|
||||
license = "Elastic License v2"
|
||||
name = "Google Workspace API Access Granted via Domain-Wide Delegation of Authority"
|
||||
name = "Google Workspace API Access Granted via Domain-Wide Delegation"
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating API Access Granted via Domain-Wide Delegation of Authority
|
||||
### Investigating Google Workspace API Access Granted via Domain-Wide Delegation
|
||||
|
||||
Domain-wide delegation is a feature that allows apps to access users' data across an organization's Google Workspace environment. Only super admins can manage domain-wide delegation, and they must specify each API scope that the application can access. Google Workspace services all have APIs that can be interacted with after domain-wide delegation is established with an OAuth2 client ID of the application. Typically, GCP service accounts and applications are created where the Google Workspace APIs are enabled, thus allowing the application to access resources and services in Google Workspace.
|
||||
|
||||
@@ -71,7 +70,6 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
|
||||
|
||||
### Important Information Regarding Google Workspace Event Lag Times
|
||||
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
|
||||
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
|
||||
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
|
||||
- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
|
||||
- See the following references for further information:
|
||||
@@ -92,7 +90,11 @@ timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS
|
||||
event.dataset:google_workspace.admin
|
||||
and event.provider:admin
|
||||
and event.category:iam
|
||||
and event.action:AUTHORIZE_API_CLIENT_ACCESS
|
||||
and event.outcome:success
|
||||
'''
|
||||
|
||||
|
||||
Reference in New Issue
Block a user