From 8c19e9ff6c0f29bfd0930c4d511eaf93127effef Mon Sep 17 00:00:00 2001 From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Mon, 12 Sep 2022 16:06:01 -0400 Subject: [PATCH] [New Rule] Bitlocker Settings Disabled - Google Workspace (#2288) * adding new rule * adjusted UUID --- ..._workspace_bitlocker_setting_disabled.toml | 80 +++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml new file mode 100644 index 000000000..6ee71ec82 --- /dev/null +++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml @@ -0,0 +1,80 @@ +[metadata] +creation_date = "2022/09/06" +integration = "google_workspace" +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/09/06" + +[rule] +author = ["Elastic"] +description = """ +Google Workspace administrators whom manage Windows devices and have Windows device management enabled may also enable +BitLocker drive encryption to mitigate unauthorized data access on lost or stolen computers. Adversaries with valid +account access may disable BitLocker to access sensitive data on an endpoint added to Google Workspace device +management. +""" +false_positives = [ + """ + Administrators may temporarily disabled Bitlocker on managed devices for maintenance, testing or to resolve + potential endpoint conflicts. + """, +] +from = "now-130m" +index = ["filebeat-*", "logs-google_workspace*"] +interval = "10m" +language = "kuery" +license = "Elastic License v2" +name = "Google Workspace Bitlocker Setting Disabled" +note = """## Setup + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- This rule is configured to run every 10 minutes with a lookback time of 130 minutes. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). +- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html""" +references = ["https://support.google.com/a/answer/9176657?hl=en"] +risk_score = 47 +rule_id = "7caa8e60-2df0-11ed-b814-f661ea17fbce" +severity = "medium" +tags = [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Defense Evasion", +] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) + and google_workspace.admin.new_value:"Disabled" and google_workspace.admin.setting.name:BitLocker* +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +