security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Bitlocker Settings Disabled - Google Workspace (#2288)

Browse Source 
* adding new rule

* adjusted UUID
This commit is contained in:
Terrance DeJesus
2022-09-12 16:06:01 -04:00
committed by GitHub
parent 0358ec9d9a
commit 8c19e9ff6c
1 changed files with 80 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
+80
View File
@@ -0,0 +1,80 @@
[metadata]
creation_date = "2022/09/06"
integration = "google_workspace"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/06"
[rule]
author = ["Elastic"]
description = """
Google Workspace administrators whom manage Windows devices and have Windows device management enabled may also enable
BitLocker drive encryption to mitigate unauthorized data access on lost or stolen computers. Adversaries with valid
account access may disable BitLocker to access sensitive data on an endpoint added to Google Workspace device
management.
"""
false_positives = [
"""
Administrators may temporarily disabled Bitlocker on managed devices for maintenance, testing or to resolve
potential endpoint conflicts.
""",
]
from = "now-130m"
index = ["filebeat-*", "logs-google_workspace*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "Google Workspace Bitlocker Setting Disabled"
note = """## Setup
The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
### Important Information Regarding Google Workspace Event Lag Times
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
- See the following references for further information:
- https://support.google.com/a/answer/7061566
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = ["https://support.google.com/a/answer/9176657?hl=en"]
risk_score = 47
rule_id = "7caa8e60-2df0-11ed-b814-f661ea17fbce"
severity = "medium"
tags = [
"Elastic",
"Cloud",
"Google Workspace",
"Continuous Monitoring",
"SecOps",
"Configuration Audit",
"Defense Evasion",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration)
and google_workspace.admin.new_value:"Disabled" and google_workspace.admin.setting.name:BitLocker*
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"