From b6d1c1476ba78a06413baf0fc4c8aeadab2a24c7 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Tue, 25 Jan 2022 22:51:20 -0300
Subject: [PATCH] [Rule Tuning] Update Google Workspace rules to remove compatibility with deprecated gsuite integration (#1706)
* Adjust queries and min_stack_version
* Update reference to the filebeat module
* adjust min_stack_version
---
...cation_added_to_google_workspace_domain.toml | 8 +++++---
...ded_to_google_workspace_trusted_domains.toml | 8 +++++---
.../google_workspace_admin_role_deletion.toml | 8 +++++---
...ogle_workspace_mfa_enforcement_disabled.toml | 8 +++++---
.../google_workspace_policy_modified.toml | 17 +++++------------
...abled_for_google_workspace_organization.toml | 8 +++++---
...e_workspace_admin_role_assigned_to_user.toml | 8 +++++---
...via_domain_wide_delegation_of_authority.toml | 8 +++++---
...gle_workspace_custom_admin_role_created.toml | 8 +++++---
...sistence_google_workspace_role_modified.toml | 8 +++++---
10 files changed, 50 insertions(+), 39 deletions(-)
diff --git a/rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml b/rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml
index d24110713..b9eeb730a 100644
--- a/rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml
+++ b/rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/01/13"
 integration = "google_workspace"
+min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
+min_stack_version = "8.0"
 [rule]
 author = ["Elastic"]
@@ -34,7 +36,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
- - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html"""
+ - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
 references = ["https://support.google.com/a/answer/6328701?hl=en#"]
 risk_score = 47
 rule_id = "785a404b-75aa-4ffd-8be5-3334a5a544dd"
@@ -44,6 +46,6 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION
+event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION
 '''
diff --git a/rules/integrations/google_workspace/domain_added_to_google_workspace_trusted_domains.toml b/rules/integrations/google_workspace/domain_added_to_google_workspace_trusted_domains.toml
index c0e07a538..0f74df988 100644
--- a/rules/integrations/google_workspace/domain_added_to_google_workspace_trusted_domains.toml
+++ b/rules/integrations/google_workspace/domain_added_to_google_workspace_trusted_domains.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/01/13"
 integration = "google_workspace"
+min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
+min_stack_version = "8.0"
 [rule]
 author = ["Elastic"]
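Review bot: Dropping `gsuite.admin` from `event.dataset` in the query hunk means an 8.x deployment that still ingests through the legacy Filebeat `gsuite` module gets no alerts from this rule, and nothing in the patch tells the operator so; `min_stack_version = "8.0"` gates where the rule installs, not which data source feeds it. The rule's `note` text in the first hunk still reads "The Google Workspace Fleet integration, Filebeat module, or similarly structured", which suggests the old module data is still acceptable. I would add a sentence to that `note`, such as `This rule only evaluates events in the google_workspace.admin dataset; events shipped by the deprecated gsuite Filebeat module are not matched.` The same caveat applies to the other nine rules changed in this patch.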
@@ -33,7 +35,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
- - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html"""
+ - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
 references = ["https://support.google.com/a/answer/6160020?hl=en"]
 risk_score = 73
 rule_id = "cf549724-c577-4fd6-8f9b-d1b8ec519ec0"
@@ -43,6 +45,6 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS
+event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS
 '''
diff --git a/rules/integrations/google_workspace/google_workspace_admin_role_deletion.toml b/rules/integrations/google_workspace/google_workspace_admin_role_deletion.toml
index cbbcea1fa..66b14b03f 100644
--- a/rules/integrations/google_workspace/google_workspace_admin_role_deletion.toml
+++ b/rules/integrations/google_workspace/google_workspace_admin_role_deletion.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/01/13"
 integration = "google_workspace"
+min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
+min_stack_version = "8.0"
 [rule]
 author = ["Elastic"]
@@ -33,7 +35,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
- - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html"""
+ - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
 references = ["https://support.google.com/a/answer/2406043?hl=en"]
 risk_score = 47
 rule_id = "93e63c3e-4154-4fc6-9f86-b411e0987bbf"
@@ -43,6 +45,6 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:DELETE_ROLE
+event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE
 '''
diff --git a/rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml b/rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml
index ee9dd5e6b..e35474532 100644
--- a/rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml
+++ b/rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/07/21"
+updated_date = "2022/01/13"
 integration = "google_workspace"
+min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
+min_stack_version = "8.0"
 [rule]
 author = ["Elastic"]
@@ -33,7 +35,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
- - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html"""
+ - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
 references = ["https://support.google.com/a/answer/9176657?hl=en#"]
 risk_score = 47
 rule_id = "cad4500a-abd7-4ef3-b5d3-95524de7cfe1"
@@ -43,6 +45,6 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false)
+event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and google_workspace.admin.new_value:false
 '''
diff --git a/rules/integrations/google_workspace/google_workspace_policy_modified.toml b/rules/integrations/google_workspace/google_workspace_policy_modified.toml
index ad0dff0d1..e9f726315 100644
--- a/rules/integrations/google_workspace/google_workspace_policy_modified.toml
+++ b/rules/integrations/google_workspace/google_workspace_policy_modified.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/07/21"
+updated_date = "2022/01/13"
 integration = "google_workspace"
+min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
+min_stack_version = "8.0"
 [rule]
 author = ["Elastic"]
@@ -33,7 +35,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
- - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html"""
+ - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
 risk_score = 47
 rule_id = "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73"
 severity = "medium"
@@ -42,17 +44,8 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(gsuite.admin or google_workspace.admin) and
- event.provider:admin and event.category:iam and
+event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and
 event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and
- gsuite.admin.setting.name:(
- "Password Management - Enforce strong password" or
- "Password Management - Password reset frequency" or
- "Password Management - Enable password reuse" or
- "Password Management - Enforce password policy at next login" or
- "Password Management - Minimum password length" or
- "Password Management - Maximum password length"
- ) or
 google_workspace.admin.setting.name:(
 "Password Management - Enforce strong password" or
 "Password Management - Password reset frequency" or
diff --git a/rules/integrations/google_workspace/mfa_disabled_for_google_workspace_organization.toml b/rules/integrations/google_workspace/mfa_disabled_for_google_workspace_organization.toml
index 7323d1b90..c1367c02e 100644
--- a/rules/integrations/google_workspace/mfa_disabled_for_google_workspace_organization.toml
+++ b/rules/integrations/google_workspace/mfa_disabled_for_google_workspace_organization.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/07/21"
+updated_date = "2022/01/13"
 integration = "google_workspace"
+min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
+min_stack_version = "8.0"
 [rule]
 author = ["Elastic"]
@@ -33,7 +35,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
- - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html"""
+ - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
 risk_score = 47
 rule_id = "e555105c-ba6d-481f-82bb-9b633e7b4827"
 severity = "medium"
@@ -42,6 +44,6 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false)
+event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false
 '''
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
index 00acb03fb..24dd58a2e 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
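Review bot: The rewritten query in the last hunk, `event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false`, is a strict superset of the `google_workspace_mfa_enforcement_disabled` query changed earlier in this patch, which matches the same dataset, provider, category, the `ENFORCE_STRONG_AUTHENTICATION` action and `new_value:false`; every enforcement-disabled event will raise two alerts under two rule_ids. The overlap pre-dates this patch, but both queries are being rewritten here, so it is the moment to decide whether it is intended: either narrow this rule to `event.action:ALLOW_STRONG_AUTHENTICATION and google_workspace.admin.new_value:false`, or state in its `note` that it deliberately also covers the enforcement case. The hunk's own change, dropping the gsuite fallback, is consistent with the rest of the patch.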
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/01/13"
 integration = "google_workspace"
+min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
+min_stack_version = "8.0"
 [rule]
 author = ["Elastic"]
@@ -33,7 +35,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
- - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html"""
+ - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
 references = ["https://support.google.com/a/answer/172176?hl=en"]
 risk_score = 47
 rule_id = "68994a6c-c7ba-4e82-b476-26a26877adf6"
@@ -43,7 +45,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ASSIGN_ROLE
+event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ASSIGN_ROLE
 '''
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
index 49df4516d..56c3d228e 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/12"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/01/13"
 integration = "google_workspace"
+min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
+min_stack_version = "8.0"
 [rule]
 author = ["Elastic"]
@@ -34,7 +36,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
- - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html"""
+ - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
 references = ["https://developers.google.com/admin-sdk/directory/v1/guides/delegation"]
 risk_score = 47
 rule_id = "acbc8bb9-2486-49a8-8779-45fb5f9a93ee"
@@ -44,7 +46,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS
+event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS
 '''
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
index 4da52fb11..8eb94cf27 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/01/13"
 integration = "google_workspace"
+min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
+min_stack_version = "8.0"
 [rule]
 author = ["Elastic"]
@@ -33,7 +35,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
- - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html"""
+ - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
 references = ["https://support.google.com/a/answer/2406043?hl=en"]
 risk_score = 47
 rule_id = "ad3f2807-2b3e-47d7-b282-f84acbbe14be"
@@ -43,7 +45,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:CREATE_ROLE
+event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE
 '''
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
index 0f118af65..3a8074019 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/01/13"
 integration = "google_workspace"
+min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
+min_stack_version = "8.0"
 [rule]
 author = ["Elastic"]
@@ -33,7 +35,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
- - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html"""
+ - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
 references = ["https://support.google.com/a/answer/2406043?hl=en"]
 risk_score = 47
 rule_id = "6f435062-b7fc-4af9-acea-5b1ead65c5a5"
@@ -43,7 +45,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)
+event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)
 '''