security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] 2SV Policy Disabled - Google Workspace (#2271)

Browse Source 
* adding new rule

* adjusted file name, query and rule name
This commit is contained in:
Terrance DeJesus
2022-08-26 12:22:54 -04:00
committed by GitHub
parent e5399bc148
commit c0a339e277
1 changed files with 75 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
+75
View File
@@ -0,0 +1,75 @@
[metadata]
creation_date = "2022/08/26"
integration = "google_workspace"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/26"
[rule]
author = ["Elastic"]
description = """
Google Workspace admins may setup 2-step verification (2SV) to add an extra layer of security to user accounts by asking
users to verify their identity when they use login credentials. Admins have the ability to enforce 2SV from the admin
console as well as the methods acceptable for verification and enrollment period. 2SV requires enablement on admin
accounts prior to it being enabled for users within organization units. Adversaries may disable 2SV to lower the
security requirements to access a valid account.
"""
false_positives = [
"""
Administrators may remove 2-step verification (2SV) temporarily for testing or during maintenance. If 2SV was
previously enabled, it is not common to disable this policy for extended periods of time.
""",
]
from = "now-130m"
index = ["filebeat-*", "logs-google_workspace*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "Google Workspace 2SV Policy Disabled"
note = """## Setup
The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
### Important Information Regarding Google Workspace Event Lag Times
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
- See the following references for further information:
- https://support.google.com/a/answer/7061566
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = ["https://support.google.com/a/answer/9176657?hl=en"]
risk_score = 47
rule_id = "5e161522-2545-11ed-ac47-f661ea17fbce"
severity = "medium"
tags = [
"Elastic",
"Cloud",
"Google Workspace",
"Continuous Monitoring",
"SecOps",
"Configuration Audit",
"Persistence",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:"google_workspace.admin" and event.action:"2sv_disable"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"