[New Rule] Application Removed from Blocklist - Google Workspace (#2267)

* adding new rule * Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-08-26 12:16:41 -04:00
parent 97e42d01d8
commit e5399bc148
1 changed files with 82 additions and 0 deletions
@@ -0,0 +1,82 @@
+[metadata]
+creation_date = "2022/08/25"
+integration = "google_workspace"
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/25"
+
+[rule]
+author = ["Elastic"]
+description = """
+Google Workspace administrators may be aware of malicious applications within the Google marketplace and block these
+applications for user security purposes. An adversary, with administrative privileges, may remove this application from
+the explicit block list to allow distribution of the application amongst users. This may also indicate the unauthorized
+use of an application that had been previously blocked before by a user with admin privileges.
+"""
+false_positives = [
+    """
+    Applications can be added and removed from blocklists by Google Workspace administrators. Verify that the
+    configuration change was expected. Exceptions can be added to this rule to filter expected behavior.
+    """,
+]
+from = "now-130m"
+index = ["filebeat-*", "logs-google_workspace*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License v2"
+name = "Application Removed from Blocklist in Google Workspace"
+note = """## Setup
+
+The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+### Important Information Regarding Google Workspace Event Lag Times
+- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
+- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
+- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
+- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
+- See the following references for further information:
+  - https://support.google.com/a/answer/7061566
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
+references = ["https://support.google.com/a/answer/6328701?hl=en#"]
+risk_score = 47
+rule_id = "495e5f2e-2480-11ed-bea8-f661ea17fbce"
+severity = "medium"
+tags = [
+    "Elastic",
+    "Cloud",
+    "Google Workspace",
+    "Continuous Monitoring",
+    "SecOps",
+    "Configuration Audit",
+    "Impair Defenses",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change"  and
+  event.action:"CHANGE_APPLICATION_SETTING" and
+  google_workspace.admin.application.name:"Google Workspace Marketplace" and
+  google_workspace.admin.old_value: *allowed*false* and google_workspace.admin.new_value: *allowed*true*
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+