diff --git a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
new file mode 100644
index 000000000..1be1700bb
--- /dev/null
+++ b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
@@ -0,0 +1,82 @@
+[metadata]
+creation_date = "2022/08/25"
+integration = "google_workspace"
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/25"
+
+[rule]
+author = ["Elastic"]
+description = """
+Google Workspace administrators may be aware of malicious applications within the Google marketplace and block these
+applications for user security purposes. An adversary, with administrative privileges, may remove this application from
+the explicit block list to allow distribution of the application amongst users. This may also indicate the unauthorized
+use of an application that had been previously blocked before by a user with admin privileges.
+"""
+false_positives = [
+    """
+    Applications can be added and removed from blocklists by Google Workspace administrators. Verify that the
+    configuration change was expected. Exceptions can be added to this rule to filter expected behavior.
+    """,
+]
+from = "now-130m"
+index = ["filebeat-*", "logs-google_workspace*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License v2"
+name = "Application Removed from Blocklist in Google Workspace"
+note = """## Setup
+
+The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+### Important Information Regarding Google Workspace Event Lag Times
+- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
+- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
+- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
+- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
+- See the following references for further information:
+  - https://support.google.com/a/answer/7061566
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
+references = ["https://support.google.com/a/answer/6328701?hl=en#"]
+risk_score = 47
+rule_id = "495e5f2e-2480-11ed-bea8-f661ea17fbce"
+severity = "medium"
+tags = [
+    "Elastic",
+    "Cloud",
+    "Google Workspace",
+    "Continuous Monitoring",
+    "SecOps",
+    "Configuration Audit",
+    "Impair Defenses",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change" and
+  event.action:"CHANGE_APPLICATION_SETTING" and
+  google_workspace.admin.application.name:"Google Workspace Marketplace" and
+  google_workspace.admin.old_value: *allowed*false* and google_workspace.admin.new_value: *allowed*true*
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
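Review bot: The value match in `query` — `google_workspace.admin.old_value: *allowed*false*` and `google_workspace.admin.new_value: *allowed*true*` — is a substring pattern over whatever the admin log serialises into those fields, so any `CHANGE_APPLICATION_SETTING` event on the Marketplace application whose value blob contains `allowed` followed somewhere by `false`/`true` will fire, and nothing in the query pins the specific setting being changed. If the admin dataset populates a setting-name field for this event (other Google Workspace rules key on `google_workspace.admin.setting.name` — confirm it is set for `CHANGE_APPLICATION_SETTING`), adding it as a term would anchor the detection to the block-list setting rather than to the shape of the value. Leading-wildcard terms are also the most expensive KQL form and will not behave as written if `old_value`/`new_value` are mapped as analysed `text` rather than `keyword`, so the assumed mapping is worth a sentence in `note`. I would also record the expected value shape the pattern targets in `note`, e.g. "The rule matches a setting value transition of the form `{"allowed": false}` → `{"allowed": true}`; re-check this pattern if the Marketplace setting payload format changes," so the wildcard can be re-validated when the log schema moves.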