7f249e6cc4
* adding google workspace investigation guides
* updated 'Google Workspace Custom Gmail Route Created or Modified' guide
* updated 'Google Workspace Custom Gmail Route Created or Modified' guide
* updated 'Application Removed from Blocklist in Google Workspace'
* updated 'Domain Added to Google Workspace Trusted Domains'
* updated 'Google Workspace Bitlocker Setting Disabled'
* updated 'Google Workspace Admin Role Deletion'
* updated 'Application Added to Google Workspace Domain'
* updated 'Google Workspace Admin Role Assigned to a User'
* updated 'Google Workspace Role Modified'
* updated 'Google Workspace Custom Admin Role Created'
* updated 'Google Workspace API Access Granted via Domain-Wide Delegation of Authority'
* updated 'Google Workspace Password Policy Modified'
* updated 'Google Workspace Restrictions for Google Marketplace Modified to Allow Any App'
* updated 'Google Workspace User Organizational Unit Changed'
* reverted 'Google Workspace User Group Access Modified to Allow External Access'
* removed new lines
* added 'Investigation Guide' tags
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml  Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Apply suggestions from code review  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Apply suggestions from code review  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Apply suggestions from code review  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Apply suggestions from code review  Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>  Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Apply suggestions from code review  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* removed duplicate file

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
rules/
Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and make it hard to find what you're looking for. Each directory contains several `.toml` files, and the primary ATT&CK tactic is included in the file name when it's relevant (e.g. `windows/execution_via_compiled_html_file.toml`).
| folder | description |
|---|---|
| . | Root directory where rules are stored |
| apm/ | Rules that use Application Performance Monitoring (APM) data sources |
| cross-platform/ | Rules that apply to multiple platforms, such as Windows and Linux |
| integrations/ | Rules organized by Fleet integration |
| linux/ | Rules for Linux or other Unix based operating systems |
| macos/ | Rules for macOS |
| ml/ | Rules that use machine learning jobs (ML) |
| network/ | Rules that use network data sources |
| promotions/ | Rules that promote external alerts into detection engine alerts |
| windows/ | Rules for the Microsoft Windows Operating System |
Integration-specific rules are stored in the `integrations/` directory:
| folder | integration |
|---|---|
| aws/ | Amazon Web Services (AWS) |
| azure/ | Microsoft Azure |
| cyberarkpas/ | Cyber Ark Privileged Access Security |
| endpoint/ | Elastic Endpoint Security |
| gcp/ | Google Cloud Platform (GCP) |
| google_workspace/ | Google Workspace (formerly GSuite) |
| o365/ | Microsoft Office |
| okta/ | Okta |