-
Notifications
You must be signed in to change notification settings - Fork 517
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[New Rule] Restrictions for Google Marketplace Modified to Allow Any …
…App - Google Workspace (#2268) * adding new rule * adjusted UUID to address unit testing failures * adjusted UUID to address unit testing failures * adjusted references (cherry picked from commit 6a6ef0c)
- Loading branch information
1 parent
38bbb57
commit 0b38f9d
Showing
1 changed file
with
83 additions
and
0 deletions.
There are no files selected for viewing
83 changes: 83 additions & 0 deletions
83
...vasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,83 @@ | ||
| [metadata] | ||
| creation_date = "2022/08/25" | ||
| integration = "google_workspace" | ||
| maturity = "production" | ||
| min_stack_comments = "New fields added: required_fields, related_integrations, setup" | ||
| min_stack_version = "8.3.0" | ||
| updated_date = "2022/08/25" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace. | ||
| Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed | ||
| within Google Workspace. Administrators should set restrictions to not allow any application from the marketplace for | ||
| security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google | ||
| Workspace environment prior to distributing the malicious APK to the end user. | ||
| """ | ||
| false_positives = [ | ||
| """ | ||
| Applications can be added and removed from blocklists by Google Workspace administrators, but they can all be | ||
| explicitly allowed for users. Verify that the configuration change was expected. Exceptions can be added to this | ||
| rule to filter expected behavior. | ||
| """, | ||
| ] | ||
| from = "now-130m" | ||
| index = ["filebeat-*", "logs-google_workspace*"] | ||
| interval = "10m" | ||
| language = "kuery" | ||
| license = "Elastic License v2" | ||
| name = "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App" | ||
| note = """## Setup | ||
| The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. | ||
| ### Important Information Regarding Google Workspace Event Lag Times | ||
| - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. | ||
| - This rule is configured to run every 10 minutes with a lookback time of 130 minutes. | ||
| - To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. | ||
| - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). | ||
| - See the following references for further information: | ||
| - https://support.google.com/a/answer/7061566 | ||
| - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html""" | ||
| references = ["https://support.google.com/a/answer/6089179?hl=en"] | ||
| risk_score = 47 | ||
| rule_id = "a2795334-2499-11ed-9e1a-f661ea17fbce" | ||
| severity = "medium" | ||
| tags = [ | ||
| "Elastic", | ||
| "Cloud", | ||
| "Google Workspace", | ||
| "Continuous Monitoring", | ||
| "SecOps", | ||
| "Configuration Audit", | ||
| "Defense Evasion", | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "query" | ||
|
|
||
| query = ''' | ||
| event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) | ||
| and google_workspace.event.type:"APPLICATION_SETTINGS" and google_workspace.admin.application.name:"Google Workspace Marketplace" | ||
| and google_workspace.admin.setting.name:"Apps Access Setting Allowlist access" and google_workspace.admin.new_value:"ALLOW_ALL" | ||
| ''' | ||
|
|
||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1562" | ||
| name = "Impair Defenses" | ||
| reference = "https://attack.mitre.org/techniques/T1562/" | ||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1562.001" | ||
| name = "Disable or Modify Tools" | ||
| reference = "https://attack.mitre.org/techniques/T1562/001/" | ||
|
|
||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0005" | ||
| name = "Defense Evasion" | ||
| reference = "https://attack.mitre.org/tactics/TA0005/" | ||
|
|