nldcsc-elastic-rules 0.0.8__py3-none-any.whl

nldcsc_elastic_rules/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

@@ -0,0 +1,125 @@
+[metadata]
+creation_date = "2022/08/25"
+integration = ["google_workspace"]
+maturity = "production"
+updated_date = "2024/09/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Google Workspace administrators may be aware of malicious applications within the Google marketplace and block these
+applications for user security purposes. An adversary, with administrative privileges, may remove this application from
+the explicit block list to allow distribution of the application amongst users. This may also indicate the unauthorized
+use of an application that had been previously blocked before by a user with admin privileges.
+"""
+false_positives = [
+    """
+    Applications can be added and removed from blocklists by Google Workspace administrators. Verify that the
+    configuration change was expected. Exceptions can be added to this rule to filter expected behavior.
+    """,
+]
+from = "now-130m"
+index = ["filebeat-*", "logs-google_workspace*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License v2"
+name = "Application Removed from Blocklist in Google Workspace"
+note = """## Triage and analysis
+
+### Investigating Application Removed from Blocklist in Google Workspace
+
+Google Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.
+
+Marketplace applications require access to specific Google Workspace resources. Individual users with the appropriate permissions can install applications in their Google Workspace domain. Administrators have additional permissions that allow them to install applications for an entire Google Workspace domain. Consent screens typically display permissions and privileges the user needs to install an application. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.
+
+Google clearly states that they are not responsible for any Marketplace product that originates from a source that isn't Google.
+
+This rule identifies a Marketplace blocklist update that consists of a Google Workspace account with administrative privileges manually removing a previously blocked application.
+
+#### Possible investigation steps
+
+- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.
+- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.
+- With access to the Google Workspace admin console, visit the `Security > Investigation` tool with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.
+- After identifying the involved user account, review other potentially related events within the last 48 hours.
+- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.
+- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.
+
+### False positive analysis
+
+- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.
+- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.
+- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Disable or limit the account during the investigation and response.
+- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
+    - Identify the account role in the cloud environment.
+    - Assess the criticality of affected services and servers.
+    - Work with your IT team to identify and minimize the impact on users.
+    - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
+    - Identify any regulatory or legal ramifications related to this activity.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
+- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
+- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+## Setup
+
+The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+### Important Information Regarding Google Workspace Event Lag Times
+- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
+- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
+- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
+- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
+- See the following references for further information:
+  - https://support.google.com/a/answer/7061566
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
+references = [
+    "https://support.google.com/a/answer/6328701?hl=en#",
+    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
+risk_score = 47
+rule_id = "495e5f2e-2480-11ed-bea8-f661ea17fbce"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: Google Workspace",
+    "Use Case: Configuration Audit",
+    "Resources: Investigation Guide",
+    "Tactic: Defense Evasion",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change"  and
+  event.action:"CHANGE_APPLICATION_SETTING" and
+  google_workspace.admin.application.name:"Google Workspace Marketplace" and
+  google_workspace.admin.old_value: *allowed*false* and google_workspace.admin.new_value: *allowed*true*
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

nldcsc_elastic_rules/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml

@@ -0,0 +1,117 @@
+[metadata]
+creation_date = "2020/11/17"
+integration = ["google_workspace"]
+maturity = "production"
+updated_date = "2024/09/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in
+order to collect and exfiltrate data from their target’s organization with less restrictive security controls.
+"""
+false_positives = [
+    """
+    Trusted domains may be added by system administrators. Verify that the configuration change was expected. Exceptions
+    can be added to this rule to filter expected behavior.
+    """,
+]
+from = "now-130m"
+index = ["filebeat-*", "logs-google_workspace*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License v2"
+name = "Domain Added to Google Workspace Trusted Domains"
+note = """## Triage and analysis
+
+### Investigating Domain Added to Google Workspace Trusted Domains
+
+Organizations use trusted domains in Google Workspace to give external users access to resources.
+
+A threat actor with administrative privileges may be able to add a malicious domain to the trusted domain list. Based on the configuration, potentially sensitive resources may be exposed or accessible by an unintended third-party.
+
+This rule detects when a third-party domain is added to the list of trusted domains in Google Workspace.
+
+#### Possible investigation steps
+
+- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.
+- After identifying the user, verify if the user should have administrative privileges to add external domains.
+- Check the `google_workspace.admin.domain.name` field to find the newly added domain.
+- Use reputational services, such as VirusTotal, for the trusted domain's third-party intelligence reputation.
+- Filter your data. Create a filter where `event.dataset` is `google_workspace.drive` and `google_workspace.drive.file.owner.email` is being compared to `user.email`.
+    - If mismatches are identified, this could indicate access from an external Google Workspace domain.
+
+### False positive analysis
+
+- Verify that the user account should have administrative privileges that allow them to edit trusted domains in Google Workspace.
+- Talk to the user to evaluate why they added the third-party domain and if the domain has confidentiality risks.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Disable or limit the account during the investigation and response.
+- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
+    - Identify the account role in the cloud environment.
+    - Assess the criticality of affected services and servers.
+    - Work with your IT team to identify and minimize the impact on users.
+    - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
+    - Identify any regulatory or legal ramifications related to this activity.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
+- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
+- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+## Setup
+
+The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+### Important Information Regarding Google Workspace Event Lag Times
+- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
+- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
+- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
+- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
+- See the following references for further information:
+  - https://support.google.com/a/answer/7061566
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
+references = [
+    "https://support.google.com/a/answer/6160020?hl=en",
+    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
+risk_score = 73
+rule_id = "cf549724-c577-4fd6-8f9b-d1b8ec519ec0"
+severity = "high"
+tags = [
+    "Domain: Cloud",
+    "Data Source: Google Workspace",
+    "Use Case: Configuration Audit",
+    "Tactic: Defense Evasion",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.007"
+name = "Disable or Modify Cloud Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/007/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

nldcsc_elastic_rules/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml

@@ -0,0 +1,118 @@
+[metadata]
+creation_date = "2022/09/06"
+integration = ["google_workspace"]
+maturity = "production"
+updated_date = "2024/09/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Google Workspace administrators whom manage Windows devices and have Windows device management enabled may also enable
+BitLocker drive encryption to mitigate unauthorized data access on lost or stolen computers. Adversaries with valid
+account access may disable BitLocker to access sensitive data on an endpoint added to Google Workspace device
+management.
+"""
+false_positives = [
+    """
+    Administrators may temporarily disabled Bitlocker on managed devices for maintenance, testing or to resolve
+    potential endpoint conflicts.
+    """,
+]
+from = "now-130m"
+index = ["filebeat-*", "logs-google_workspace*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License v2"
+name = "Google Workspace Bitlocker Setting Disabled"
+note = """## Triage and analysis
+
+### Investigating Google Workspace Bitlocker Setting Disabled
+
+BitLocker Drive Encryption is a data protection feature that integrates with the Windows operating system to address the data theft or exposure threats from lost, stolen, or inappropriately decommissioned computers. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, such as data encryption and rendering data inaccessible. Google Workspace can sync with Windows endpoints that are registered in inventory, where BitLocker can be enabled and disabled.
+
+Disabling Bitlocker on an endpoint decrypts data at rest and makes it accessible, which raises the risk of exposing sensitive endpoint data.
+
+This rule identifies a user with administrative privileges and access to the admin console, disabling BitLocker for Windows endpoints.
+
+#### Possible investigation steps
+
+- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.
+- After identifying the user, verify if the user should have administrative privileges to disable BitLocker on Windows endpoints.
+- From the Google Workspace admin console, review `Reporting > Audit` and `Investigation > Device` logs, filtering on the user email identified from the alert.
+    - If a Google Workspace user logged into their account using a potentially compromised account, this will create an `Device sync event` event.
+
+### False positive analysis
+
+- An administrator may have intentionally disabled BitLocker for routine maintenance or endpoint updates.
+   - Verify with the user that they intended to disable BitLocker on Windows endpoints.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Disable or limit the account during the investigation and response.
+- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
+    - Identify the account role in the cloud environment.
+    - Assess the criticality of affected services and servers.
+    - Work with your IT team to identify and minimize the impact on users.
+    - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
+    - Identify any regulatory or legal ramifications related to this activity.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
+- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
+- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+## Setup
+
+The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+### Important Information Regarding Google Workspace Event Lag Times
+- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
+- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
+- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
+- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
+- See the following references for further information:
+  - https://support.google.com/a/answer/7061566
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
+references = [
+    "https://support.google.com/a/answer/9176657?hl=en",
+    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
+risk_score = 47
+rule_id = "7caa8e60-2df0-11ed-b814-f661ea17fbce"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: Google Workspace",
+    "Use Case: Configuration Audit",
+    "Tactic: Defense Evasion",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration)
+    and google_workspace.admin.new_value:"Disabled" and google_workspace.admin.setting.name:BitLocker*
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

nldcsc_elastic_rules/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml

@@ -0,0 +1,133 @@
+[metadata]
+creation_date = "2023/03/30"
+integration = ["google_workspace"]
+maturity = "production"
+updated_date = "2025/02/19"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant
+permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could
+allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges.
+"""
+false_positives = [
+    """
+    Developers may leverage third-party applications for legitimate purposes in Google Workspace such as for
+    administrative tasks.
+    """,
+]
+from = "now-130m"
+index = ["filebeat-*", "logs-google_workspace*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License v2"
+name = "First Time Seen Google Workspace OAuth Login from Third-Party Application"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating First Time Seen Google Workspace OAuth Login from Third-Party Application
+
+OAuth is a protocol that allows third-party applications to access user data without exposing credentials, enhancing security in Google Workspace. However, adversaries can exploit OAuth by using compromised credentials to gain unauthorized access, mimicking legitimate users. The detection rule identifies unusual OAuth logins by monitoring authorization events linked to new third-party applications, flagging potential misuse for further investigation.
+
+### Possible investigation steps
+
+- Review the event details to identify the specific third-party application involved by examining the google_workspace.token.client.id field.
+- Check the google_workspace.token.scope.data field to understand the scope of permissions granted to the third-party application and assess if they align with expected usage.
+- Investigate the user account associated with the OAuth authorization event to determine if there are any signs of compromise or unusual activity.
+- Correlate the timestamp of the OAuth login event with other security logs to identify any concurrent suspicious activities or anomalies.
+- Verify if the third-party application is known and authorized within the organization by consulting with relevant stakeholders or reviewing application whitelists.
+- Assess the risk and impact of the OAuth login by considering the privileges of the user account and the sensitivity of the accessed resources.
+
+### False positive analysis
+
+- New legitimate third-party applications: Users may frequently integrate new third-party applications for productivity or collaboration. To manage this, maintain a whitelist of known and trusted applications and exclude them from triggering alerts.
+- Regular updates to existing applications: Some applications may update their OAuth client IDs during version upgrades. Monitor application update logs and adjust the detection rule to exclude these known updates.
+- Internal development and testing: Organizations developing their own applications may trigger this rule during testing phases. Coordinate with development teams to identify and exclude these internal applications from alerts.
+- Frequent use of service accounts: Service accounts used for automation or integration purposes might appear as new logins. Document and exclude these service accounts from the detection rule to prevent false positives.
+
+### Response and remediation
+
+- Immediately revoke the OAuth token associated with the suspicious third-party application to prevent further unauthorized access.
+- Conduct a thorough review of the affected user's account activity to identify any unauthorized actions or data access that may have occurred.
+- Reset the credentials of the affected user and any other users who may have been compromised, ensuring that strong, unique passwords are used.
+- Notify the affected user and relevant stakeholders about the incident, providing guidance on recognizing phishing attempts and securing their accounts.
+- Implement additional monitoring for the affected user and similar OAuth authorization events to detect any further suspicious activity.
+- Escalate the incident to the security operations team for a deeper investigation into potential lateral movement or data exfiltration.
+- Review and update OAuth application permissions and policies to ensure that only trusted applications have access to sensitive data and services.
+
+## Setup
+
+The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+### Important Information Regarding Google Workspace Event Lag Times
+- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
+- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
+- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
+- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
+- See the following references for further information:
+  - https://support.google.com/a/answer/7061566
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
+references = [
+    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two",
+    "https://developers.google.com/apps-script/guides/bound",
+    "https://developers.google.com/identity/protocols/oauth2",
+]
+risk_score = 47
+rule_id = "21bafdf0-cf17-11ed-bd57-f661ea17fbcc"
+severity = "medium"
+tags = ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Defense Evasion", "Tactic: Initial Access", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: "google_workspace.token" and event.action: "authorize" and
+google_workspace.token.scope.data: *Login and google_workspace.token.client.id: *apps.googleusercontent.com
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["google_workspace.token.client.id"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-15d"
+
+

nldcsc_elastic_rules/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml

@@ -0,0 +1,126 @@
+[metadata]
+creation_date = "2022/08/25"
+integration = ["google_workspace"]
+maturity = "production"
+updated_date = "2024/09/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace.
+Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed
+within Google Workspace. Administrators should set restrictions to not allow any application from the marketplace for
+security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google
+Workspace environment prior to distributing the malicious APK to the end user.
+"""
+false_positives = [
+    """
+    Applications can be added and removed from blocklists by Google Workspace administrators, but they can all be
+    explicitly allowed for users. Verify that the configuration change was expected. Exceptions can be added to this
+    rule to filter expected behavior.
+    """,
+]
+from = "now-9m"
+index = ["filebeat-*", "logs-google_workspace*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Google Workspace Restrictions for Marketplace Modified to Allow Any App"
+note = """## Triage and analysis
+
+### Investigating Google Workspace Restrictions for Marketplace Modified to Allow Any App
+
+Google Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.
+
+Marketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.
+
+Google clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.
+
+This rule identifies when the global allow-all setting is enabled for Google Workspace Marketplace applications.
+
+#### Possible investigation steps
+
+- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.
+- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.
+- Search for `event.action` is `ADD_APPLICATION` to identify applications installed after these changes were made.
+    - The `google_workspace.admin.application.name` field will help identify what applications were added.
+- With the user account, review other potentially related events within the last 48 hours.
+- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.
+- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.
+
+### False positive analysis
+
+- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.
+- Google Workspace administrators may intentionally add an application from the marketplace based on organizational needs.
+    - Follow up with the user who added the application to ensure this was intended.
+- Verify the application identified has been assessed thoroughly by an administrator.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Disable or limit the account during the investigation and response.
+- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
+    - Identify the account role in the cloud environment.
+    - Assess the criticality of affected services and servers.
+    - Work with your IT team to identify and minimize the impact on users.
+    - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
+    - Identify any regulatory or legal ramifications related to this activity.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
+- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
+- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+## Setup
+
+The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+### Important Information Regarding Google Workspace Event Lag Times
+- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
+- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
+- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
+- See the following references for further information:
+  - https://support.google.com/a/answer/7061566
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
+references = [
+    "https://support.google.com/a/answer/6089179?hl=en",
+    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
+risk_score = 47
+rule_id = "a2795334-2499-11ed-9e1a-f661ea17fbce"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: Google Workspace",
+    "Use Case: Configuration Audit",
+    "Tactic: Defense Evasion",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration)
+    and google_workspace.event.type:"APPLICATION_SETTINGS" and google_workspace.admin.application.name:"Google Workspace Marketplace"
+        and google_workspace.admin.setting.name:"Apps Access Setting Allowlist access"  and google_workspace.admin.new_value:"ALLOW_ALL"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+