nldcsc-elastic-rules 0.0.8__py3-none-any.whl

nldcsc_elastic_rules/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml

@@ -0,0 +1,134 @@
+[metadata]
+creation_date = "2023/03/07"
+integration = ["google_workspace"]
+maturity = "production"
+updated_date = "2025/02/19"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects when a user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has
+been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An
+adversary may send a phishing email to the victim with a Drive object link where "copy" is included in the URI, thus
+copying the object to the victim's drive. If a container-bound script exists within the object, execution will require
+permission access via OAuth in which the user has to accept.
+"""
+false_positives = [
+    """
+    Google Workspace users typically share Drive resources with a shareable link where parameters are edited to indicate
+    when it is viewable or editable by the intended recipient. It is uncommon for a user in an organization to manually
+    copy a Drive object from an external drive to their corporate drive. This may happen where users find a useful
+    spreadsheet in a public drive, for example, and replicate it to their Drive. It is uncommon for the copied object to
+    execute a container-bound script either unless the user was intentionally aware, suggesting the object uses
+    container-bound scripts to accomplish a legitimate task.
+    """,
+]
+from = "now-9m"
+index = ["filebeat-*", "logs-google_workspace*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Google Workspace Object Copied to External Drive with App Consent"
+note = """## Triage and analysis
+
+### Investigating Google Workspace Object Copied to External Drive with App Consent
+
+Google Workspace users can share access to Drive objects such as documents, sheets, and forms via email delivery or a shared link. Shared link URIs have parameters like `view` or `edit` to indicate the recipient's permissions. The `copy` parameter allows the recipient to copy the object to their own Drive, which grants the object with the same privileges as the recipient. Specific objects in Google Drive allow container-bound scripts that run on Google's Apps Script platform. Container-bound scripts can contain malicious code that executes with the recipient's privileges if in their Drive.
+
+This rule aims to detect when a user copies an external Drive object to their Drive storage and then grants permissions to a custom application via OAuth prompt.
+
+#### Possible investigation steps
+- Identify user account(s) associated by reviewing `user.name` or `source.user.email` in the alert.
+- Identify the name of the file copied by reviewing `file.name` as well as the `file.id` for triaging.
+- Identify the file type by reviewing `google_workspace.drive.file.type`.
+- With the information gathered so far, query across data for the file metadata to determine if this activity is isolated or widespread.
+- Within the OAuth token event, identify the application name by reviewing `google_workspace.token.app_name`.
+    - Review the application ID as well from `google_workspace.token.client.id`.
+    - This metadata can be used to report the malicious application to Google for permanent blacklisting.
+- Identify the permissions granted to the application by the user by reviewing `google_workspace.token.scope.data.scope_name`.
+    - This information will help pivot and triage into what services may have been affected.
+- If a container-bound script was attached to the copied object, it will also exist in the user's drive.
+    - This object should be removed from all users affected and investigated for a better understanding of the malicious code.
+
+### False positive analysis
+- Communicate with the affected user to identify if these actions were intentional
+- If a container-bound script exists, review code to identify if it is benign or malicious
+
+### Response and remediation
+- Initiate the incident response process based on the outcome of the triage.
+- Disable or limit the account during the investigation and response.
+- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
+    - Identify the account role in the cloud environment.
+    - Assess the criticality of affected services and servers.
+    - Work with your IT team to identify and minimize the impact on users.
+    - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
+    - Identify any regulatory or legal ramifications related to this activity.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
+    - Resetting passwords will revoke OAuth tokens which could have been stolen.
+- Reactivate multi-factor authentication for the user.
+- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
+- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+## Setup
+
+The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+### Important Information Regarding Google Workspace Event Lag Times
+- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
+- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
+- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
+- See the following references for further information:
+  - https://support.google.com/a/answer/7061566
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
+references = [
+    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two",
+    "https://developers.google.com/apps-script/guides/bound",
+    "https://support.google.com/a/users/answer/13004165#share_make_a_copy_links",
+]
+risk_score = 47
+rule_id = "f33e68a4-bd19-11ed-b02f-f661ea17fbcc"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: Google Workspace",
+    "Tactic: Initial Access",
+    "Resources: Investigation Guide",
+]
+type = "eql"
+
+query = '''
+sequence by source.user.email with maxspan=3m
+[file where event.dataset == "google_workspace.drive" and event.action == "copy" and
+
+    /* Should only match if the object lives in a Drive that is external to the user's GWS organization */
+    google_workspace.drive.owner_is_team_drive == "false" and google_workspace.drive.copy_type == "external" and
+
+    /* Google Script, Forms, Sheets and Document can have container-bound scripts */
+    google_workspace.drive.file.type: ("script", "form", "spreadsheet", "document")]
+
+[any where event.dataset == "google_workspace.token" and event.action == "authorize" and
+
+    /* Ensures application ID references custom app in Google Workspace and not GCP */
+    google_workspace.token.client.id : "*apps.googleusercontent.com"]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+

nldcsc_elastic_rules/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml

@@ -0,0 +1,111 @@
+[metadata]
+creation_date = "2020/11/17"
+integration = ["google_workspace"]
+maturity = "production"
+updated_date = "2024/09/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious
+application to an organization’s Google Workspace domain in order to maintain a presence in their target’s organization
+and steal data.
+"""
+false_positives = [
+    """
+    Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration
+    change was expected. Exceptions can be added to this rule to filter expected behavior.
+    """,
+]
+from = "now-130m"
+index = ["filebeat-*", "logs-google_workspace*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License v2"
+name = "Application Added to Google Workspace Domain"
+note = """## Triage and analysis
+
+### Investigating Application Added to Google Workspace Domain
+
+Google Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or on Google Apps Script and created by both Google and third-party developers.
+
+Marketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.
+
+Google clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.
+
+This rule checks for applications that were manually added to the Marketplace by a Google Workspace account.
+
+#### Possible investigation steps
+
+- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.
+- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.
+- With access to the Google Workspace admin console, visit the `Security > Investigation tool` with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.
+- With the user account, review other potentially related events within the last 48 hours.
+- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.
+- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.
+
+### False positive analysis
+
+- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.
+- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.
+- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Disable or limit the account during the investigation and response.
+- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
+    - Identify the account role in the cloud environment.
+    - Assess the criticality of affected services and servers.
+    - Work with your IT team to identify and minimize the impact on users.
+    - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
+    - Identify any regulatory or legal ramifications related to this activity.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
+- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
+- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+## Setup
+
+The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+### Important Information Regarding Google Workspace Event Lag Times
+- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
+- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
+- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
+- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
+- See the following references for further information:
+  - https://support.google.com/a/answer/7061566
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
+references = [
+    "https://support.google.com/a/answer/6328701?hl=en#",
+    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
+risk_score = 47
+rule_id = "785a404b-75aa-4ffd-8be5-3334a5a544dd"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: Google Workspace",
+    "Use Case: Configuration Audit",
+    "Tactic: Persistence",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+

nldcsc_elastic_rules/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml

@@ -0,0 +1,116 @@
+[metadata]
+creation_date = "2022/08/26"
+integration = ["google_workspace"]
+maturity = "production"
+updated_date = "2024/09/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Google Workspace admins may setup 2-step verification (2SV) to add an extra layer of security to user accounts by asking
+users to verify their identity when they use login credentials. Admins have the ability to enforce 2SV from the admin
+console as well as the methods acceptable for verification and enrollment period. 2SV requires enablement on admin
+accounts prior to it being enabled for users within organization units. Adversaries may disable 2SV to lower the
+security requirements to access a valid account.
+"""
+false_positives = [
+    """
+    Administrators may remove 2-step verification (2SV) temporarily for testing or during maintenance. If 2SV was
+    previously enabled, it is not common to disable this policy for extended periods of time.
+    """,
+]
+from = "now-130m"
+index = ["filebeat-*", "logs-google_workspace*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License v2"
+name = "Google Workspace 2SV Policy Disabled"
+note = """## Triage and analysis
+
+### Investigating Google Workspace 2SV Policy Disabled
+
+Google Workspace administrators manage password policies to enforce password requirements for an organization's compliance needs. Administrators have the capability to set restrictions on password length, reset frequencies, reuse capability, expiration, and much more. Google Workspace also allows multi-factor authentication (MFA) and 2-step verification (2SV) for authentication. 2SV allows users to verify their identity using security keys, Google prompt, authentication codes, text messages, and more.
+
+2SV adds an extra authentication layer for Google Workspace users to verify their identity. If 2SV or MFA aren't implemented, users only authenticate with their user name and password credentials. This authentication method has often been compromised and can be susceptible to credential access techniques when weak password policies are used.
+
+This rule detects when a 2SV policy is disabled in Google Workspace.
+
+#### Possible investigation steps
+
+- Identify the associated user account(s) by reviewing `user.name` or `source.user.email` in the alert.
+- Identify what password setting was created or adjusted by reviewing `google_workspace.admin.setting.name`.
+- Review if a password setting was enabled or disabled by reviewing `google_workspace.admin.new_value` and `google_workspace.admin.old_value`.
+- After identifying the involved user account, verify administrative privileges are scoped properly.
+- Filter `event.dataset` for `google_workspace.login` and aggregate by `user.name`, `event.action`.
+  - The `google_workspace.login.challenge_method` field can be used to identify the challenge method that was used for failed and successful logins.
+
+### False positive analysis
+
+- After finding the user account that updated the password policy, verify whether the action was intentional.
+- Verify whether the user should have Google Workspace administrative privileges that allow them to modify password policies.
+- Review organizational units or groups the role may have been added to and ensure its privileges are properly aligned.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Disable or limit the account during the investigation and response.
+- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
+    - Identify the account role in the cloud environment.
+    - Assess the criticality of affected services and servers.
+    - Work with your IT team to identify and minimize the impact on users.
+    - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
+    - Identify any regulatory or legal ramifications related to this activity.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
+- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
+- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+## Setup
+
+The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+### Important Information Regarding Google Workspace Event Lag Times
+- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
+- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
+- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
+- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
+- See the following references for further information:
+  - https://support.google.com/a/answer/7061566
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
+references = [
+    "https://support.google.com/a/answer/9176657?hl=en",
+    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
+risk_score = 47
+rule_id = "5e161522-2545-11ed-ac47-f661ea17fbce"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: Google Workspace",
+    "Use Case: Configuration Audit",
+    "Tactic: Persistence",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:"google_workspace.login" and event.action:"2sv_disable"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+

nldcsc_elastic_rules/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml

@@ -0,0 +1,125 @@
+[metadata]
+creation_date = "2020/11/17"
+integration = ["google_workspace"]
+maturity = "production"
+updated_date = "2024/09/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Assigning the administrative role to a user will grant them access to the Google Admin console and grant them
+administrator privileges which allow them to access and manage various resources and applications. An adversary may
+create a new administrator account for persistence or apply the admin role to an existing user to carry out further
+intrusion efforts. Users with super-admin privileges can bypass single-sign on if enabled in Google Workspace.
+"""
+false_positives = [
+    """
+    Google Workspace admin role assignments may be modified by system administrators. Verify that the configuration
+    change was expected. Exceptions can be added to this rule to filter expected behavior.
+    """,
+]
+from = "now-130m"
+index = ["filebeat-*", "logs-google_workspace*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License v2"
+name = "Google Workspace Admin Role Assigned to a User"
+note = """## Triage and analysis
+
+### Investigating Google Workspace Admin Role Assigned to a User
+
+Google Workspace roles allow administrators to assign specific permissions to users or groups. These assignments should follow the principle of least privilege (PoLP). Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created when prebuilt roles are not sufficient.
+
+Administrator roles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Administrative roles also give users access to the admin console, where domain-wide settings can be adjusted. Threat actors might rely on these new privileges to advance their intrusion efforts and laterally move throughout the organization. Users with unexpected administrative privileges may also cause operational dysfunction if unfamiliar settings are adjusted without warning.
+
+This rule identifies when a Google Workspace administrative role is assigned to a user.
+
+#### Possible investigation steps
+
+- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.
+  - The `user.target.email` field contains the user who received the admin role.
+- Identify the role given to the user by reviewing the `google_workspace.admin.role.name` field in the alert.
+- After identifying the involved user, verify their administrative privileges are scoped properly.
+- To identify other users with this role, search the alert for `event.action: ASSIGN_ROLE`.
+  - Add `google_workspace.admin.role.name` with the role added as an additional filter.
+  - Adjust the relative time accordingly to identify all users that were assigned this admin role.
+- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.
+  - Add `user.email` with the target user account that recently received this new admin role.
+- After identifying the involved user, create a filter with their `user.name` or `user.target.email`. Review the last 48 hours of their activity for anything that may indicate a compromise.
+
+### False positive analysis
+
+- After identifying user account that added the admin role, verify the action was intentional.
+- Verify that the target user who was assigned the admin role should have administrative privileges in Google Workspace.
+- Review organizational units or groups the target user might have been added to and ensure the admin role permissions align.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Disable or limit the account during the investigation and response.
+- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
+    - Identify the account role in the cloud environment.
+    - Assess the criticality of affected services and servers.
+    - Work with your IT team to identify and minimize the impact on users.
+    - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
+    - Identify any regulatory or legal ramifications related to this activity.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
+- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
+- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+## Setup
+
+The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+### Important Information Regarding Google Workspace Event Lag Times
+- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
+- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
+- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
+- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
+- See the following references for further information:
+  - https://support.google.com/a/answer/7061566
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
+references = [
+    "https://support.google.com/a/answer/172176?hl=en",
+    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
+risk_score = 73
+rule_id = "68994a6c-c7ba-4e82-b476-26a26877adf6"
+severity = "high"
+tags = [
+    "Domain: Cloud",
+    "Data Source: Google Workspace",
+    "Use Case: Identity and Access Audit",
+    "Tactic: Persistence",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:"google_workspace.admin" and event.category:"iam" and event.action:"ASSIGN_ROLE"
+  and google_workspace.event.type:"DELEGATED_ADMIN_SETTINGS" and google_workspace.admin.role.name : *_ADMIN_ROLE
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+

nldcsc_elastic_rules/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml

@@ -0,0 +1,117 @@
+[metadata]
+creation_date = "2020/11/12"
+integration = ["google_workspace"]
+maturity = "production"
+updated_date = "2024/09/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be
+configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may
+configure domain-wide delegation to maintain access to their target’s data.
+"""
+false_positives = [
+    """
+    Domain-wide delegation of authority may be granted to service accounts by system administrators. Verify that the
+    configuration change was expected. Exceptions can be added to this rule to filter expected behavior.
+    """,
+]
+from = "now-9m"
+index = ["filebeat-*", "logs-google_workspace*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Google Workspace API Access Granted via Domain-Wide Delegation"
+note = """## Triage and analysis
+
+### Investigating Google Workspace API Access Granted via Domain-Wide Delegation
+
+Domain-wide delegation is a feature that allows apps to access users' data across an organization's Google Workspace environment. Only super admins can manage domain-wide delegation, and they must specify each API scope that the application can access. Google Workspace services all have APIs that can be interacted with after domain-wide delegation is established with an OAuth2 client ID of the application. Typically, GCP service accounts and applications are created where the Google Workspace APIs are enabled, thus allowing the application to access resources and services in Google Workspace.
+
+Applications authorized to interact with Google Workspace resources and services through APIs have a wide range of capabilities depending on the scopes applied. If the principle of least privilege (PoLP) is not practiced when setting API scopes, threat actors could abuse additional privileges if the application is compromised. New applications created and given API access could indicate an attempt by a threat actor to register their malicious application with the Google Workspace domain in an attempt to establish a command and control foothold.
+
+This rule identifies when an application is authorized API client access.
+
+#### Possible investigation steps
+
+- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.
+  - Only users with super admin privileges can authorize API client access.
+- Identify the API client name by reviewing the `google_workspace.admin.api.client.name` field in the alert.
+  - If GCP audit logs are ingested, pivot to reviewing the last 48 hours of activity related to the service account ID.
+  - Search for the `google_workspace.admin.api.client.name` value with wildcards in the `gcp.audit.resource_name` field.
+  - Search for API client name and aggregated results on `event.action` to determine what the service account is being used for in GWS.
+- After identifying the involved user, verify super administrative privileges to access domain-wide delegation settings.
+
+### False positive analysis
+
+- Changes to domain-wide delegation require super admin privileges. Check with the user to ensure these changes were expected.
+- Review scheduled maintenance notes related to expected API access changes.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Review the scope of the authorized API client access in Google Workspace.
+- Disable or limit the account during the investigation and response.
+- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
+    - Identify the account role in the cloud environment.
+    - Assess the criticality of affected services and servers.
+    - Work with your IT team to identify and minimize the impact on users.
+    - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
+    - Identify any regulatory or legal ramifications related to this activity.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
+- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
+- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+## Setup
+
+The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+### Important Information Regarding Google Workspace Event Lag Times
+- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
+- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
+- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
+- See the following references for further information:
+  - https://support.google.com/a/answer/7061566
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
+references = [
+    "https://developers.google.com/admin-sdk/directory/v1/guides/delegation",
+    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
+risk_score = 47
+rule_id = "acbc8bb9-2486-49a8-8779-45fb5f9a93ee"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: Google Workspace",
+    "Use Case: Identity and Access Audit",
+    "Resources: Investigation Guide",
+    "Tactic: Persistence",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:google_workspace.admin
+  and event.provider:admin
+  and event.category:iam
+  and event.action:AUTHORIZE_API_CLIENT_ACCESS
+  and event.outcome:success
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+