diff --git a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
index 63bea146c32..a51f8119e83 100644
--- a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
+++ b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/02/16"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/05/22"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-130m"
-index = ["filebeat-*", "logs-google_workspace*"]
+index = ["filebeat-*", "logs-google_workspace.admin-*"]
 interval = "10m"
 language = "eql"
 license = "Elastic License v2"
@@ -33,7 +33,7 @@ Threat actors may use phishing techniques and container-bound scripts to add ext
 This rule identifies when an external user account is added to an organization's groups where the domain name of the target does not match the Google Workspace domain.
-#### Possible investigation steps
+### Possible investigation steps
 - Identify user account(s) associated by reviewing `user.name` or `user.email` in the alert
 - The `user.target.email` field contains the user added to the groups
 - The `group.name` field contains the group the target user was added to
@@ -81,7 +81,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 references = [
 "https://support.google.com/a/answer/33329",
 "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
-"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two",
 ]
 risk_score = 47
 rule_id = "38f384e0-aef8-11ed-9a38-f661ea17fbcc"
@@ -91,44 +91,58 @@ tags = [
 "Data Source: Google Workspace",
 "Use Case: Identity and Access Audit",
 "Tactic: Initial Access",
+ "Tactic: Persistence",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-iam where data_stream.dataset == "google_workspace.admin" and event.action == "ADD_GROUP_MEMBER" and
- not endsWith(user.target.email, user.target.group.domain)
+iam where data_stream.dataset == "google_workspace.admin" and google_workspace.event.type: "GROUP_SETTINGS" and event.action == "ADD_GROUP_MEMBER" and
+ not endsWith(user.target.domain, user.target.group.domain)
 '''
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "user.name",
+ "user.email",
+ "source.ip",
+ "google_workspace.actor.type",
+ "user.target.email",
+ "google_workspace.admin.group.email",
+ "event.action",
+ "cloud.account.id",
+]
+
diff --git a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
index 02aa104ebec..4694d477927 100644
--- a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
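Review bot: The new condition `not endsWith(user.target.domain, user.target.group.domain)` still treats any domain whose name merely ends with the group's domain as internal, so a lookalike such as `evilexample.com` against `example.com` (constructed example) would never alert; now that the comparison is domain-to-domain rather than email-to-domain, an exact match plus a dotted-suffix check is tighter: `not (user.target.domain == user.target.group.domain or endsWith(user.target.domain, concat(".", user.target.group.domain)))`. EQL's `endsWith` returns `null` when either argument is `null` and a `null` condition does not match, so events where the source does not populate `user.target.domain` silently stop firing; worth confirming the field is set for every `ADD_GROUP_MEMBER` event from both the Fleet integration and the Filebeat module, since `filebeat-*` stays in `index`. The new `[rule.investigation_fields]` list omits `user.target.domain` and `user.target.group.domain`, the two fields the rule actually compares, so an analyst cannot see why the alert fired without opening the raw event. Mixing the case-insensitive `:` operator on `google_workspace.event.type` with `==` everywhere else in the same query is also inconsistent; `==` matches the rest of the expression.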
+++ b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/05/22"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-130m"
-index = ["filebeat-*", "logs-google_workspace*"]
+index = ["filebeat-*", "logs-google_workspace.admin-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -72,7 +72,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 references = [
 "https://support.google.com/a/answer/1110339",
 "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
-"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two",
 ]
 risk_score = 21
 rule_id = "00678712-b2df-11ed-afe9-f661ea17fbcc"
@@ -82,53 +82,66 @@ tags = [
 "Data Source: Google Workspace",
 "Use Case: Identity and Access Audit",
 "Tactic: Initial Access",
+ "Tactic: Persistence",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "query"
 query = '''
-data_stream.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER
+data_stream.dataset: google_workspace.admin and google_workspace.event.type: "USER_SETTINGS" and event.action: "UNSUSPEND_USER"
 '''
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "user.name",
+ "user.email",
+ "source.ip",
+ "google_workspace.actor.type",
+ "user.target.email",
+ "event.action",
+ "cloud.account.id",
+]
+
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
index 93306674bed..ebc9c797206 100644
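Review bot: The rewritten KQL leaves `data_stream.dataset: google_workspace.admin` unquoted while the two other values on the same line are quoted and the organizational-unit rule in this same commit writes `data_stream.dataset:"google_workspace.admin"`; for consistency across the three rules use `data_stream.dataset: "google_workspace.admin"`. The added `google_workspace.event.type: "USER_SETTINGS"` clause is a hard filter, and `filebeat-*` remains in `index`, so it is worth confirming that events arriving through the Filebeat module path populate that field the same way the Fleet integration does, otherwise `UNSUSPEND_USER` events from that path stop matching without any error. Dropping `event.category:iam` is unlikely to widen the match given the specific `event.action` value, but the rule description (outside this hunk) should be checked so it no longer describes the removed category filter.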
--- a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/06"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/05/22"
 [rule]
 author = ["Elastic"]
@@ -14,12 +14,12 @@ applications and resources inaccessible prior to.
 """
 false_positives = [
 """
- Google Workspace administrators may adjust change which organizational unit a user belongs to as a result of
- internal role adjustments.
+ Google Workspace administrators may change which organizational unit a user belongs to as a result of internal role
+ adjustments.
 """,
 ]
 from = "now-130m"
-index = ["filebeat-*", "logs-google_workspace*"]
+index = ["filebeat-*", "logs-google_workspace.admin-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -34,7 +34,7 @@ Permissions and privileges for users are often inherited from the organizational
 This rule identifies when a user has been moved to a different organizational unit.
-#### Possible investigation steps
+### Possible investigation steps
 - Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.
 - The `user.target.email` field contains the user that had their assigned organizational unit switched.
@@ -83,7 +83,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 references = [
 "https://support.google.com/a/answer/6328701?hl=en#",
 "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
-"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two",
 ]
 risk_score = 21
 rule_id = "cc6a8a20-2df2-11ed-8378-f661ea17fbce"
@@ -93,49 +93,63 @@ tags = [
 "Data Source: Google Workspace",
 "Use Case: Configuration Audit",
 "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "query"
 query = '''
-data_stream.dataset:"google_workspace.admin" and event.type:change and event.category:iam
- and google_workspace.event.type:"USER_SETTINGS" and event.action:"MOVE_USER_TO_ORG_UNIT"
+data_stream.dataset:"google_workspace.admin" and google_workspace.event.type:"USER_SETTINGS" and event.action:"MOVE_USER_TO_ORG_UNIT"
 '''
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "user.name",
+ "user.email",
+ "source.ip",
+ "google_workspace.actor.type",
+ "user.target.email",
+ "google_workspace.admin.org_unit.name",
+ "google_workspace.admin.new_value",
+ "event.action",
+ "cloud.account.id",
+]
+
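Review bot: The rewritten `query` folds what was a two-line KQL expression into a single line of well over 120 characters, whereas the EQL rule in this same commit keeps its `and` continuation on a second line; since the value sits inside a `'''` literal, wrapping costs nothing: `data_stream.dataset:"google_workspace.admin" and google_workspace.event.type:"USER_SETTINGS"` followed by `  and event.action:"MOVE_USER_TO_ORG_UNIT"`. Removing `event.type:change and event.category:iam` is unlikely to widen the match given the specific `event.action` value, but it does mean the rule now relies solely on `google_workspace.event.type` being populated, which should be confirmed for the Filebeat module path since `filebeat-*` remains in `index`. The rule description (outside this hunk) should also be checked so it no longer refers to the removed category and type filters.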