From 5ac4642f07708223f7bce018a5be907844ed8497 Mon Sep 17 00:00:00 2001 From: Isai <59296946+imays11@users.noreply.github.com> Date: Fri, 22 May 2026 15:53:08 -0400 Subject: [PATCH] [Rule Tunings] GWS Rule Tunings (small changes) Small changes to the following rules. All are performing as expected in telemetry, no major query changes needed. ### ALL - made index more specific `logs-google_workspace.admin*` - updated tags to include additional MITRE mapping - removed any unnecessary query filters, opting for only `data_stream.dataset` and `google_workspace.event.type` - added highlighted fields **I've kept the long `from` window to account for the 2 hour default lag time used by Filebeat, we've submitted a request to change this and will change our default rule settings when this changes.** ### External User Added to Google Workspace Group - changed the query to compare the shorter field `user.target.domain` vs the longer field `user.target.email`. Essentially the same comparison is being made just with a smaller field. Screenshot below shows the still working query. Tested all the Rules manually, test data is in our shared stack. --- ..._user_added_to_google_workspace_group.toml | 34 +++++++++++----- ...ogle_workspace_suspended_user_renewed.toml | 31 +++++++++----- ...pace_user_organizational_unit_changed.toml | 40 +++++++++++++------ 3 files changed, 73 insertions(+), 32 deletions(-) diff --git a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml index 63bea146c32..a51f8119e83 100644 --- a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml +++ b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/02/16" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/04/10" +updated_date = "2026/05/22" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ """, ] from = "now-130m" -index = ["filebeat-*", "logs-google_workspace*"] +index = ["filebeat-*", "logs-google_workspace.admin-*"] interval = "10m" language = "eql" license = "Elastic License v2" @@ -33,7 +33,7 @@ Threat actors may use phishing techniques and container-bound scripts to add ext This rule identifies when an external user account is added to an organization's groups where the domain name of the target does not match the Google Workspace domain. -#### Possible investigation steps +### Possible investigation steps - Identify user account(s) associated by reviewing `user.name` or `user.email` in the alert - The `user.target.email` field contains the user added to the groups - The `group.name` field contains the group the target user was added to @@ -81,7 +81,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured references = [ "https://support.google.com/a/answer/33329", "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two", ] risk_score = 47 rule_id = "38f384e0-aef8-11ed-9a38-f661ea17fbcc" 
@@ -91,44 +91,58 @@ tags = [ "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Tactic: Initial Access", + "Tactic: Persistence", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql" query = ''' -iam where data_stream.dataset == "google_workspace.admin" and event.action == "ADD_GROUP_MEMBER" and - not endsWith(user.target.email, user.target.group.domain) +iam where data_stream.dataset == "google_workspace.admin" and google_workspace.event.type: "GROUP_SETTINGS" and event.action == "ADD_GROUP_MEMBER" and + not endsWith(user.target.domain, user.target.group.domain) ''' [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[rule.investigation_fields] +field_names = [ + "@timestamp", + "user.name", + "user.email", + "source.ip", + "google_workspace.actor.type", + "user.target.email", + "google_workspace.admin.group.email", + "event.action", + "cloud.account.id", +] + diff --git a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml index 02aa104ebec..4694d477927 100644 --- a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml 
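Review bot: The new `not endsWith(user.target.domain, user.target.group.domain)` is still a suffix test, so a target whose domain merely ends with the group's domain (for example `notexample.com` against a group in `example.com`) is treated as internal and never alerts, which is exactly the look-alike external-user case this rule is meant to catch. Now that both sides are bare domains, the exact comparison the rule description promises is simply `user.target.domain != user.target.group.domain`; if subdomains are deliberately meant to count as internal, anchor the suffix on a dot instead: `not (user.target.domain == user.target.group.domain or endsWith(user.target.domain, concat(".", user.target.group.domain)))`. Null handling is the same either way: a missing domain on either side still yields no match, as with the old email-based check. Consider also adding `user.target.domain` and `user.target.group.domain` to `investigation_fields`, since those are the two values the alert actually compares.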
+++ b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/04/10" +updated_date = "2026/05/22" [rule] author = ["Elastic"] @@ -19,7 +19,7 @@ false_positives = [ """, ] from = "now-130m" -index = ["filebeat-*", "logs-google_workspace*"] +index = ["filebeat-*", "logs-google_workspace.admin-*"] interval = "10m" language = "kuery" license = "Elastic License v2" @@ -72,7 +72,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured references = [ "https://support.google.com/a/answer/1110339", "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two", ] risk_score = 21 rule_id = "00678712-b2df-11ed-afe9-f661ea17fbcc" 
@@ -82,53 +82,66 @@ tags = [ "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Tactic: Initial Access", + "Tactic: Persistence", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "query" query = ''' -data_stream.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER +data_stream.dataset: google_workspace.admin and google_workspace.event.type: "USER_SETTINGS" and event.action: "UNSUSPEND_USER" ''' [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[rule.investigation_fields] +field_names = [ + "@timestamp", + "user.name", + "user.email", + "source.ip", + "google_workspace.actor.type", + "user.target.email", + "event.action", + "cloud.account.id", +] + diff --git a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml index 93306674bed..ebc9c797206 100644 
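Review bot: The rewritten KQL leaves the dataset value unquoted with a space after the colon (`data_stream.dataset: google_workspace.admin`) while the organizational-unit rule in this same change writes `data_stream.dataset:"google_workspace.admin"` with no space; since the point of this PR is to normalize the three queries, they should share one form. Quoting matches the other rule and avoids relying on unquoted-value parsing for a value containing a dot: `data_stream.dataset:"google_workspace.admin" and google_workspace.event.type:"USER_SETTINGS" and event.action:"UNSUSPEND_USER"`. Note that the added `google_workspace.event.type` clause is now the only scoping beyond the action itself, so if `UNSUSPEND_USER` were ever emitted under a different event type the rule would go silent; this appears to be the intended trade-off, but it is worth recording in the rule notes.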
--- a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml +++ b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/06" integration = ["google_workspace"] maturity = "production" -updated_date = "2026/04/10" +updated_date = "2026/05/22" [rule] author = ["Elastic"] @@ -14,12 +14,12 @@ applications and resources inaccessible prior to. """ false_positives = [ """ - Google Workspace administrators may adjust change which organizational unit a user belongs to as a result of - internal role adjustments. + Google Workspace administrators may change which organizational unit a user belongs to as a result of internal role + adjustments. """, ] from = "now-130m" -index = ["filebeat-*", "logs-google_workspace*"] +index = ["filebeat-*", "logs-google_workspace.admin-*"] interval = "10m" language = "kuery" license = "Elastic License v2" @@ -34,7 +34,7 @@ Permissions and privileges for users are often inherited from the organizational This rule identifies when a user has been moved to a different organizational unit. -#### Possible investigation steps +### Possible investigation steps - Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert. - The `user.target.email` field contains the user that had their assigned organizational unit switched. @@ -83,7 +83,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured references = [ "https://support.google.com/a/answer/6328701?hl=en#", "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", - "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two" + "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two", ] risk_score = 21 rule_id = "cc6a8a20-2df2-11ed-8378-f661ea17fbce" 
@@ -93,49 +93,63 @@ tags = [ "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Persistence", + "Tactic: Privilege Escalation", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "query" query = ''' -data_stream.dataset:"google_workspace.admin" and event.type:change and event.category:iam - and google_workspace.event.type:"USER_SETTINGS" and event.action:"MOVE_USER_TO_ORG_UNIT" +data_stream.dataset:"google_workspace.admin" and google_workspace.event.type:"USER_SETTINGS" and event.action:"MOVE_USER_TO_ORG_UNIT" ''' [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[rule.investigation_fields] +field_names = [ + "@timestamp", + "user.name", + "user.email", + "source.ip", + "google_workspace.actor.type", + "user.target.email", + "google_workspace.admin.org_unit.name", + "google_workspace.admin.new_value", + "event.action", + "cloud.account.id", +] +
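Review bot: The new `investigation_fields` list highlights `google_workspace.admin.org_unit.name` and `google_workspace.admin.new_value` but not the organizational unit the user was moved from, which is what an analyst needs to decide whether a `MOVE_USER_TO_ORG_UNIT` was a privilege gain, now that the rule is also tagged Privilege Escalation. If the integration populates `google_workspace.admin.old_value` for this action (the admin audit log carries an `OLD_VALUE` parameter alongside `NEW_VALUE`), add `"google_workspace.admin.old_value",` directly after `"google_workspace.admin.new_value",`; confirm against the shared test data before relying on it. The query hunk drops `event.type:change` and `event.category:iam`, so `google_workspace.event.type:"USER_SETTINGS"` alone now scopes the action; if the rule notes outside this hunk still reference `event.category`, they should be updated to match.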