Merge pull request #4657 from socprime/gworkspace_analytic_content_upd

Google Workspace analytic content update
2022-05-23 15:10:48 +05:30 · 2022-05-23 15:10:48 +05:30 · d1e500c3de
--- a/Rules/GWorkspaceAdminPermissionsGranted.yaml
+++ b/Rules/GWorkspaceAdminPermissionsGranted.yaml
@ -24,5 +24,5 @@ entityMappings:
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Solutions/GoogleWorkspaceReports/Analytic
+++ b/Solutions/GoogleWorkspaceReports/Analytic
@ -17,7 +17,7 @@ relevantTechniques:
  - T1190
  - T1133
 query: |
-  GWorkspaceActivityReports 
+  GWorkspaceActivityReports
  | where EventType has "ALERT_CENTER"
  | extend AccountCustomEntity = ActorEmail
 entityMappings:
@ -25,5 +25,5 @@ entityMappings:
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Rules/GWorkspaceApiAccessToNewClient.yaml
+++ b/Rules/GWorkspaceApiAccessToNewClient.yaml
@ -25,5 +25,5 @@ entityMappings:
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Solutions/GoogleWorkspaceReports/Analytic
+++ b/Solutions/GoogleWorkspaceReports/Analytic
@ -24,5 +24,5 @@ entityMappings:
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Rules/GWorkspaceDifferentUAsFromSingleIP.yaml
+++ b/Rules/GWorkspaceDifferentUAsFromSingleIP.yaml
@ -20,18 +20,14 @@ relevantTechniques:
 query: |
  let threshold = 5;
  GWorkspaceActivityReports
-  | summarize makeset(UserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 5m)
-  | extend ua_count = array_length(set_UserAgentOriginal)
-  | where ua_count > threshold
-  | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = set_UserAgentOriginal
+  | where isnotempty(UserAgentOriginal)
+  | summarize user_ua = makeset(UserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 5m)
+  | where array_length(user_ua) > threshold
+  | extend IPCustomEntity = SrcIpAddr
 entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-  - entityType: URL
-    fieldMappings:
-      - identifier: Url
-        columnName: UrlCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Rules/GWorkspaceOutboundRelayAddedToSuiteDomain.yaml
+++ b/Rules/GWorkspaceOutboundRelayAddedToSuiteDomain.yaml
@ -17,7 +17,6 @@ relevantTechniques:
  - T1114
 query: |
  GWorkspaceActivityReports
-  | where isnotempty(EventMessage)
  | where EventMessage has "TOGGLE_OUTBOUND_RELAY"
  | extend AccountCustomEntity = ActorEmail
 entityMappings:
@ -25,5 +24,5 @@ entityMappings:
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Solutions/GoogleWorkspaceReports/Analytic
+++ b/Solutions/GoogleWorkspaceReports/Analytic
@ -27,5 +27,5 @@ entityMappings:
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Rules/GWorkspacePossibleMaldocFileNamesInGDRIVE.yaml
+++ b/Rules/GWorkspacePossibleMaldocFileNamesInGDRIVE.yaml
@ -2,7 +2,7 @@ id: d80d02a8-5da6-11ec-bf63-0242ac130002
 name: GWorkspace - Possible maldoc file name in Google drive
 description: |
  'Detects possible maldoc file name in Google drive.'
-severity: Low
+severity: Medium
 requiredDataConnectors:
  - connectorId: GoogleWorkspaceReportsAPI
    dataTypes:
@ -29,5 +29,5 @@ entityMappings:
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Rules/GWorkspaceTwoStepAuthenticationDisabledForUser.yaml
+++ b/Rules/GWorkspaceTwoStepAuthenticationDisabledForUser.yaml
@ -1,7 +1,7 @@
 id: c8cc02d0-5da6-11ec-bf63-0242ac130002
-name: GWorkspace - Two-step authentification disabled for user
+name: GWorkspace - Two-step authentification disabled for a user
 description: |
-  'Triggers on two-step authentification disabled for user.'
+  'Triggers on two-step authentification disabled for a user.'
 severity: Medium
 requiredDataConnectors:
  - connectorId: GoogleWorkspaceReportsAPI
--- a/Solutions/GoogleWorkspaceReports/Analytic
+++ b/Solutions/GoogleWorkspaceReports/Analytic
@ -15,7 +15,7 @@ tactics:
  - PrivilegeEscalation
 query: |
  GWorkspaceActivityReports
-  | where EventMessage contains "os_updated"
+  | where EventMessage has "os_updated"
  | where isnotempty(NeqValue) and isnotempty(OldValue)
  | extend NewVersion1 = extract(@'([0-9]+)\.([0-9]+)\.?([0-9])?', 1, NeqValue)
  | extend NewVersion2 = extract(@'([0-9]+)\.([0-9]+)\.?([0-9])?', 2, NeqValue)
@ -35,5 +35,5 @@ entityMappings:
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Queries/GWorkspaceDocumentSharedExternally.yaml
+++ b/Queries/GWorkspaceDocumentSharedExternally.yaml
@ -16,8 +16,8 @@ relevantTechniques:
 query: |
  GWorkspaceActivityReports 
  | where TimeGenerated > ago(24h)
-  | where Visibility =~ 'shared_externally'
  | where EventType =~ 'acl_change'
+  | where Visibility =~ 'shared_externally'
  | extend AccountCustomEntity = ActorEmail
 entityMappings:
  - entityType: Account
--- a/Queries/GWorkspaceDocumentSharedPublicilyWithLink.yaml
+++ b/Queries/GWorkspaceDocumentSharedPublicilyWithLink.yaml
@ -16,8 +16,8 @@ relevantTechniques:
 query: |
  GWorkspaceActivityReports 
  | where TimeGenerated > ago(24h)
-  | where Visibility =~ 'people_with_link'
  | where EventType =~ 'acl_change'
+  | where Visibility =~ 'people_with_link'
  | extend AccountCustomEntity = ActorEmail
 entityMappings:
  - entityType: Account
--- a/Solutions/GoogleWorkspaceReports/Hunting
+++ b/Solutions/GoogleWorkspaceReports/Hunting
@ -14,6 +14,7 @@ relevantTechniques:
 query: |
  GWorkspaceActivityReports
  | where TimeGenerated > ago(24h)
+  | where isnotempty(SrcIpAddr)
  | summarize UserIP = make_set(SrcIpAddr) by ActorEmail
  | where array_length(UserIP) > 3
  | extend IPCustomEntity = UserIP
--- a/Solutions/GoogleWorkspaceReports/Hunting
+++ b/Solutions/GoogleWorkspaceReports/Hunting
@ -17,6 +17,7 @@ relevantTechniques:
 query: |
  GWorkspaceActivityReports
  | where TimeGenerated > ago(24h)
+  | where EventType =~ "login"
  | where LoginType has "unknown"
  | extend AccountCustomEntity = ActorEmail
 entityMappings:
--- a/Queries/GWorkspaceUserWithSeveralDevices.yaml
+++ b/Queries/GWorkspaceUserWithSeveralDevices.yaml
@ -14,8 +14,9 @@ relevantTechniques:
 query: |
  GWorkspaceActivityReports
  | where TimeGenerated > ago(24h)
-  | summarize UserDevice = make_set(DvcModelName) by ActorEmail
-  | where array_length(UserDevice) >= 5
+  | where isnotempty(DvcModelName)
+  | summarize UserDevices = make_set(DvcModelName) by ActorEmail
+  | where array_length(UserDevices) >= 5
  | extend AccountCustomEntity = ActorEmail
 entityMappings:
  - entityType: Account