Application Added to Google Workspace Domain

edit

Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization’s Google Workspace domain in order to maintain a presence in their target’s organization and steal data.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-google_workspace*

Severity: medium

Risk score: 47

Runs every: 10 minutes

Searches indices from: now-130m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Google Workspace
  • Continuous Monitoring
  • SecOps
  • Configuration Audit
  • Persistence

Version: 14 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 8.4.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positives

edit

Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.

Investigation guide

edit
### Important Information Regarding Google Workspace Event Lag Times
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
- See the following references for further information:
  - https://support.google.com/a/answer/7061566
  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html

Rule query

edit
event.dataset:google_workspace.admin and event.provider:admin and
event.category:iam and event.action:ADD_APPLICATION

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 14 (8.4.0 release)
  • Formatting only
Version 12 (8.3.0 release)
  • Formatting only
Version 10 (8.2.0 release)
  • Formatting only
Version 6 (8.0.0 release)
  • Updated query, changed from:

    event.dataset:(gsuite.admin or google_workspace.admin) and
    event.provider:admin and event.category:iam and
    event.action:ADD_APPLICATION
Version 5 (7.15.0 release)
  • Formatting only
Version 4 (7.13.0 release)
  • Formatting only
Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.2 release)
  • Formatting only