Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[New Rule] Google Workspace User Group Access Modified to Allow External Access #4130

Open
brokensound77 opened this issue Oct 2, 2024 · 0 comments
Open

[New Rule] Google Workspace User Group Access Modified to Allow External Access #4130

brokensound77 opened this issue Oct 2, 2024 · 0 comments
Assignees
@brokensound77
Labels
Rule: New Proposal for new rule Team: TRADE

Comments

@brokensound77
Copy link
Contributor

Description

User groups in Google Workspace are created to help manage users permissions and access to various resources and applications. The security label is only applied to a group when users within that group are expected to access sensitive data and/or resources so administrators add this label to easily manage security groups better. Adversaries with administrator access may modify a security group to allow external access from members outside the organization. This detection does not capture all modifications to security groups, but only those that could increase the risks associated with them.

Similar to internal rule 157f0e02-0209-40de-a69a-0b2c205f0952

Target Ruleset

google_workspace

Target Rule Type

Custom (KQL or Lucene)

Tested ECS Version

No response

Query

event.dataset:"google_workspace.admin" and event.action:"CHANGE_GROUP_SETTING" and event.category:"iam" and 
  (
    (google_workspace.admin.setting.name:"ALLOW_EXTERNAL_MEMBERS" and google_workspace.admin.new_value:"true") or
    (
      google_workspace.admin.setting.name:"WHO_CAN_JOIN" and not 
        (google_workspace.admin.new_value:"INVITED_CAN_JOIN" or google_workspace.admin.new_value:"CAN_REQUEST_TO_JOIN")
    )
  )

New fields required in ECS/data sources for this rule?

No response

Related issues or PRs

No response

References

No response

Redacted Example Data

No response
@brokensound77 brokensound77 added Rule: New Proposal for new rule Team: TRADE labels Oct 2, 2024
@brokensound77 brokensound77 self-assigned this Oct 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@brokensound77 brokensound77

Labels
Rule: New Proposal for new rule Team: TRADE
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@brokensound77