[New Rule] Google Workspace User Group Access Modified to Allow External Access #4130

Open
brokensound77 opened this issue Oct 2, 2024 · 1 comment
Description

User groups in Google Workspace are created to help manage users' permissions and access to various resources and applications. The security label is only applied to a group when users within that group are expected to access sensitive data and/or resources, so administrators add this label to easily manage security groups better. Adversaries with administrator access may modify a security group to allow external access from members outside the organization. This detection does not capture all modifications to security groups, but only those that could increase the risks associated with them.

Similar to internal rule 157f0e02-0209-40de-a69a-0b2c205f0952

Target Ruleset

google_workspace

Target Rule Type

Custom (KQL or Lucene)

Tested ECS Version

No response

Query

event.dataset:"google_workspace.admin" and event.action:"CHANGE_GROUP_SETTING" and event.category:"iam" and 
  (
    (google_workspace.admin.setting.name:"ALLOW_EXTERNAL_MEMBERS" and google_workspace.admin.new_value:"true") or
    (
      google_workspace.admin.setting.name:"WHO_CAN_JOIN" and not 
        (google_workspace.admin.new_value:"INVITED_CAN_JOIN" or google_workspace.admin.new_value:"CAN_REQUEST_TO_JOIN")
    )
  )

New fields required in ECS/data sources for this rule?

No response

Related issues or PRs

No response

References

No response

Redacted Example Data

No response

@brokensound77 brokensound77 added Rule: New Proposal for new rule Team: TRADE labels Oct 2, 2024
@brokensound77 brokensound77 self-assigned this Oct 2, 2024
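
The query's matching logic restated in Python and run over constructed events, as an added example that is not part of the issue or of the project's own code. It assumes flattened dotted-key events; the helper names, the `ANYONE_CAN_JOIN` value and the `OTHER_ACTION` value are illustrative assumptions.

```python
# Added example: offline re-statement of the proposed KQL predicate.
SAFE_JOIN_VALUES = ("INVITED_CAN_JOIN", "CAN_REQUEST_TO_JOIN")  # excluded by the query
P = "google_workspace.admin."  # field prefix used in the query


def _has(event, field, wanted):
    """ECS fields may be a scalar or a list; KQL matches if any element is equal."""
    value = event.get(field)
    return wanted in (value if isinstance(value, list) else [value])


def matches_rule(event):
    """True when a flattened (dotted-key) event satisfies the query from the issue."""
    if not (_has(event, "event.dataset", "google_workspace.admin")
            and _has(event, "event.action", "CHANGE_GROUP_SETTING")
            and _has(event, "event.category", "iam")):
        return False
    new_value = event.get(P + "new_value")
    external = _has(event, P + "setting.name", "ALLOW_EXTERNAL_MEMBERS") and new_value == "true"
    # KQL `not (...)` also matches documents where new_value is absent.
    open_join = _has(event, P + "setting.name", "WHO_CAN_JOIN") and new_value not in SAFE_JOIN_VALUES
    return external or open_join


def sample(setting, new_value=None, action="CHANGE_GROUP_SETTING"):
    """Build a constructed event; only the fields the query reads are present."""
    event = {"event.dataset": "google_workspace.admin", "event.action": action,
             "event.category": ["iam", "configuration"], P + "setting.name": setting}
    if new_value is not None:
        event[P + "new_value"] = new_value
    return event


SAMPLES = {  # constructed test cases, label -> event
    "external members enabled": sample("ALLOW_EXTERNAL_MEMBERS", "true"),
    "external members disabled": sample("ALLOW_EXTERNAL_MEMBERS", "false"),
    "join opened to anyone": sample("WHO_CAN_JOIN", "ANYONE_CAN_JOIN"),  # assumed value
    "join by invitation": sample("WHO_CAN_JOIN", "INVITED_CAN_JOIN"),
    "join value missing": sample("WHO_CAN_JOIN"),
    "different action": sample("ALLOW_EXTERNAL_MEMBERS", "true", action="OTHER_ACTION"),
}


def alerts(samples=SAMPLES):
    """Labels of the sample events the predicate would alert on."""
    return [label for label, event in samples.items() if matches_rule(event)]


if __name__ == "__main__":
    for label in alerts():
        print("ALERT:", label)
```

Because the `WHO_CAN_JOIN` branch is a negated allowlist, any value other than the two listed matches, including an event where `new_value` is missing.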
botelastic bot commented Dec 1, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale 60 days of inactivity label Dec 1, 2024
@brokensound77 brokensound77 removed the stale 60 days of inactivity label Dec 2, 2024
@w0rk3r w0rk3r added the backlog label Jan 3, 2025