[Rule Tuning] First Time Seen Google Workspace OAuth Login from Third-Party Application
Link to rule
https://github.com/elastic/detection-rules/blob/66c1d7f3b4355cefb110166fc9c5b2f5584f53ea/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml#L3
Description
This rule runs a wildcard query against a sub-key of a flattened field (google_workspace.token.scope.data), which is not supported, so the rule silently fails to match. At least with the latest version of the Google Workspace integration (2.19.0), that field appears to be mapped as `flattened` rather than as an `object` field the way it used to be.
So `google_workspace.token.scope.data.scope_name` should be replaced with `google_workspace.token.scope.value`. As the sample document below shows, `scope.value` is a plain keyword array carrying the same scope URLs that appear under `scope.data[].scope_name`, so the existing wildcard matches can be applied to it without changing the rule's intent.
Example Data
JSON Document:
{ "_index": ".ds-logs-google_workspace.token-default-2023.11.20-000012", "_id": "T7bmyeNqfwNCsD141qHEyKraYQg=", "_version": 1, "_score": 0, "_source": { "agent": { "name": "<redacted>", "id": "<redacted>", "ephemeral_id": "<redacted>", "type": "filebeat", "version": "8.10.2" }, "elastic_agent": { "id": "<redacted>", "version": "8.10.2", "snapshot": false }, "source": { "ip": "<redacted>", "user": { "domain": "<redacted>", "name": "<redacted>", "id": "<redacted>", "email": "<redacted>" } }, "tags": [ "google_workspace-token" ], "input": { "type": "httpjson" }, "@timestamp": "2023-11-20T09:58:33.965Z", "ecs": { "version": "8.11.0" }, "related": { "hosts": [ "<redacted>" ], "ip": [ "<redacted>" ], "user": [ "<redacted>", "<redacted>", "<redacted>" ] }, "google_workspace": { "kind": "admin#reports#activity", "etag": "<redacted>", "token": { "app_name": "<redacted>", "scope": { "data": [ { "product_bucket": [ "GSUITE_ADMIN" ], "scope_name": "https://www.googleapis.com/auth/admin.reports.audit.readonly" } ], "value": [ "https://www.googleapis.com/auth/admin.reports.audit.readonly" ] }, "client": { "id": "<redacted>", "type": "WEB" } } }, "data_stream": { "namespace": "default", "type": "logs", "dataset": "google_workspace.token" }, "organization": { "id": "<redacted>" }, "host": { "hostname": "<redacted>", "os": { "kernel": "5.15.0-84-generic", "codename": "jammy", "name": "Ubuntu", "type": "linux", "family": "debian", "version": "22.04.3 LTS (Jammy Jellyfish)", "platform": "ubuntu" }, "containerized": false, "ip": [ "<redacted>", "<redacted>", "<redacted>" ], "name": "<redacted>", "id": "<redacted>", "mac": [ "<redacted>", "<redacted>", "<redacted>" ], "architecture": "x86_64" }, "event": { "agent_id_status": "verified", "ingested": "2023-11-20T11:58:36Z", "provider": "token", "created": "2023-11-20T11:58:35.273Z", "kind": [ "event" ], "action": "authorize", "id": "<redacted>", "category": [ "iam" ], "type": [ "info", "user" ], "dataset": "google_workspace.token" }, 
"user": { "domain": "<redacted>", "name": "<redacted>", "id": "<redacted>", "email": "<redacted>" } }, "fields": { "elastic_agent.version": [ "8.10.2" ], "event.category": [ "iam" ], "host.os.name.text": [ "Ubuntu" ], "host.hostname": [ "<redacted>" ], "source.user.email": [ "<redacted>" ], "host.mac": [ "<redacted>", "<redacted>", "<redacted>" ], "source.user.name.text": [ "<redacted>" ], "host.os.version": [ "22.04.3 LTS (Jammy Jellyfish)" ], "host.os.name": [ "Ubuntu" ], "source.ip": [ "<redacted>" ], "agent.name": [ "<redacted>" ], "host.name": [ "<redacted>" ], "event.agent_id_status": [ "verified" ], "event.kind": [ "event" ], "host.os.type": [ "linux" ], "user.id": [ "<redacted>" ], "input.type": [ "httpjson" ], "data_stream.type": [ "logs" ], "google_workspace.token.client.type": [ "WEB" ], "related.user": [ "<redacted>", "<redacted>", "<redacted>" ], "tags": [ "google_workspace-token" ], "host.architecture": [ "x86_64" ], "event.provider": [ "token" ], "agent.id": [ "<redacted>" ], "ecs.version": [ "8.11.0" ], "host.containerized": [ false ], "event.created": [ "2023-11-20T11:58:35.273Z" ], "google_workspace.token.app_name": [ "<redacted>" ], "organization.id": [ "<redacted>" ], "agent.version": [ "8.10.2" ], "related.hosts": [ "<redacted>" ], "host.os.family": [ "debian" ], "source.user.name": [ "<redacted>" ], "user.name": [ "<redacted>" ], "host.ip": [ "<redacted>", "<redacted>", "<redacted>" ], "agent.type": [ "filebeat" ], "event.module": [ "google_workspace" ], "related.ip": [ "<redacted>" ], "user.email": [ "<redacted>" ], "host.os.kernel": [ "5.15.0-84-generic" ], "elastic_agent.snapshot": [ false ], "source.user.id": [ "<redacted>" ], "user.domain": [ "<redacted>" ], "host.id": [ "<redacted>" ], "google_workspace.token.client.id": [ "<redacted>" ], "elastic_agent.id": [ "<redacted>" ], "google_workspace.token.scope.data": [ { "product_bucket": [ "GSUITE_ADMIN" ], "scope_name": "https://www.googleapis.com/auth/admin.reports.audit.readonly" } ], 
"google_workspace.token.scope.value": [ "https://www.googleapis.com/auth/admin.reports.audit.readonly" ], "data_stream.namespace": [ "default" ], "host.os.codename": [ "jammy" ], "google_workspace.kind": [ "admin#reports#activity" ], "event.action": [ "authorize" ], "event.ingested": [ "2023-11-20T11:58:36.000Z" ], "@timestamp": [ "2023-11-20T09:58:33.965Z" ], "google_workspace.etag": [ "<redacted>" ], "host.os.platform": [ "ubuntu" ], "data_stream.dataset": [ "google_workspace.token" ], "event.type": [ "info", "user" ], "agent.ephemeral_id": [ "<redacted>" ], "source.user.domain": [ "<redacted>" ], "event.id": [ "<redacted>" ], "event.dataset": [ "google_workspace.token" ], "user.name.text": [ "<redacted>" ] } }
Suggested replacement for the rule query (only the scope field changes; the dataset, action and client.id clauses are unchanged):
event.dataset: "google_workspace.token" and event.action: "authorize" and
google_workspace.token.scope.value: *Login and google_workspace.token.client.id: *apps.googleusercontent.com