New Google Workspace rules by Luke57 · Pull Request #5409 · SigmaHQ/sigma · GitHub

New Google Workspace rules #5409


Open · wants to merge 10 commits into base: master

Conversation

@Luke57 Luke57 commented May 7, 2025

Summary of the Pull Request

Adds a new Sigma rule that detects suspicious login activity within Google Workspace environments as classified by Google. The rule matches on specific eventName values (suspicious_login, suspicious_login_less_secure_app, and suspicious_programmatic_login) recorded in the login.googleapis.com service.

These log events indicate potentially malicious or unusual login attempts, such as from less secure apps, programmatic access, or abnormal login behavior. The rule supports detection of possible Initial Access techniques, specifically aligning with MITRE ATT&CK technique T1078 (Valid Accounts).

Changelog

new: Google Workspace Government Attack Warning
new: Google Workspace Out Of Domain Email Forwarding
new: Suspicious Login Activity Classified By Google

Example Log Event

```json
{
    "insertId": "-778d70d2n5b",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {},
        "metadata": {
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
            "activityId": {
                "timeUsec": "1620095181000000",
                "uniqQualifier": "-2034771694824799453"
            },
            "event": [
                {
                    "eventName": "suspicious_login_less_secure_app",
                    "eventType": "account_warning",
                    "parameter": [
                        {
                            "label": "LABEL_OPTIONAL",
                            "name": "affected_email_address",
                            "type": "TYPE_STRING",
                            "value": "test-user@example.com"
                        }
                    ],
                    "status": {
                        "success": true
                    }
                }
            ]
        },
        "methodName": "google.login.LoginService.suspiciousLoginLessSecureApp",
        "requestMetadata": {
            "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        },
        "resourceName": "organizations/123",
        "serviceName": "login.googleapis.com"
    },
    "receiveTimestamp": "2021-05-04T02:56:23.806722355Z",
    "resource": {
        "labels": {
            "method": "google.login.LoginService.suspiciousLoginLessSecureApp",
            "service": "login.googleapis.com"
        },
        "type": "audited_resource"
    },
    "severity": "NOTICE",
    "timestamp": "2021-05-04T02:26:21Z"
}
```

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added the Rules label May 7, 2025
@Luke57 Luke57 changed the title New rule to detect suspicious login activity within Google Workspace New Google Workspace rules May 15, 2025
@Luke57 Luke57 (Author) commented May 22, 2025

Not to come across as rushed, but what is actually the usual time from the time of opening a pull request to the final merge? Thanks in advance!

@phantinuss phantinuss (Collaborator) commented

It depends on the workload. It's simply best effort.

@Luke57 Luke57 (Author) commented May 22, 2025

Thanks for the response and your dedication as admins for Sigma!

@phantinuss phantinuss (Collaborator) commented

Please have a look at other product: gcp rules. You need to traverse the JSON object for each field to access it. Also I don't see an eventService in the example log.

@phantinuss phantinuss added the Author Input Required changes the require information from original author of the rules label May 22, 2025
@Luke57 Luke57 (Author) commented May 22, 2025

My bad, thanks!

@phantinuss phantinuss (Collaborator) commented

I don't see the eventService field in the example logs. I have to trust you on that/that it works. I'd prefer an example log that at least is matched by one of the rules. The current example log isn't matched by any of them. If you say you tested the rules and they work, I will merge. But if you didn't test them, please do so. I don't have access to gcp.

Luke57 and others added 4 commits May 26, 2025 09:47
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
…forwarding.yml

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
@Luke57 Luke57 (Author) commented May 26, 2025

I definitely tested the rules. Thanks for the recommendations. For completeness, I have put down a sample log of the “email forwarding” rule below.

```json
{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "test-user@example.com"
    },
    "requestMetadata": {
      "callerIp": "203.0.113.255",
      "requestAttributes": {},
      "destinationAttributes": {}
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.emailForwardingOutOfDomain",
    "resourceName": "organizations/123",
    "metadata": {
      "activityId": {
        "uniqQualifier": "-5683698025624301037",
        "timeUsec": "1632501152256000"
      },
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
      "event": [
        {
          "eventName": "email_forwarding_out_of_domain",
          "status": {
            "success": true
          },
          "parameter": [
            {
              "name": "dusi",
              "type": "TYPE_STRING",
              "value": "INfDlrzP9IH8_QE",
              "label": "LABEL_OPTIONAL"
            },
            {
              "type": "TYPE_STRING",
              "label": "LABEL_OPTIONAL",
              "value": "test-user@google.com",
              "name": "email_forwarding_destination_address"
            }
          ],
          "eventType": "email_forwarding_change"
        }
      ]
    }
  },
  "insertId": "rrcp9gd3y2f",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "method": "google.login.LoginService.emailForwardingOutOfDomain",
      "service": "login.googleapis.com"
    }
  },
  "timestamp": "2021-09-24T16:32:32.256Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-09-24T16:32:33.319260836Z"
}
```
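As an added example (not code from this PR or from the SigmaHQ project), the following Python script applies the logic of the three rules in the changelog to the two sample logs posted in this thread, walking the nested AuditLog structure the way the reviewer asks for (protoPayload → metadata → event[] → eventName / parameter[]) instead of reading top-level fields. The suspicious_* and email_forwarding_out_of_domain event names come from the PR's sample logs; the gov_attack_warning name used for the Government Attack Warning rule and the login_success name used as a benign negative are assumptions, since the PR does not show them. The sample entries are constructed, trimmed copies of the posted logs plus two negatives.

```python
import json

LOGIN_SERVICE = "login.googleapis.com"

# Rule title -> eventName values it fires on. The suspicious_* and
# email_forwarding_out_of_domain names are taken from the logs posted in this PR;
# gov_attack_warning is an assumption for the "Government Attack Warning" rule
# (the PR does not show that rule's event name).
RULES = {
    "Suspicious Login Activity Classified By Google": {
        "suspicious_login",
        "suspicious_login_less_secure_app",
        "suspicious_programmatic_login",
    },
    "Google Workspace Out Of Domain Email Forwarding": {
        "email_forwarding_out_of_domain",
    },
    "Google Workspace Government Attack Warning": {"gov_attack_warning"},  # assumed name
}


def get_path(obj, path, default=None):
    """Follow a dotted path through nested dicts, e.g. 'protoPayload.metadata.event'.
    Returns default as soon as a hop is missing, so malformed entries never raise."""
    cur = obj
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def params_to_dict(event):
    """Flatten event['parameter'] ([{name, value, ...}, ...]) into {name: value}."""
    return {p["name"]: p.get("value") for p in event.get("parameter", []) if "name" in p}


def affected_user(entry, params):
    """Login-audit entries may carry an empty authenticationInfo (as in the first
    sample log in this PR); fall back to the affected_email_address parameter."""
    return (get_path(entry, "protoPayload.authenticationInfo.principalEmail")
            or params.get("affected_email_address"))


def match_entry(entry):
    """Return one (rule_title, event_name, user, params) tuple per rule hit."""
    hits = []
    if get_path(entry, "protoPayload.serviceName") != LOGIN_SERVICE:
        return hits
    # metadata.event is a list: one AuditLog entry can carry several events.
    for ev in get_path(entry, "protoPayload.metadata.event", []) or []:
        name = ev.get("eventName")
        params = params_to_dict(ev)
        for title, names in RULES.items():
            if name in names:
                hits.append((title, name, affected_user(entry, params), params))
    return hits


def scan(entries):
    """Run every rule over a list of parsed log entries."""
    return [hit for entry in entries for hit in match_entry(entry)]


def sample_entries():
    """Constructed sample input: the two logs from this PR, trimmed to the fields the
    rules read, plus two constructed negatives (a normal login, and a suspicious_login
    event name under a different service, which must not match)."""
    return [
        {"protoPayload": {"serviceName": LOGIN_SERVICE, "authenticationInfo": {},
            "metadata": {"event": [{"eventName": "suspicious_login_less_secure_app",
                "eventType": "account_warning",
                "parameter": [{"name": "affected_email_address", "type": "TYPE_STRING",
                               "value": "test-user@example.com"}]}]}}},
        {"protoPayload": {"serviceName": LOGIN_SERVICE,
            "authenticationInfo": {"principalEmail": "test-user@example.com"},
            "metadata": {"event": [{"eventName": "email_forwarding_out_of_domain",
                "eventType": "email_forwarding_change",
                "parameter": [{"name": "email_forwarding_destination_address",
                               "type": "TYPE_STRING", "value": "test-user@google.com"}]}]}}},
        {"protoPayload": {"serviceName": LOGIN_SERVICE,
            "authenticationInfo": {"principalEmail": "test-user@example.com"},
            "metadata": {"event": [{"eventName": "login_success", "eventType": "login"}]}}},
        {"protoPayload": {"serviceName": "admin.googleapis.com",
            "metadata": {"event": [{"eventName": "suspicious_login"}]}}},
    ]


if __name__ == "__main__":
    for title, name, user, params in scan(sample_entries()):
        print(f"[{title}] {name} user={user} params={json.dumps(params)}")
```

Running the script reports two hits: the less-secure-app login against test-user@example.com (resolved from the affected_email_address parameter, because authenticationInfo is empty in that log) and the forwarding change with its destination address. The two negatives show why both conditions matter: a normal login on login.googleapis.com is ignored, and an eventName of suspicious_login under another service is ignored as well.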

@Luke57 Luke57 requested a review from phantinuss May 26, 2025 08:23
@phantinuss phantinuss added 2nd Review Needed PR need a second approval Cloud Pull request add/update cloud related rules and removed Author Input Required changes the require information from original author of the rules labels May 26, 2025
@phantinuss phantinuss requested a review from nasbench May 26, 2025 08:48