Application Added to Google Workspace Domain
Elastic Stack Serverless Security
Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization’s Google Workspace domain in order to maintain a presence in their target’s organization and steal data.
Rule type: query
Rule indices:
- filebeat-*
- logs-google_workspace*
Severity: medium
Risk score: 47
Runs every: 10m
Searches indices from: now-130m (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Cloud
- Google Workspace
- Continuous Monitoring
- SecOps
- Configuration Audit
Version: 5
Rule authors:
- Elastic
Rule license: Elastic License v2
The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
- By default,
var.intervalis set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information:
- https://support.google.com/a/answer/7061566
- https://www.elastic.co/guide/en/beats/filebeat/8.17/filebeat-module-google_workspace.html
event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION