elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Rule Tuning] Google Workspace Drive Encryption Key(s) Accessed from Anonymous User #4120

Open brokensound77 opened 2 months ago

brokensound77 commented 2 months ago

Link to Rule

https://github.com/elastic/detection-rules/blob/51859e57f3e55b0478056c3be6ee27ea9154a70a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml#L45

Rule Tuning Type

False Negatives - Enhancing detection of true threats that were previously missed.

Description

Tune google_workspace.drive.visibility beyond just people_with_link to include shared_externally. If needed, we can revise the title to include Anonymous or External

file where event.dataset == "google_workspace.drive" and event.action : ("copy", "view", "download") and
    google_workspace.drive.visibility : ("people_with_link", "shared_externally") and source.user.email == "" and
    file.extension: (
        "token","assig", "pssc", "keystore", "pub", "pgp.asc", "ps1xml", "pem", "gpg.sig", "der", "key",
        "p7r", "p12", "asc", "jks", "p7b", "signature", "gpg", "pgp.sig", "sst", "pgp", "gpgz", "pfx", "crt",
        "p8", "sig", "pkcs7", "jceks", "pkcs8", "psc1", "p7c", "csr", "cer", "spc", "ps2xml")

Example Data

No response
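To make the effect of the proposed tuning concrete, here is an added Python example (not part of this issue, the rule, or the detection-rules project) that replays the EQL predicate above over a handful of constructed Google Workspace Drive audit events. It evaluates the same five conditions with both the original visibility filter (people_with_link only) and the proposed one (people_with_link or shared_externally), so the event that the current rule misses stands out. Field names follow the ECS/integration fields used in the query; the event ids, e-mail address, and file names are constructed sample values. EQL's `:` operator is case-insensitive for strings while `==` is case-sensitive, and the example mirrors that distinction.

```python
"""Replay of the Google Workspace Drive encryption-key rule over sample events.

Added example for this tuning issue; it is not the project's own code. It
compares the original visibility filter with the proposed widened one.
"""

# Extension list copied from the rule text in the issue (duplicate "pgp.sig" collapses in a set).
SENSITIVE_EXTENSIONS = {
    "token", "assig", "pssc", "keystore", "pub", "pgp.asc", "ps1xml", "pem", "gpg.sig", "der", "key",
    "p7r", "p12", "asc", "jks", "p7b", "signature", "gpg", "pgp.sig", "sst", "pgp", "gpgz", "pfx", "crt",
    "p8", "sig", "pkcs7", "jceks", "pkcs8", "psc1", "p7c", "csr", "cer", "spc", "ps2xml",
}
ACTIONS = {"copy", "view", "download"}

ORIGINAL_VISIBILITY = {"people_with_link"}                       # current rule
PROPOSED_VISIBILITY = {"people_with_link", "shared_externally"}   # this issue's proposal


def _ci(value):
    """EQL ':' compares strings case-insensitively; normalise for that."""
    return value.lower() if isinstance(value, str) else value


def matches(event, visibility):
    """Return True if `event` satisfies the rule with the given visibility set.

    Mirrors: file where event.dataset == "google_workspace.drive" and
             event.action : ("copy","view","download") and
             google_workspace.drive.visibility : (<visibility>) and
             source.user.email == "" and file.extension : (<SENSITIVE_EXTENSIONS>)
    """
    return (
        event.get("event.category") == "file"                       # the EQL 'file where' clause
        and event.get("event.dataset") == "google_workspace.drive"  # '==' is case-sensitive
        and _ci(event.get("event.action")) in ACTIONS
        and _ci(event.get("google_workspace.drive.visibility")) in visibility
        and event.get("source.user.email") == ""                    # anonymous actor
        and _ci(event.get("file.extension")) in SENSITIVE_EXTENSIONS
    )


def _evt(eid, action, visibility, email, ext):
    """Build a constructed sample event in the flat field layout the rule uses."""
    return {
        "id": eid,
        "event.category": "file",
        "event.dataset": "google_workspace.drive",
        "event.action": action,
        "google_workspace.drive.visibility": visibility,
        "source.user.email": email,
        "file.extension": ext,
    }


# Constructed sample data; none of these values come from a real tenant.
SAMPLE_EVENTS = [
    _evt("evt-1", "view", "people_with_link", "", "pem"),          # caught by both
    _evt("evt-2", "download", "shared_externally", "", "key"),     # missed by the original rule
    _evt("evt-3", "download", "shared_externally", "alice@example.invalid", "key"),  # authenticated, not anonymous
    _evt("evt-4", "view", "private", "", "p12"),                   # not link/externally shared
    _evt("evt-5", "view", "shared_externally", "", "docx"),        # not a key/cert extension
    _evt("evt-6", "View", "people_with_link", "", "CRT"),          # ':' is case-insensitive
]


def alerts(events, visibility):
    """Ids of events that would alert under the given visibility filter, in input order."""
    return [e["id"] for e in events if matches(e, visibility)]


def newly_caught(events):
    """Ids that the proposed filter alerts on but the original filter does not (the closed false negatives)."""
    before = set(alerts(events, ORIGINAL_VISIBILITY))
    return [eid for eid in alerts(events, PROPOSED_VISIBILITY) if eid not in before]


if __name__ == "__main__":
    print("original :", alerts(SAMPLE_EVENTS, ORIGINAL_VISIBILITY))
    print("proposed :", alerts(SAMPLE_EVENTS, PROPOSED_VISIBILITY))
    print("new hits :", newly_caught(SAMPLE_EVENTS))
```

Running it shows `evt-2` (an anonymous download of a `.key` file whose visibility is `shared_externally`) as the only event the widened filter adds; events with an authenticated `source.user.email`, a private file, or a non-key extension still do not alert, so the change targets the stated false negative without loosening the other conditions.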

botelastic[bot] commented 1 day ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.