Google Workspace Custom Gmail Route Created or Modified

  1[metadata]
  2creation_date = "2022/09/13"
  3integration = ["google_workspace"]
  4maturity = "production"
  5min_stack_comments = "Breaking changes for Google Workspace integration."
  6min_stack_version = "8.4.0"
  7updated_date = "2023/06/22"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Detects when a custom Gmail route is added or modified in Google Workspace. Adversaries can add a custom e-mail route
 13for outbound mail to route these e-mails to their own inbox of choice for data gathering. This allows adversaries to
 14capture sensitive information from e-mail and potential attachments, such as invoices or payment documents. By default,
 15all email from current Google Workspace users with accounts are routed through a domain's mail server for inbound and
 16outbound mail.
 17"""
 18false_positives = [
 19    """
 20    Administrators may create custom email routes in Google Workspace based on organizational policies, administrative
 21    preference or for security purposes regarding spam.
 22    """,
 23]
 24from = "now-130m"
 25index = ["filebeat-*", "logs-google_workspace*"]
 26interval = "10m"
 27language = "kuery"
 28license = "Elastic License v2"
 29name = "Google Workspace Custom Gmail Route Created or Modified"
 30note = """## Triage and analysis
 31
 32### Investigating Google Workspace Custom Gmail Route Created or Modified
 33
 34Gmail is a popular cloud-based email service developed and managed by Google. Gmail is one of many services available for users with Google Workspace accounts.
 35
 36Threat actors often send phishing emails containing malicious URL links or attachments to corporate Gmail accounts. Google Workspace identity relies on the corporate user Gmail account and if stolen, allows threat actors to further their intrusion efforts from valid user accounts.
 37
 38This rule identifies the creation of a custom global Gmail route by an administrator from the Google Workspace admin console. Custom email routes could indicate an attempt to secretly forward sensitive emails to unintentional recipients.
 39
 40#### Possible investigation steps
 41
 42- Identify the user account that created the custom email route and verify that they should have administrative privileges.
 43- Review the added recipients from the custom email route and confidentiality of potential email contents.
 44- Identify the user account, then review `event.action` values for related activity within the last 48 hours.
 45- If the Google Workspace license is Enterprise Plus or Education Plus, search for emails matching the route filters. To find the Gmail event logs, go to `Reporting > Audit and investigation > Gmail log events`.
 46- If existing emails have been sent and match the custom route criteria, review the sender and contents for malicious URL links and attachments.
 47- Identified URLs or attachments can be submitted to VirusTotal for reputational services.
 48
 49### False positive analysis
 50
 51- This rule searches for domain-wide custom email routes created in the admin console of Google Workspace. Administrators might create custom email routes to fulfill organizational requirements.
 52
 53### Response and remediation
 54
 55- Initiate the incident response process based on the outcome of the triage.
 56- Disable or limit the account during the investigation and response.
 57- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
 58    - Identify the account role in the cloud environment.
 59    - Assess the criticality of affected services and servers.
 60    - Work with your IT team to identify and minimize the impact on users.
 61    - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
 62    - Identify any regulatory or legal ramifications related to this activity.
 63- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
 64- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
 65- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.
 66- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
 67- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 68
 69## Setup
 70
 71The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 72
 73### Important Information Regarding Google Workspace Event Lag Times
 74- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
 75- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
 76- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
 77- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 78- See the following references for further information:
 79  - https://support.google.com/a/answer/7061566
 80  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
 81references = ["https://support.google.com/a/answer/2685650?hl=en"]
 82risk_score = 47
 83rule_id = "9510add4-3392-11ed-bd01-f661ea17fbce"
 84severity = "medium"
 85tags = ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Collection", "Resources: Investigation Guide"]
 86timestamp_override = "event.ingested"
 87type = "query"
 88
 89query = '''
 90event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING")
 91  and google_workspace.event.type:"EMAIL_SETTINGS" and google_workspace.admin.setting.name:("EMAIL_ROUTE" or "MESSAGE_SECURITY_RULE")
 92'''
 93
 94
 95[[rule.threat]]
 96framework = "MITRE ATT&CK"
 97[[rule.threat.technique]]
 98id = "T1114"
 99name = "Email Collection"
100reference = "https://attack.mitre.org/techniques/T1114/"
101[[rule.threat.technique.subtechnique]]
102id = "T1114.003"
103name = "Email Forwarding Rule"
104reference = "https://attack.mitre.org/techniques/T1114/003/"
105
106
107
108[rule.threat.tactic]
109id = "TA0009"
110name = "Collection"
111reference = "https://attack.mitre.org/tactics/TA0009/"