Google Workspace Password Policy Modified

  1[metadata]
  2creation_date = "2020/11/17"
  3integration = ["google_workspace"]
  4maturity = "production"
  5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
  6min_stack_version = "8.4.0"
  7updated_date = "2023/04/12"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in
 13order to weaken an organization’s security controls.
 14"""
 15false_positives = [
 16    """
 17    Password policies may be modified by system administrators. Verify that the configuration change was expected.
 18    Exceptions can be added to this rule to filter expected behavior.
 19    """,
 20]
 21from = "now-130m"
 22index = ["filebeat-*", "logs-google_workspace*"]
 23interval = "10m"
 24language = "kuery"
 25license = "Elastic License v2"
 26name = "Google Workspace Password Policy Modified"
 27note = """## Triage and analysis
 28
 29### Investigating Google Workspace Password Policy Modified
 30
 31Google Workspace administrators manage password policies to enforce password requirements for an organization's compliance needs. Administrators have the capability to set restrictions on password length, reset frequency, reuse capability, expiration, and much more. Google Workspace also allows multi-factor authentication (MFA) and 2-step verification (2SV) for authentication.
 32
 33Threat actors might rely on weak password policies or restrictions to attempt credential access by using password stuffing or spraying techniques for cloud-based user accounts. Administrators might introduce increased risk to credential access from a third-party by weakening the password restrictions for an organization.
 34
 35This rule detects when a Google Workspace password policy is modified to decrease password complexity or to adjust the reuse and reset frequency.
 36
 37#### Possible investigation steps
 38
 39- Identify associated user account(s) by reviewing the `user.name` or `source.user.email` fields in the alert.
 40- Identify the password setting that was created or adjusted by reviewing `google_workspace.admin.setting.name` field.
 41- Check if a password setting was enabled or disabled by reviewing the `google_workspace.admin.new_value` and `google_workspace.admin.old_value` fields.
 42- After identifying the involved user, verify administrative privileges are scoped properly to change.
 43- Filter `event.dataset` for `google_workspace.login` and aggregate by `user.name`, `event.action`.
 44  - The `google_workspace.login.challenge_method` field can be used to identify the challenge method used for failed and successful logins.
 45
 46### False positive analysis
 47
 48- After identifying the user account that updated the password policy, verify whether the action was intentional.
 49- Verify whether the user should have administrative privileges in Google Workspace to modify password policies.
 50- Review organizational units or groups the role may have been added to and ensure the new privileges align properly.
 51
 52### Response and remediation
 53
 54- Initiate the incident response process based on the outcome of the triage.
 55- Consider resetting passwords for potentially affected users.
 56- Disable or limit the account during the investigation and response.
 57- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
 58    - Identify the account role in the cloud environment.
 59    - Assess the criticality of affected services and servers.
 60    - Work with your IT team to identify and minimize the impact on users.
 61    - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
 62    - Identify any regulatory or legal ramifications related to this activity.
 63- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
 64- Reactivate multi-factor authentication for the user.
 65- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
 66- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.
 67- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
 68- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 69
 70## Setup
 71
 72The Google Workspace Fleet integration, the Filebeat module, or data that's similarly structured is required for this rule.
 73
 74### Important Information Regarding Google Workspace Event Lag Times
 75- As per Google's documentation, Google Workspace administrators might observe lag times ranging from several minutes to 3 days between the event occurrence time and the event being visible in the Google Workspace admin/audit logs.
 76- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
 77- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
 78- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 79- See the following references for further information:
 80  - https://support.google.com/a/answer/7061566
 81  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
 82risk_score = 47
 83rule_id = "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73"
 84severity = "medium"
 85tags = [
 86    "Domain: Cloud",
 87    "Data Source: Google Workspace",
 88    "Use Case: Identity and Access Audit",
 89    "Tactic: Persistence",
 90    "Resources: Investigation Guide"
 91]
 92timestamp_override = "event.ingested"
 93type = "query"
 94
 95query = '''
 96event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and
 97  event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and
 98  google_workspace.admin.setting.name:(
 99    "Password Management - Enforce strong password" or
100    "Password Management - Password reset frequency" or
101    "Password Management - Enable password reuse" or
102    "Password Management - Enforce password policy at next login" or
103    "Password Management - Minimum password length" or
104    "Password Management - Maximum password length"
105  )
106'''
107
108
109[[rule.threat]]
110framework = "MITRE ATT&CK"
111[[rule.threat.technique]]
112id = "T1098"
113name = "Account Manipulation"
114reference = "https://attack.mitre.org/techniques/T1098/"
115
116
117[rule.threat.tactic]
118id = "TA0003"
119name = "Persistence"
120reference = "https://attack.mitre.org/tactics/TA0003/"