MFA Disabled for Google Workspace Organization
Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/11/17"
integration = ["google_workspace"]
maturity = "production"
min_stack_comments = "Breaking changes for Google Workspace integration."
min_stack_version = "8.4.0"
updated_date = "2023/04/12"

[rule]
author = ["Elastic"]
description = """
Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt
to modify a password policy in order to weaken an organization’s security controls.
"""
false_positives = [
    """
    MFA settings may be modified by system administrators. Verify that the configuration change was expected. Exceptions
    can be added to this rule to filter expected behavior.
    """,
]
from = "now-130m"
index = ["filebeat-*", "logs-google_workspace*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "MFA Disabled for Google Workspace Organization"
note = """## Setup

The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

### Important Information Regarding Google Workspace Event Lag Times
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
- See the following references for further information:
  - https://support.google.com/a/answer/7061566
  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
risk_score = 47
rule_id = "e555105c-ba6d-481f-82bb-9b633e7b4827"
severity = "medium"
tags = [
    "Elastic",
    "Cloud",
    "Google Workspace",
    "Continuous Monitoring",
    "SecOps",
    "Identity and Access",
    "Persistence",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
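As an added example (not part of the Elastic rule or the Google Workspace integration), the Python below re-implements the query's predicate over constructed events and shows why `timestamp_override = "event.ingested"` matters given the lag times described in the note: an event that occurred 2 days ago but was ingested 5 minutes ago is caught only when the 130-minute window is applied to ingest time rather than `@timestamp`. Field names follow the KQL above; the sample documents, the `NOW` clock and the non-admin dataset/provider/category values are constructed.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2023, 4, 12, 12, 0, tzinfo=timezone.utc)  # constructed "current time"
MFA_ACTIONS = {"ENFORCE_STRONG_AUTHENTICATION", "ALLOW_STRONG_AUTHENTICATION"}

def ts(minutes_ago):
    """ISO-8601 timestamp the given number of minutes before NOW (constructed helper)."""
    return (NOW - timedelta(minutes=minutes_ago)).isoformat()

def event(action, new_value, occurred_min, ingested_min, dataset="google_workspace.admin",
          provider="admin", category="iam"):
    """Build a constructed audit event using the dotted field names the rule's KQL references."""
    return {
        "@timestamp": ts(occurred_min), "event.ingested": ts(ingested_min),
        "event.dataset": dataset, "event.provider": provider, "event.category": category,
        "event.action": action, "google_workspace.admin.new_value": new_value,
    }

SAMPLE_EVENTS = [
    # MFA enforcement switched off 2 days ago but ingested only 5 minutes ago (Google-side lag)
    event("ENFORCE_STRONG_AUTHENTICATION", "false", 2 * 24 * 60, 5),
    # MFA enforcement turned on: new_value true must not fire
    event("ALLOW_STRONG_AUTHENTICATION", "true", 20, 15),
    # Same action and value but not from the admin dataset: out of scope for this rule
    event("ENFORCE_STRONG_AUTHENTICATION", "false", 30, 25, dataset="google_workspace.login",
          provider="login", category="authentication"),
]

def matches_rule(doc):
    """Python equivalent of the rule's KQL predicate (new_value compared as a lower-cased string)."""
    return (doc.get("event.dataset") == "google_workspace.admin"
            and doc.get("event.provider") == "admin"
            and doc.get("event.category") == "iam"
            and doc.get("event.action") in MFA_ACTIONS
            and str(doc.get("google_workspace.admin.new_value")).lower() == "false")

def in_window(doc, time_field, now=NOW, lookback=timedelta(minutes=130)):
    """True if the chosen time field lies inside the rule's from = "now-130m" window."""
    t = datetime.fromisoformat(doc[time_field])
    return now - lookback <= t <= now

def run_rule(docs, time_field="event.ingested", now=NOW):
    """Return the event.action of each document that matches and is inside the window."""
    return [d["event.action"] for d in docs if matches_rule(d) and in_window(d, time_field, now)]

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))                # ['ENFORCE_STRONG_AUTHENTICATION']
    print(run_rule(SAMPLE_EVENTS, "@timestamp"))  # []  (2-day-old event falls outside the window)
```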
Setup
The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
Important Information Regarding Google Workspace Event Lag Times
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
- See the following references for further information:
  - https://support.google.com/a/answer/7061566
  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html