From 3b13d5afbb2ee037bd81119283da577dee616a1f Mon Sep 17 00:00:00 2001 From: Isai <59296946+imays11@users.noreply.github.com> Date: Thu, 28 May 2026 17:12:22 -0400 Subject: [PATCH 1/2] [Rule Tunings] GWS Rules w/ zero alerts MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Shared tuning across four Google Workspace admin rules with zero fleet alert volume despite production maturity. All were validated in trade-lab with working queries. Common changes: - Scoped index to logs-google_workspace.admin-* - Removed unnecessary event.category / event.type - Added investigation fields - Updated investigation guides to align with highlighted fields and current Admin console paths ### Gmail routing rule — expanded scope and query (largest change): Previously matched only legacy custom mail routes (EMAIL_ROUTE, MESSAGE_SECURITY_RULE). Now covers the full Gmail admin collection surface: - Routing (UNIFIED_MAIL_ROUTING, legacy MESSAGE_SECURITY_RULE) — also deliver to, change envelope recipient - Recipient address map (ALIAS_TABLE) — forwarding by address mapping - Mail hosts / outbound gateway (EMAIL_ROUTE) - Query matches legacy (CREATE_GMAIL_SETTING / CHANGE_GMAIL_SETTING) and current (CREATE_APPLICATION_SETTING / CHANGE_APPLICATION_SETTING) audit actions, on setting.name or setting.metadata.rule.type. These values will likely change after the migration period ending Aug 2026; we'll need to reassess this rule then to make sure the values still align. --- ...ustom_gmail_route_created_or_modified.toml | 80 +++++++++++++------ ...ed_from_blocklist_in_google_workspace.toml | 23 ++++-- ..._workspace_bitlocker_setting_disabled.toml | 24 ++++-- ...marketplace_modified_to_allow_any_app.toml | 26 ++++-- 4 files changed, 110 insertions(+), 43 deletions(-)
diff --git a/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml b/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
index a0afd2e48de..4184c78c36f 100644
--- a/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
+++ b/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
@@ -2,51 +2,56 @@
 creation_date = "2022/09/13"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/05/27"
 [rule]
 author = ["Elastic"]
 description = """
-Detects when a custom Gmail route is added or modified in Google Workspace. Adversaries can add a custom e-mail route
-for outbound mail to route these e-mails to their own inbox of choice for data gathering. This allows adversaries to
-capture sensitive information from e-mail and potential attachments, such as invoices or payment documents. By default,
-all email from current Google Workspace users with accounts are routed through a domain's mail server for inbound and
-outbound mail.
+Detects when a Gmail routing, mail-forwarding, or custom mail-host setting is created or modified in Google Workspace.
+Adversaries with administrative access can add Routing rules (also deliver to / change envelope recipient), recipient
+address map forwarding, or mail hosts and outbound gateways to copy or redirect sensitive email for collection.
 """
 false_positives = [
 """
- Administrators may create custom email routes in Google Workspace based on organizational policies, administrative
- preference or for security purposes regarding spam.
+ Administrators may create or change Gmail routing, dual-delivery, address maps, or mail hosts for migrations,
+ journaling, spam handling, or partner integrations.
 """,
 ]
 from = "now-130m"
-index = ["filebeat-*", "logs-google_workspace*"]
+index = ["filebeat-*", "logs-google_workspace.admin-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
-name = "Google Workspace Custom Gmail Route Created or Modified"
+name = "Google Workspace Gmail Routing or Forwarding Rule Created or Modified"
 note = """## Triage and analysis
-### Investigating Google Workspace Custom Gmail Route Created or Modified
+### Investigating Google Workspace Gmail Routing or Forwarding Rule Created or Modified
-Gmail is a popular cloud-based email service developed and managed by Google. Gmail is one of many services available for users with Google Workspace accounts.
+Gmail administrators can change where mail is delivered using several Admin console areas under Apps > Google Workspace > Gmail:
-Threat actors often send phishing emails containing malicious URL links or attachments to corporate Gmail accounts. Google Workspace identity relies on the corporate user Gmail account and if stolen, allows threat actors to further their intrusion efforts from valid user accounts.
+- Routing — specialized rules (modify message, change route, also deliver to, change envelope recipient). Audit: `UNIFIED_MAIL_ROUTING` or `MESSAGE_SECURITY_RULE` (legacy); `google_workspace.admin.setting.metadata.rule.type` may repeat the legacy type on `RuleState` rows.
+- Email forwarding using recipient address map — rewrite or forward by address mapping. Audit: `ALIAS_TABLE`.
+- Hosts / Outbound gateway — custom SMTP routes. Audit: `EMAIL_ROUTE`.
-This rule identifies the creation of a custom global Gmail route by an administrator from the Google Workspace admin console. Custom email routes could indicate an attempt to secretly forward sensitive emails to unintentional recipients.
+Google may emit multiple admin audit events per single save (legacy `CREATE_GMAIL_SETTING`, new `CREATE_APPLICATION_SETTING`, rule body, and rule enabled state).
Expect duplicate documents at the same `@timestamp`; correlate on `user.name`, `google_workspace.admin.USER_DEFINED_SETTING_NAME` (rule id), and `event.id`.
-#### Possible investigation steps
+### Possible investigation steps
-- Identify the user account that created the custom email route and verify that they should have administrative privileges.
-- Review the added recipients from the custom email route and confidentiality of potential email contents.
-- Identify the user account, then review `event.action` values for related activity within the last 48 hours.
-- If the Google Workspace license is Enterprise Plus or Education Plus, search for emails matching the route filters. To find the Gmail event logs, go to `Reporting > Audit and investigation > Gmail log events`.
-- If existing emails have been sent and match the custom route criteria, review the sender and contents for malicious URL links and attachments.
-- Identified URLs or attachments can be submitted to VirusTotal for reputational services.
+- Identify the administrator (`user.name`, `user.email`) and confirm the change was authorized.
+- In Admin console, review the rule matching `google_workspace.admin.USER_DEFINED_SETTING_NAME`:
+ - Routing (`UNIFIED_MAIL_ROUTING`, `MESSAGE_SECURITY_RULE`): Apps > Gmail > Routing
+ - Recipient address map (`ALIAS_TABLE`): Apps > Gmail > Default routing > Email forwarding using recipient address map
+ - Mail hosts / outbound gateway (`EMAIL_ROUTE`): Apps > Gmail > Hosts
+- Map the alert to the admin area using `google_workspace.admin.setting.name` and `google_workspace.admin.setting.metadata.rule.type`
+- Review whether the rule adds also deliver to, change envelope recipient, or routes to an external mail host or domain.
+- Review related `event.action` values for the same administrator in the last 48 hours.
+- If licensed for Gmail log events (BigQuery / Enterprise Plus), use Reporting > Audit and investigation > Gmail log events to confirm messages were delivered per the rule (`message_info.flattened_destinations`, `triggered_rule_info`).
+- Submit suspicious URLs or attachments from affected mail to reputational services as needed.
 ### False positive analysis
-- This rule searches for domain-wide custom email routes created in the admin console of Google Workspace. Administrators might create custom email routes to fulfill organizational requirements.
+- Legitimate mail migrations, journaling, compliance archiving, and internal dual-delivery are common.
+- Tune with exceptions for known administrator accounts, rule ids (`USER_DEFINED_SETTING_NAME`), or approved external domains.
 ### Response and remediation
@@ -94,9 +99,35 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-data_stream.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING")
- and google_workspace.event.type:"EMAIL_SETTINGS" and google_workspace.admin.setting.name:("EMAIL_ROUTE" or "MESSAGE_SECURITY_RULE")
+data_stream.dataset:"google_workspace.admin" and event.action:(
+ "CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING"
+ or "CREATE_APPLICATION_SETTING" or "CHANGE_APPLICATION_SETTING"
+)
+and (
+ google_workspace.admin.setting.name:(
+ "UNIFIED_MAIL_ROUTING"
+ or "ALIAS_TABLE"
+ or "EMAIL_ROUTE"
+ or "MESSAGE_SECURITY_RULE"
+ )
+ or google_workspace.admin.setting.metadata.rule.type:(
+ "UNIFIED_MAIL_ROUTING"
+ or "ALIAS_TABLE"
+ or "EMAIL_ROUTE"
+ )
+)
 '''
+[rule.investigation_fields]
+field_names = [
+ "source.ip",
+ "user.name",
+ "user.email",
+ "event.action",
+ "google_workspace.admin.org_unit.name",
+ "google_workspace.admin.setting.name",
+ "google_workspace.admin.setting.metadata.rule.type",
+ "google_workspace.admin.USER_DEFINED_SETTING_NAME",
+]
 [[rule.threat]]
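Review bot: The commit message says the audit action and setting names this rule keys on are expected to change once Google's migration period ends in Aug 2026, but nothing in the rule itself carries that caveat, so whoever next sees the alert count drop to zero has no pointer to the cause. Add a line to the background section of the guide, e.g. `Audit action and setting names for Gmail routing are in transition (legacy CREATE_GMAIL_SETTING/CHANGE_GMAIL_SETTING vs CREATE_APPLICATION_SETTING/CHANGE_APPLICATION_SETTING); re-validate the query values after Google's migration period ends (Aug 2026).` The guide also tells analysts to expect several documents per save, yet unless an `[rule.alert_suppression]` block exists in the part of the file this diff does not show, the rule fires once per document; grouping suppression on `user.name` and `google_workspace.admin.USER_DEFINED_SETTING_NAME` would remove exactly the noise the guide is warning about.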
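Review bot: The triage guide added in this commit tells analysts to correlate the duplicate documents on `event.id`, but the new `[rule.investigation_fields]` list does not surface it; add `"event.id",` after `"event.action",`. The `setting.metadata.rule.type` alternation also deliberately omits `MESSAGE_SECURITY_RULE` while the `setting.name` list includes it; since KQL has no comment syntax, a one-line note in the guide's background section explaining that the legacy type is only ever seen in `setting.name` would stop the next tuner (the commit message already schedules a re-check after Aug 2026) from "fixing" the asymmetry.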
@@ -116,4 +147,3 @@ reference = "https://attack.mitre.org/techniques/T1114/003/"
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-
diff --git a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
index 5f0f66f4cfa..34d71c75cc9 100644
--- a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
+++ b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/25"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/05/28"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-130m"
-index = ["filebeat-*", "logs-google_workspace*"]
+index = ["filebeat-*", "logs-google_workspace.admin-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -36,14 +36,15 @@ Google clearly states that they are not responsible for any Marketplace product
 This rule identifies a Marketplace blocklist update that consists of a Google Workspace account with administrative privileges manually removing a previously blocked application.
-#### Possible investigation steps
+### Possible investigation steps
 - Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.
+- Review `google_workspace.admin.old_value` and `google_workspace.admin.new_value` to confirm the app moved from blocked to allowed and note the affected organizational unit (`google_workspace.admin.org_unit.name`).
 - This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.
 - With access to the Google Workspace admin console, visit the `Security > Investigation` tool with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.
 - After identifying the involved user account, review other potentially related events within the last 48 hours.
 - Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.
-- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.
+- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace apps > Apps list`.
 ### False positive analysis
@@ -98,12 +99,24 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-data_stream.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change" and
+data_stream.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and
 google_workspace.admin.application.name:"Google Workspace Marketplace" and google_workspace.admin.old_value: *allowed*false* and google_workspace.admin.new_value: *allowed*true*
 '''
+[rule.investigation_fields]
+field_names = [
+ "source.ip",
+ "user.name",
+ "user.email",
+ "event.action",
+ "google_workspace.admin.org_unit.name",
+ "google_workspace.admin.setting.name",
+ "google_workspace.admin.old_value",
+ "google_workspace.admin.new_value",
+]
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
index 7678e3819cb..b37dcc2f79e 100644
--- a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
+++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/06"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/05/27"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-130m"
-index = ["filebeat-*", "logs-google_workspace*"]
+index = ["filebeat-*", "logs-google_workspace.admin-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
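Review bot: Style: this file adds a blank line between the closing `]` of `field_names` and `[[rule.threat]]`, while the Gmail, BitLocker and allow-any rules in the same commit put `[[rule.threat]]` directly after `]`. TOML convention is one blank line between tables, so the other three files should probably gain the blank rather than this one losing it; either way the four should match since they were tuned together.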
@@ -34,12 +34,13 @@ Disabling Bitlocker on an endpoint decrypts data at rest and makes it accessible
 This rule identifies a user with administrative privileges and access to the admin console, disabling BitLocker for Windows endpoints.
-#### Possible investigation steps
+### Possible investigation steps
 - Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.
+- Review `google_workspace.admin.org_unit.name`, `google_workspace.admin.setting.name`, and `google_workspace.admin.old_value` / `new_value` to confirm BitLocker was disabled and for which OU.
 - After identifying the user, verify if the user should have administrative privileges to disable BitLocker on Windows endpoints.
-- From the Google Workspace admin console, review `Reporting > Audit` and `Investigation > Device` logs, filtering on the user email identified from the alert.
- - If a Google Workspace user logged into their account using a potentially compromised account, this will create an `Device sync event` event.
+- Review Admin and Device logs, filtering on the user email identified from the alert.
+- Confirm the policy change under `Devices` (Windows device management) or the relevant Chrome/Windows endpoint settings area for the affected OU.
 ### False positive analysis
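Review bot: The replacement bullet `- Confirm the policy change under Devices (Windows device management) or the relevant Chrome/Windows endpoint settings area for the affected OU.` trades the old precise-but-stale path for an either/or that an analyst cannot follow, even though the commit message says the guides were aligned to current Admin console paths. Name the single location (I believe it is under Devices > Mobile & endpoints > Settings > Windows, but verify against a current tenant before committing it) or state explicitly that the location varies by licence. Likewise `- Review Admin and Device logs, filtering on the user email identified from the alert.` could say where, e.g. Reporting > Audit and investigation > Admin log events / Device log events, which is the naming the Gmail guide in this commit uses.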
@@ -93,10 +94,21 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-data_stream.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration)
+data_stream.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING"
 and google_workspace.admin.new_value:"Disabled" and google_workspace.admin.setting.name:BitLocker*
 '''
+[rule.investigation_fields]
+field_names = [
+ "source.ip",
+ "user.name",
+ "user.email",
+ "event.action",
+ "google_workspace.admin.org_unit.name",
+ "google_workspace.admin.setting.name",
+ "google_workspace.admin.old_value",
+ "google_workspace.admin.new_value",
+]
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml b/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml
index a9aedebc930..037bc4f6a96 100644
--- a/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml
+++ b/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/25"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/05/28"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["filebeat-*", "logs-google_workspace*"]
+index = ["filebeat-*", "logs-google_workspace.admin-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Google Workspace Restrictions for Marketplace Modified to Allow Any App"
@@ -37,9 +37,11 @@ Google clearly states that they are not responsible for any product on the Marke
 This rule identifies when the global allow-all setting is enabled for Google Workspace Marketplace applications.
-#### Possible investigation steps
+### Possible investigation steps
 - Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.
+- Confirm `google_workspace.admin.new_value` is `ALLOW_ALL` and review `google_workspace.admin.old_value` for the prior restriction.
+- In the admin console, verify the change under `Apps > Google Workspace Marketplace apps` (global allowlist access setting).
 - This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.
 - Search for `event.action` is `ADD_APPLICATION` to identify applications installed after these changes were made.
 - The `google_workspace.admin.application.name` field will help identify what applications were added.
@@ -50,9 +52,8 @@ This rule identifies when the global allow-all setting is enabled for Google Wor
 ### False positive analysis
 - Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.
-- Google Workspace administrators may intentionally add an application from the marketplace based on organizational needs.
- - Follow up with the user who added the application to ensure this was intended.
-- Verify the application identified has been assessed thoroughly by an administrator.
+- Google Workspace administrators may intentionally enable allow-all marketplace access based on organizational needs.
+ - Follow up with the administrator who made the change to ensure this was intended.
 ### Response and remediation
@@ -100,11 +101,22 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-data_stream.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration)
+data_stream.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING"
 and google_workspace.event.type:"APPLICATION_SETTINGS" and google_workspace.admin.application.name:"Google Workspace Marketplace" and google_workspace.admin.setting.name:"Apps Access Setting Allowlist access" and google_workspace.admin.new_value:"ALLOW_ALL"
 '''
+[rule.investigation_fields]
+field_names = [
+ "source.ip",
+ "user.name",
+ "user.email",
+ "event.action",
+ "google_workspace.admin.org_unit.name",
+ "google_workspace.admin.setting.name",
+ "google_workspace.admin.old_value",
+ "google_workspace.admin.new_value",
+]
 [[rule.threat]]
 framework = "MITRE ATT&CK"
From e809cd0d60f5e2b4dfccf82780687bf9770649b1 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Thu, 28 May 2026 17:48:49 -0400
Subject: [PATCH 2/2] remove filebeat from Gmail Routing rule
---
 ...space_custom_gmail_route_created_or_modified.toml | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml b/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
index 4184c78c36f..1285f9fd6b6 100644
--- a/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
+++ b/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
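Review bot: This query keeps `google_workspace.event.type:"APPLICATION_SETTINGS"` as a hard filter while the Gmail rule in the same commit dropped its equivalent `google_workspace.event.type:"EMAIL_SETTINGS"` to admit the newer `*_APPLICATION_SETTING` audit actions. If the Marketplace setting is subject to the same migration the commit message describes for Gmail, this retained filter is the likeliest next cause of a zero-alert rule; either confirm in trade-lab that the new-style events still carry `APPLICATION_SETTINGS`, or drop the filter here too since `setting.name:"Apps Access Setting Allowlist access"` already pins the event.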
@@ -17,8 +17,8 @@ false_positives = [
 journaling, spam handling, or partner integrations.
 """,
 ]
-from = "now-130m"
-index = ["filebeat-*", "logs-google_workspace.admin-*"]
+from = "now-20m"
+index = ["logs-google_workspace.admin-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
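Review bot: `from = "now-20m"` and `index = ["logs-google_workspace.admin-*"]` now diverge from the other three rules tuned in the first patch, which keep `"filebeat-*"` and `from = "now-130m"` on the same 10m interval. If the Filebeat module is no longer a supported source for these rules, the same change belongs in the blocklist, BitLocker and allow-any files; if it is still supported there, the commit should say why the Gmail rule alone drops it. Readers of those three rules will otherwise see the old "Filebeat module" Setup wording next to an index pattern that only the Fleet integration writes.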
@@ -71,16 +71,14 @@ Google may emit multiple admin audit events per single save (legacy `CREATE_GMAI
 ## Setup
-The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+The Google Workspace Fleet integration with the Admin data stream (`logs-google_workspace.admin-*`) is required for this rule.
 ### Important Information Regarding Google Workspace Event Lag Times
 - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
-- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
-- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
-- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
+- This rule uses `timestamp_override = event.ingested` and is configured to run every 10 minutes with a lookback of 20 minutes, aligned with the integration's default Admin poll interval (`interval`: 15m) and lag time (`lag_time`: 3m).
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
- - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
+ - https://www.elastic.co/docs/reference/integrations/google_workspace"""
 references = [
 "https://support.google.com/a/answer/2685650?hl=en",
 "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
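Review bot: The rewritten lag-time bullet still sits under a warning about up-to-3-day delays but never says why a 20-minute lookback is safe; the reader has to work out that `timestamp_override = event.ingested` makes the window apply to ingest time rather than event time. Spell that out, e.g. `- Because this rule uses timestamp_override = event.ingested, the 20 minute lookback is measured against ingest time, so events Google publishes late are still evaluated on the run in which they arrive.` The claim that 20m aligns with a 15m poll interval and 3m `lag_time` should also be checked against the integration's current manifest defaults before it lands, since the guide will drift silently if the integration changes them.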