Sample rules
Application Removed from Blocklist in Google Workspace
- source: elastic
- techniques:
- T1562
Description
Google Workspace administrators may be aware of malicious applications within the Google marketplace and block these applications for user security purposes. An adversary with administrative privileges may remove such an application from the explicit block list to allow distribution of the application amongst users. This may also indicate the unauthorized use of an application that had previously been blocked by a user with admin privileges.
Detection logic
event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change" and
event.action:"CHANGE_APPLICATION_SETTING" and
google_workspace.admin.application.name:"Google Workspace Marketplace" and
google_workspace.admin.old_value: *allowed*false* and google_workspace.admin.new_value: *allowed*true*
Google Workspace Restrictions for Marketplace Modified to Allow Any App
- source: elastic
- techniques:
- T1562
Description
Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace. Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed within Google Workspace. Administrators should set restrictions to not allow any application from the marketplace for security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google Workspace environment prior to distributing the malicious APK to the end user.
Detection logic
event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration)
and google_workspace.event.type:"APPLICATION_SETTINGS" and google_workspace.admin.application.name:"Google Workspace Marketplace"
and google_workspace.admin.setting.name:"Apps Access Setting Allowlist access" and google_workspace.admin.new_value:"ALLOW_ALL"
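The two queries above, re-implemented in Python over constructed sample events so the field matching (including the KQL wildcard on old_value/new_value in the first rule) can be checked offline. This is an added example, not Elastic's rule code; the flattened event documents (BASE, EVENTS), the old_value/new_value JSON strings and the helper names are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample events (not real Google Workspace logs). Documents are flattened to the
# dotted ECS field names the rules use; event.category/event.type are lists, as ECS allows.
BASE = {"event.dataset": "google_workspace.admin", "event.category": ["iam"],
        "event.type": ["change"], "event.action": "CHANGE_APPLICATION_SETTING",
        "google_workspace.admin.application.name": "Google Workspace Marketplace"}
EVENTS = [
    {**BASE, "google_workspace.admin.old_value": '{"allowed": false}',  # app removed from blocklist
             "google_workspace.admin.new_value": '{"allowed": true}'},
    {**BASE, "event.category": ["iam", "configuration"],                # restriction set to ALLOW_ALL
             "google_workspace.event.type": "APPLICATION_SETTINGS",
             "google_workspace.admin.setting.name": "Apps Access Setting Allowlist access",
             "google_workspace.admin.new_value": "ALLOW_ALL"},
    {**BASE, "google_workspace.admin.old_value": '{"allowed": true}',   # app added to blocklist: benign
             "google_workspace.admin.new_value": '{"allowed": false}'},
]

def has(event, field, value):
    """Exact match; for multi-valued ECS fields, true if any element matches."""
    v = event.get(field)
    return value in v if isinstance(v, list) else v == value

def like(event, field, pattern):
    """KQL-style wildcard match against a keyword field (case-sensitive)."""
    return fnmatchcase(str(event.get(field, "")), pattern)

def app_removed_from_blocklist(e):
    return (has(e, "event.dataset", "google_workspace.admin") and has(e, "event.category", "iam")
            and has(e, "event.type", "change") and has(e, "event.action", "CHANGE_APPLICATION_SETTING")
            and has(e, "google_workspace.admin.application.name", "Google Workspace Marketplace")
            and like(e, "google_workspace.admin.old_value", "*allowed*false*")
            and like(e, "google_workspace.admin.new_value", "*allowed*true*"))

def marketplace_allows_any_app(e):
    return (has(e, "event.dataset", "google_workspace.admin")
            and has(e, "event.action", "CHANGE_APPLICATION_SETTING")
            and (has(e, "event.category", "iam") or has(e, "event.category", "configuration"))
            and has(e, "google_workspace.event.type", "APPLICATION_SETTINGS")
            and has(e, "google_workspace.admin.application.name", "Google Workspace Marketplace")
            and has(e, "google_workspace.admin.setting.name", "Apps Access Setting Allowlist access")
            and has(e, "google_workspace.admin.new_value", "ALLOW_ALL"))

RULES = {"Application Removed from Blocklist in Google Workspace": app_removed_from_blocklist,
         "Google Workspace Restrictions for Marketplace Modified to Allow Any App": marketplace_allows_any_app}

def evaluate(events):
    """Return (rule name, event index) for every rule that fires on each event."""
    return [(name, i) for i, e in enumerate(events) for name, rule in RULES.items() if rule(e)]
```

Only the first two constructed events fire (one rule each); the third, an app being added to the blocklist, matches neither, which is the direction of change the first rule deliberately ignores.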