Created
August 1, 2023 06:34
-
-
Save misje/3d9388a507b669cb068dc18a16a76412 to your computer and use it in GitHub Desktop.
Wazuh GCP rules
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <group name="gcp,google_workspace,"> | |
| <rule id="600500" level="3"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership$</field> | |
| <field name="gcp.protoPayload.metadata.membershipDelta.roleDeltas">BLOCKED</field> | |
| <field name="gcp.protoPayload.metadata.membershipDelta.roleDeltas">ADD</field> | |
| <description>$(data.gcp.protoPayload.metadata.membershipDelta.member) blocked from $(gcp.protoPayload.metadata.group) by $(gcp.protoPayload.authenticationInfo.principalEmail)</description> | |
| </rule> | |
| <rule id="600501" level="3"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership$</field> | |
| <field name="gcp.protoPayload.metadata.membershipDelta.roleDeltas">BLOCKED</field> | |
| <field name="gcp.protoPayload.metadata.membershipDelta.roleDeltas">REMOVE</field> | |
| <description>$(data.gcp.protoPayload.metadata.membershipDelta.member) unblocked from $(gcp.protoPayload.metadata.group) by $(gcp.protoPayload.authenticationInfo.principalEmail)</description> | |
| </rule> | |
| <rule id="600502" level="3"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership$</field> | |
| <field name="gcp.protoPayload.metadata.membershipDelta.roleDeltas">MEMBER</field> | |
| <field name="gcp.protoPayload.metadata.membershipDelta.roleDeltas">ADD</field> | |
| <description>$(gcp.protoPayload.metadata.membershipDelta.member) added to $(gcp.protoPayload.metadata.group) by $(gcp.protoPayload.authenticationInfo.principalEmail)</description> | |
| </rule> | |
| <rule id="600503" level="3"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership$</field> | |
| <field name="gcp.protoPayload.metadata.membershipDelta.roleDeltas">MEMBER</field> | |
| <field name="gcp.protoPayload.metadata.membershipDelta.roleDeltas">REMOVE</field> | |
| <description>$(gcp.protoPayload.metadata.membershipDelta.member) removed from $(gcp.protoPayload.metadata.group) by $(gcp.protoPayload.authenticationInfo.principalEmail)</description> | |
| </rule> | |
| <rule id="600504" level="3"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.login.LoginService.loginSuccess$</field> | |
| <description>User $(gcp.protoPayload.authenticationInfo.principalEmail) logged in</description> | |
| </rule> | |
| <rule id="600505" level="3"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.login.LoginService.loginVerification$</field> | |
| <description>User $(gcp.protoPayload.authenticationInfo.principalEmail) went through login verification</description> | |
| </rule> | |
| <rule id="600506" level="3"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.login.LoginService.logout$</field> | |
| <description>User $(gcp.protoPayload.authenticationInfo.principalEmail) logged out</description> | |
| </rule> | |
| <rule id="600507" level="3"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.admin.AdminService.removeGroupMember$</field> | |
| <description>User removed from a group by an administrator</description> | |
| </rule> | |
| <rule id="600508" level="3"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.admin.AdminService.addGroupMember$</field> | |
| <description>User added to a group by an administrator</description> | |
| </rule> | |
| <rule id="600509" level="3"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.login.LoginService.recoveryEmailEdit$</field> | |
| <description>User $(gcp.protoPayload.authenticationInfo.principalEmail) updated their recovery e-mail</description> | |
| </rule> | |
| <rule id="600510" level="3"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.login.LoginService.2svEnroll$</field> | |
| <description>User $(gcp.protoPayload.authenticationInfo.principalEmail) enrolled in two factor authentication</description> | |
| </rule> | |
| <rule id="600511" level="3"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.login.LoginService.passwordEdit$</field> | |
| <description>User $(gcp.protoPayload.authenticationInfo.principalEmail) updated their password</description> | |
| </rule> | |
| <rule id="600512" level="3"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.admin.AdminService.createUser$</field> | |
| <description>User created by administrator $(gcp.protoPayload.authenticationInfo.principalEmail)</description> | |
| </rule> | |
| <rule id="600513" level="3"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.admin.AdminService.emailLogSearch$</field> | |
| <description>E-mail log search accessed by $(gcp.protoPayload.authenticationInfo.principalEmail)</description> | |
| </rule> | |
| <rule id="600514" level="3"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.admin.AdminService.downloadUserlistCsv$</field> | |
| <description>User list downloaded as CSV by $(gcp.protoPayload.authenticationInfo.principalEmail)</description> | |
| </rule> | |
| <rule id="600515" level="3"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.login.LoginService.loginFailure$</field> | |
| <description>User $(gcp.protoPayload.authenticationInfo.principalEmail) failed to log in</description> | |
| </rule> | |
| <rule id="600516" level="3"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.admin.AdminService.changeGroupSetting$</field> | |
| <description>Group settings modified by $(gcp.protoPayload.authenticationInfo.principalEmail)</description> | |
| </rule> | |
| <rule id="600517" level="3"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^CreateProject$</field> | |
| <description>Project created</description> | |
| </rule> | |
| <rule id="600518" level="3"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.login.LoginService.recoveryPhoneEdit$</field> | |
| <description>User $(gcp.protoPayload.authenticationInfo.principalEmail) updated their recovery phone number</description> | |
| </rule> | |
| <rule id="600519" level="3"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.admin.AdminService.addNickname$</field> | |
| <description>E-mail alias created for user by administrator $(gcp.protoPayload.authenticationInfo.principalEmail)</description> | |
| </rule> | |
| <rule id="600520" level="3"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.admin.AdminService.userLicenseAssignment$</field> | |
| <description>Licence assigned to user</description> | |
| </rule> | |
| <rule id="600521" level="3"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.admin.AdminService.alertCenterView$</field> | |
| <description>Alert centre viewed by administrator $(gcp.protoPayload.authenticationInfo.principalEmail)</description> | |
| </rule> | |
| <rule id="600522" level="3"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.login.LoginService.loginChallenge$</field> | |
| <description>User $(gcp.protoPayload.authenticationInfo.principalEmail) went through login challenge</description> | |
| </rule> | |
| <rule id="600523" level="7"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.login.LoginService.riskySensitiveActionAllowed$</field> | |
| <description>User $(gcp.protoPayload.authenticationInfo.principalEmail) allowed a risky sensitive action</description> | |
| </rule> | |
| <rule id="600524" level="7"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.admin.AdminService.changePassword$</field> | |
| <description>Password reset for user by administrator $(gcp.protoPayload.authenticationInfo.principalEmail)</description> | |
| </rule> | |
| <rule id="600525" level="7"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.admin.AdminService.changePasswordOnNextLogin$</field> | |
| <description>Password set to be changed on next login for user by administrator $(gcp.protoPayload.authenticationInfo.principalEmail)</description> | |
| </rule> | |
| <rule id="600526" level="3"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership$</field> | |
| <field name="gcp.protoPayload.metadata.membershipDelta.roleDeltas">MANAGER</field> | |
| <field name="gcp.protoPayload.metadata.membershipDelta.roleDeltas">ADD</field> | |
| <description>$(gcp.protoPayload.metadata.membershipDelta.member) set as manager for $(gcp.protoPayload.metadata.group) by $(gcp.protoPayload.authenticationInfo.principalEmail)</description> | |
| </rule> | |
| <rule id="600527" level="3"> | |
| <if_sid>65042</if_sid> | |
| <field name="gcp.protoPayload.methodName">^google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership$</field> | |
| <field name="gcp.protoPayload.metadata.membershipDelta.roleDeltas">MANAGER</field> | |
| <field name="gcp.protoPayload.metadata.membershipDelta.roleDeltas">REMOVE</field> | |
| <description>$(gcp.protoPayload.metadata.membershipDelta.member) removed as manager for $(gcp.protoPayload.metadata.group) by $(gcp.protoPayload.authenticationInfo.principalEmail)</description> | |
| </rule> | |
| </group> |
joostgrunwald
commented
Aug 28, 2023
65042
^google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership$
BLOCKED
ADD
$(data.gcp.protoPayload.metadata.membershipDelta.member) blocked from $(gcp.protoPayload.metadata.group) by $(gcp.protoPayload.authenticationInfo.principalEmail)
T1539
@misje I added Mitre attack, thanks for writing these
@joostgrunwald Fantastic! Much appreciated.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment