
Commit 557870f

committed
gws
1 parent 0b0ab0d commit 557870f


2 files changed

+87
-1
lines changed


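--- a/data_sources/google_workspace.yml
+++ b/data_sources/google_workspace.yml
@@ -11,5 +11,91 @@ supported_TA:
 url: https://splunkbase.splunk.com/app/5556
 version: 3.0.2
 fields:
+- action
+- actor.callerType
+- actor.email
+- actor.profileId
+- app
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dest_url
+- dvc
+- email
+- etag
+- event.name
+- event.parameters{}.name
+- event.parameters{}.value
+- event.type
+- eventtype
+- filter_action
+- host
+- id.applicationName
+- id.customerId
+- id.time
+- id.uniqueQualifier
+- index
+- internal_message_id
+- ipAddress
+- kind
+- linecount
+- message_id
+- object
+- object_attrs
+- object_category
+- object_id
+- object_path
+- owner
+- owner_email
+- protocol
+- punct
+- result
+- result_id
+- signature_extra
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_user
+- src_user_id
+- src_user_name
+- src_user_type
+- status
+- tag
+- tag::action
+- tag::app
+- tag::eventtype
+- tag::object_category
+- tenant_id
+- timeendpos
+- timestartpos
+- user
+- user_email
+- user_email_extracted
+- user_id
+- user_name
+- user_type
+- vendor_account
+- vendor_product
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _raw
+- _serial
+- _si
+- _sourcetype
+- _subsecond
 - _time
 example_log: |-
+"kind": "admin#reports#activity", "id": {"time": "2022-10-12T18:00:23.093Z", "uniqueQualifier": "-7844406841853338111", "applicationName": "admin", "customerId": "C046r85ir"}, "etag": "\"JCPRxFaiNR1s5TJ6ecIH8OpGdY4efiOYXbIB65itOzY/afZBU3WDeiuPqFyleWyTnwyU3fE\"", "actor": {"callerType": "USER", "email": "[email protected]", "profileId": "100059258581444193973"}, "ipAddress": "22.33.111.55", "event": {"type": "USER_SETTINGS", "name": "UNENROLL_USER_FROM_STRONG_AUTH", "parameters": [{"name": "USER_EMAIL", "value": "[email protected]"}]}}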
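Review bot: The example_log block scalar at new line 101 starts with `"kind":` but ends with `}}`, so as rendered the top-level object has no opening brace and the sample is not valid JSON; if the committed line reads the same, it should begin `{"kind": "admin#reports#activity", ...` so that anything loading example_log to check the fields list or replay the event parses it. The fields list also mixes event fields that appear in the sample (`actor.email`, `event.name`, `id.applicationName`, `ipAddress`) with Splunk index-time and search-time internals (`_bkt`, `_cd`, `_serial`, `_si`, `punct`, `linecount`, `splunk_server`, `date_*`) that the Google Workspace source itself does not emit; a comment above `- _bkt` such as `# Splunk-internal / index-time fields; not part of the Workspace event payload` — or dropping them — would keep the list usable as a statement of what the data source actually provides. The `[email protected]` values look like page-side redaction rather than file content, so they are not raised here.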

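--- a/detections/cloud/gcp_multi_factor_authentication_disabled.yml
+++ b/detections/cloud/gcp_multi_factor_authentication_disabled.yml
@@ -14,7 +14,7 @@ description: The following analytic detects an attempt to disable multi-factor a
 layers, potentially leading to unauthorized access, data exfiltration, or further
 exploitation of the compromised account.
 data_source:
-- Google Workspace
+- Google Workspace
 search: '`gws_reports_admin` command=UNENROLL_USER_FROM_STRONG_AUTH | stats count
 min(_time) as firstTime max(_time) as lastTime by user, command, actor.email, status,
 id.applicationName, event.name, vendor_account, action | `security_content_ctime(firstTime)`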
