2_ds_google_workspace.md

June 14, 2023 · View on GitHub

Use-Case	Event Types/Parsers	MITRE ATT&CK® TTP	Content
Compromised Credentials	app-activity ↳u-googlecalendar-app-activity ↳cef-google-app-activity-1 ↳cef-google-app-activity-2 ↳cef-google-app-activity-3 ↳cef-google-app-activity-6 ↳cef-google-app-login ↳cef-google-app-activity-4 ↳cef-google-app-activity-5 ↳cef-google-app-activity-7 app-login ↳cef-google-app-login-1 ↳u-google-auth-successful ↳u-google-app-login ↳cef-google-app-activity-3 ↳cef-google-app-activity-6 ↳cef-google-app-login failed-app-login ↳u-google-auth-failed ↳cef-google-app-login file-delete ↳cef-google-file-activity ↳u-googledrive-file-activity file-permission-change ↳u-googledrive-file-permission-change ↳cef-google-file-activity file-read ↳cef-google-file-activity ↳u-googledrive-file-activity file-write ↳cef-google-file-activity ↳u-googledrive-file-activity	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application	76 Rules 38 Models
Data Access	app-activity ↳u-googlecalendar-app-activity ↳cef-google-app-activity-1 ↳cef-google-app-activity-2 ↳cef-google-app-activity-3 ↳cef-google-app-activity-6 ↳cef-google-app-login ↳cef-google-app-activity-4 ↳cef-google-app-activity-5 ↳cef-google-app-activity-7 app-login ↳cef-google-app-login-1 ↳u-google-auth-successful ↳u-google-app-login ↳cef-google-app-activity-3 ↳cef-google-app-activity-6 ↳cef-google-app-login failed-app-login ↳u-google-auth-failed ↳cef-google-app-login file-delete ↳cef-google-file-activity ↳u-googledrive-file-activity file-permission-change ↳u-googledrive-file-permission-change ↳cef-google-file-activity file-read ↳cef-google-file-activity ↳u-googledrive-file-activity file-write ↳cef-google-file-activity ↳u-googledrive-file-activity	T1078 - Valid Accounts T1083 - File and Directory Discovery	44 Rules 24 Models
Data Leak	app-activity ↳u-googlecalendar-app-activity ↳cef-google-app-activity-1 ↳cef-google-app-activity-2 ↳cef-google-app-activity-3 ↳cef-google-app-activity-6 ↳cef-google-app-login ↳cef-google-app-activity-4 ↳cef-google-app-activity-5 ↳cef-google-app-activity-7 dlp-email-alert-out ↳cef-skyformation-gmail-out-1 ↳cef-skyformation-gmail-out dlp-email-alert-out-failed ↳cef-skyformation-gmail-out-1 ↳cef-skyformation-gmail-out file-write ↳cef-google-file-activity ↳u-googledrive-file-activity	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1114.001 - T1114.001 T1114.003 - Email Collection: Email Forwarding Rule	38 Rules 16 Models
Lateral Movement	app-activity ↳u-googlecalendar-app-activity ↳cef-google-app-activity-1 ↳cef-google-app-activity-2 ↳cef-google-app-activity-3 ↳cef-google-app-activity-6 ↳cef-google-app-login ↳cef-google-app-activity-4 ↳cef-google-app-activity-5 ↳cef-google-app-activity-7 app-login ↳cef-google-app-login-1 ↳u-google-auth-successful ↳u-google-app-login ↳cef-google-app-activity-3 ↳cef-google-app-activity-6 ↳cef-google-app-login failed-app-login ↳u-google-auth-failed ↳cef-google-app-login	T1078 - Valid Accounts T1090.003 - Proxy: Multi-hop Proxy	2 Rules
Malware	app-activity ↳u-googlecalendar-app-activity ↳cef-google-app-activity-1 ↳cef-google-app-activity-2 ↳cef-google-app-activity-3 ↳cef-google-app-activity-6 ↳cef-google-app-login ↳cef-google-app-activity-4 ↳cef-google-app-activity-5 ↳cef-google-app-activity-7 app-login ↳cef-google-app-login-1 ↳u-google-auth-successful ↳u-google-app-login ↳cef-google-app-activity-3 ↳cef-google-app-activity-6 ↳cef-google-app-login dlp-email-alert-in ↳cef-skyformation-gmail-in dlp-email-alert-out ↳cef-skyformation-gmail-out-1 ↳cef-skyformation-gmail-out file-write ↳cef-google-file-activity ↳u-googledrive-file-activity	T1003.002 - T1003.002 T1078 - Valid Accounts T1190 - Exploit Public Fasing Application T1505.003 - Server Software Component: Web Shell T1547.001 - T1547.001 TA0002 - TA0002	13 Rules 4 Models
Privilege Abuse	account-password-change ↳cef-google-password-update account-password-reset ↳cef-google-password-update app-activity ↳u-googlecalendar-app-activity ↳cef-google-app-activity-1 ↳cef-google-app-activity-2 ↳cef-google-app-activity-3 ↳cef-google-app-activity-6 ↳cef-google-app-login ↳cef-google-app-activity-4 ↳cef-google-app-activity-5 ↳cef-google-app-activity-7 app-login ↳cef-google-app-login-1 ↳u-google-auth-successful ↳u-google-app-login ↳cef-google-app-activity-3 ↳cef-google-app-activity-6 ↳cef-google-app-login dlp-email-alert-in ↳cef-skyformation-gmail-in dlp-email-alert-in-failed ↳cef-skyformation-gmail-in dlp-email-alert-out ↳cef-skyformation-gmail-out-1 ↳cef-skyformation-gmail-out dlp-email-alert-out-failed ↳cef-skyformation-gmail-out-1 ↳cef-skyformation-gmail-out failed-app-login ↳u-google-auth-failed ↳cef-google-app-login file-delete ↳cef-google-file-activity ↳u-googledrive-file-activity file-download ↳cef-google-file-activity ↳u-googledrive-file-activity file-permission-change ↳u-googledrive-file-permission-change ↳cef-google-file-activity file-read ↳cef-google-file-activity ↳u-googledrive-file-activity file-upload ↳cef-google-file-activity ↳u-googledrive-file-activity file-write ↳cef-google-file-activity ↳u-googledrive-file-activity	T1078 - Valid Accounts T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	8 Rules 2 Models
Privilege Escalation	app-activity ↳u-googlecalendar-app-activity ↳cef-google-app-activity-1 ↳cef-google-app-activity-2 ↳cef-google-app-activity-3 ↳cef-google-app-activity-6 ↳cef-google-app-login ↳cef-google-app-activity-4 ↳cef-google-app-activity-5 ↳cef-google-app-activity-7	T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	3 Rules 1 Models
Privileged Activity	app-activity ↳u-googlecalendar-app-activity ↳cef-google-app-activity-1 ↳cef-google-app-activity-2 ↳cef-google-app-activity-3 ↳cef-google-app-activity-6 ↳cef-google-app-login ↳cef-google-app-activity-4 ↳cef-google-app-activity-5 ↳cef-google-app-activity-7 app-login ↳cef-google-app-login-1 ↳u-google-auth-successful ↳u-google-app-login ↳cef-google-app-activity-3 ↳cef-google-app-activity-6 ↳cef-google-app-login dlp-email-alert-in ↳cef-skyformation-gmail-in dlp-email-alert-in-failed ↳cef-skyformation-gmail-in dlp-email-alert-out ↳cef-skyformation-gmail-out-1 ↳cef-skyformation-gmail-out dlp-email-alert-out-failed ↳cef-skyformation-gmail-out-1 ↳cef-skyformation-gmail-out failed-app-login ↳u-google-auth-failed ↳cef-google-app-login file-delete ↳cef-google-file-activity ↳u-googledrive-file-activity file-download ↳cef-google-file-activity ↳u-googledrive-file-activity file-permission-change ↳u-googledrive-file-permission-change ↳cef-google-file-activity file-read ↳cef-google-file-activity ↳u-googledrive-file-activity file-upload ↳cef-google-file-activity ↳u-googledrive-file-activity file-write ↳cef-google-file-activity ↳u-googledrive-file-activity	T1078 - Valid Accounts	3 Rules 1 Models
Ransomware	app-activity ↳u-googlecalendar-app-activity ↳cef-google-app-activity-1 ↳cef-google-app-activity-2 ↳cef-google-app-activity-3 ↳cef-google-app-activity-6 ↳cef-google-app-login ↳cef-google-app-activity-4 ↳cef-google-app-activity-5 ↳cef-google-app-activity-7 app-login ↳cef-google-app-login-1 ↳u-google-auth-successful ↳u-google-app-login ↳cef-google-app-activity-3 ↳cef-google-app-activity-6 ↳cef-google-app-login failed-app-login ↳u-google-auth-failed ↳cef-google-app-login file-write ↳cef-google-file-activity ↳u-googledrive-file-activity	T1078 - Valid Accounts T1486 - Data Encrypted for Impact	3 Rules