Detection rules › YARA-L
Google Workspace New Trusted Domain Added
Identifies when a domain is added to the list of trusted domains in Google Workspace. An adversary may attempt to manipulate sharing settings for trusted domains to gain unauthorized access to sensitive files and folders within an organization.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Stealth | T1562.007 Impair Defenses: Disable or Modify Cloud Firewall |
Event coverage
| Provider | Event | Title |
|---|---|---|
| GoogleWorkspace-admin | ADD_TRUSTED_DOMAINS | Add Trusted Domains |
Rules detecting the same action
Other rules on this platform that filter on the same API call or operation.
Rule body yaral
/*
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
rule google_workspace_new_trusted_domain_added {
meta:
author = "Google Cloud Security"
description = "Identifies when a domain is added to the list of trusted domains in Google Workspace. An adversary may attempt to manipulate sharing settings for trusted domains to gain unauthorized access to sensitive files and folders within an organization."
rule_id = "mr_319d97c3-6f63-4a6c-9fab-e70cc3f03aaf"
rule_name = "Google Workspace New Trusted Domain Added"
mitre_attack_tactic = "Defense Evasion"
mitre_attack_technique = "Impair Defenses: Disable or Modify Cloud Firewall"
mitre_attack_url = "https://attack.mitre.org/techniques/T1562/007/"
mitre_attack_version = "v13.1"
type = "Alert"
data_source = "Workspace Activity"
severity = "High"
priority = "High"
events:
$ws.metadata.vendor_name = "Google Workspace"
$ws.metadata.product_name = "admin"
$ws.metadata.product_event_type = "ADD_TRUSTED_DOMAINS"
outcome:
$risk_score = max(75)
$mitre_attack_tactic = "Defense Evasion"
$mitre_attack_technique = "Impair Defenses: Disable or Modify Cloud Firewall"
$mitre_attack_technique_id = "T1562.007"
$event_count = count_distinct($ws.metadata.id)
$principal_ip = array_distinct($ws.principal.ip)
$principal_country = array_distinct($ws.principal.ip_geo_artifact.location.country_or_region)
$principal_state = array_distinct($ws.principal.ip_geo_artifact.location.state)
$principal_user_emails = array_distinct($ws.principal.user.email_addresses)
$principal_user_id = array_distinct($ws.principal.user.userid)
$target_domain = $ws.target.domain.name
condition:
$ws
}
Detection logic
Fires when at least one $ws event.
Events
$ws
metadata.product_event_type = "ADD_TRUSTED_DOMAINS"
Outcome
Fields the detection emits on a match. $risk_score drives alerting; Chronicle surfaces the rest on the detection.
| Field | Expression |
|---|---|
risk_score | max(75) |
event_count | count_distinct($ws.metadata.id) |
principal_ip | array_distinct($ws.principal.ip) |
principal_country | array_distinct($ws.principal.ip_geo_artifact.location.country_or_region) |
principal_state | array_distinct($ws.principal.ip_geo_artifact.location.state) |
principal_user_emails | array_distinct($ws.principal.user.email_addresses) |
principal_user_id | array_distinct($ws.principal.user.userid) |
target_domain | $ws.target.domain.name |