
[New Rule] Google Workspace Resource Copied from External Drive #2627


@terrancedejesus terrancedejesus commented Mar 7, 2023

Issues

Summary

Detects when a user copies a Google spreadsheet, form, document or script from an external drive. An adversary may send
a phishing email to the victim with a Drive resource link where "copy" is included in the URI, thus copying the resource to
the victim's drive. If a container-bound script is attached to this resource, execution of the related code is done with the user's privileges via OAuth.

Google Workspace users typically share Drive resources with a shareable link where parameters are edited to indicate
when it is viewable or editable by the intended recipient. It is uncommon for a user in an organization to manually
copy a Drive object from an external drive to their corporate drive. This may happen where users find a useful
spreadsheet in a public drive, for example, and replicate it to their Drive.

Additional Information

  • google_workspace.drive.owner_is_team_drive == "false" and google_workspace.drive.copy_type == "external" was added to ensure this logic does not flag on internal resource copying, which could be quite noisy. FYI, when sharing a resource, typically a "share" link is created where edit or view is included in the URI. It is not common for copy to be in the URI unless manually created by the source.
  • google_workspace.drive.file.type: ("script", "form", "spreadsheet", "document"): this was added to ensure we scope this down to only resources in Google Workspace that can have container-bound scripts.
  • The query was made with EQL for future tuning where we can use document ID and create a sequence with Gmail logs if a user clicks on a link and then OAuth logs if permissions were granted, which increases efficacy for phishing. At the moment, this is a roadblock as the integration does not ingest OAuth or Gmail logs yet. Reference
Example Data
{
  "_index": ".ds-logs-google_workspace.drive-default-2023.02.20-000008",
  "_id": "v+hndSETObpuO0Fj6mJi1cN2th0=",
  "_score": 1,
  "fields": {
    "event.category": [
      "file"
    ],
    "elastic_agent.version": [
      "8.5.0"
    ],
    "google_workspace.drive.visibility": [
      "private"
    ],
    "source.user.email": [
      "user@dejesusarcheology.com"
    ],
    "cloud.availability_zone": [
      "us-east1-b"
    ],
    "source.user.name.text": [
      "user"
    ],
    "source.geo.region_name": [
      "International Waters"
    ],
    "google_workspace.drive.billable": [
      true
    ],
    "source.ip": [
      "2603:6010:ed00:b789:fd21:2bf0:7be1:d076"
    ],
    "agent.name": [
      "ubuntu-server-tdejesus"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "source.geo.region_iso_code": [
      "US-OH"
    ],
    "google_workspace.event.type": [
      "access"
    ],
    "event.kind": [
      "event"
    ],
    "google_workspace.drive.is_encrypted": [
      false
    ],
    "source.geo.city_name": [
      "Martins Ferry"
    ],
    "user.id": [
      "115903088752625509360"
    ],
    "google_workspace.drive.file.owner.email": [
      "user@dejesusarcheology.com"
    ],
    "input.type": [
      "httpjson"
    ],
    "data_stream.type": [
      "logs"
    ],
    "related.user": [
      "user"
    ],
    "tags": [
      "forwarded",
      "google-workspace-drive"
    ],
    "cloud.provider": [
      "gcp"
    ],
    "cloud.machine.type": [
      "e2-medium"
    ],
    "event.provider": [
      "drive"
    ],
    "google_workspace.drive.file.id": [
      "1HCNK0HeeLB_P4Ww_067OgmGdXndTDRHaZJD1qJCttX0"
    ],
    "cloud.service.name": [
      "GCE"
    ],
    "file.type": [
      "file"
    ],
    "agent.id": [
      "f4011165-a1b8-4d8e-b902-56ba8835cc28"
    ],
    "ecs.version": [
      "8.5.0"
    ],
    "event.created": [
      "2023-02-22T15:46:46.401Z"
    ],
    "organization.id": [
      "C00qtspd5"
    ],
    "file.owner": [
      "terrance"
    ],
    "agent.version": [
      "8.5.0"
    ],
    "google_workspace.drive.file.owner.is_shared_drive": [
      false
    ],
    "source.user.name": [
      "user"
    ],
    "google_workspace.drive.actor_is_collaborator_account": [
      false
    ],
    "source.as.number": [
      10796
    ],
    "google_workspace.drive.copy_type": [
      "external"
    ],
    "user.name": [
      "user"
    ],
    "source.geo.location": [
      {
        "coordinates": [
          -80.7747,
          40.0752
        ],
        "type": "Point"
      }
    ],
    "google_workspace.drive.primary_event": [
      true
    ],
    "cloud.instance.id": [
      "1709224677170316971"
    ],
    "agent.type": [
      "filebeat"
    ],
    "event.module": [
      "google_workspace"
    ],
    "related.ip": [
      "2603:6010:ed00:b789:fd21:2bf0:7be1:d076"
    ],
    "user.email": [
      "user@dejesusarcheology.com"
    ],
    "source.geo.country_iso_code": [
      "US"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "source.user.id": [
      "115903088752625509360"
    ],
    "user.domain": [
      "dejesusarcheology.com"
    ],
    "source.as.organization.name.text": [
      "TWC-10796-MIDWEST"
    ],
    "elastic_agent.id": [
      "f4011165-a1b8-4d8e-b902-56ba8835cc28"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "google_workspace.drive.owner_is_team_drive": [
      false
    ],
    "file.name": [
      "Copy of 2023 Taxes Template"
    ],
    "source.geo.continent_name": [
      "North America"
    ],
    "source.as.organization.name": [
      "TWC-10796-MIDWEST"
    ],
    "google_workspace.kind": [
      "admin#reports#activity"
    ],
    "event.ingested": [
      "2023-02-22T15:46:46Z"
    ],
    "event.action": [
      "copy"
    ],
    "@timestamp": [
      "2023-02-22T15:40:08.124Z"
    ],
    "cloud.account.id": [
      "elastic-security-dev"
    ],
    "google_workspace.drive.file.type": [
      "spreadsheet"
    ],
    "data_stream.dataset": [
      "google_workspace.drive"
    ],
    "source.user.domain": [
      "dejesusarcheology.com"
    ],
    "agent.ephemeral_id": [
      "41da8e24-c235-4d0f-87b8-760b1feffd7c"
    ],
    "source.geo.country_name": [
      "United States"
    ],
    "event.id": [
      "-1985698567073457394"
    ],
    "event.dataset": [
      "google_workspace.drive"
    ],
    "cloud.project.id": [
      "elastic-security-dev"
    ],
    "cloud.instance.name": [
      "ubuntu-server-tdejesus"
    ],
    "user.name.text": [
      "terrance"
    ]
  }
}
Screenshots: three screenshots attached (2023-03-07 at 2:27 PM, 2:38 PM and 2:40 PM)
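To make the rule's conditions concrete, here is an added Python replay of the logic described in the PR body over constructed Drive audit events; it is example code written for this page, not the rule's EQL or any code from the detection-rules project. The field names are the ones the PR body lists, the events mirror the Kibana export format above (each value wrapped in a single-element list), and the `as_bool` normalisation is an assumption: the sample document carries a JSON boolean `false` for `owner_is_team_drive` while the PR text compares it to the string `"false"`, so the replay accepts both.

```python
"""Replay of the 'Google Workspace Resource Copied from External Drive'
rule conditions over constructed events (example code, not the project's)."""

from typing import Any, Dict, Optional

# Drive file types that can carry a container-bound Apps Script (from the PR body).
SCRIPTABLE_TYPES = {"script", "form", "spreadsheet", "document"}


def as_bool(value: Any) -> Optional[bool]:
    """Normalise a flag that may arrive as a JSON boolean or as "true"/"false".
    Assumption: the rule text compares to the string "false" while the sample
    event carries a bare false, so both spellings are accepted. Unknown -> None."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        lowered = value.strip().lower()
        if lowered in ("true", "false"):
            return lowered == "true"
    return None


def field(event: Dict[str, Any], name: str) -> Any:
    """Read a dotted field from a Kibana-style 'fields' map, where every value
    is wrapped in a single-element list; a missing field yields None."""
    value = event.get(name)
    if isinstance(value, list) and len(value) == 1:
        return value[0]
    return value


def matches_rule(event: Dict[str, Any]) -> bool:
    """True only when every condition from the PR body holds: a Drive 'copy'
    event, external copy type, owner is not a shared (team) drive, and the file
    is a type that can hold a container-bound script. A missing flag never matches."""
    if field(event, "event.dataset") != "google_workspace.drive":
        return False
    if field(event, "event.action") != "copy":
        return False
    if field(event, "google_workspace.drive.copy_type") != "external":
        return False
    if as_bool(field(event, "google_workspace.drive.owner_is_team_drive")) is not False:
        return False
    return field(event, "google_workspace.drive.file.type") in SCRIPTABLE_TYPES


# Constructed base event, trimmed to the fields the rule reads and modelled on
# the sample document in the PR body (user e-mail is a placeholder).
BASE_EVENT: Dict[str, Any] = {
    "event.dataset": ["google_workspace.drive"],
    "event.action": ["copy"],
    "google_workspace.drive.copy_type": ["external"],
    "google_workspace.drive.owner_is_team_drive": [False],
    "google_workspace.drive.file.type": ["spreadsheet"],
    "file.name": ["Copy of 2023 Taxes Template"],
    "user.email": ["user@example.com"],
}


def make_event(overrides: Dict[str, Any], drop: Optional[str] = None) -> Dict[str, Any]:
    """Clone BASE_EVENT, override dotted fields (re-wrapping values in lists),
    and optionally remove one field to simulate an incomplete document."""
    event = dict(BASE_EVENT)
    for name, value in overrides.items():
        event[name] = [value]
    if drop is not None:
        event.pop(drop, None)
    return event


# Constructed scenarios: one true positive per accepted boolean spelling and
# one counter-example per rule condition.
SAMPLE_EVENTS: Dict[str, Dict[str, Any]] = {
    "external_copy_of_spreadsheet": make_event({}),
    "owner_flag_as_string": make_event({"google_workspace.drive.owner_is_team_drive": "false"}),
    "internal_copy": make_event({"google_workspace.drive.copy_type": "internal"}),
    "shared_drive_owner": make_event({"google_workspace.drive.owner_is_team_drive": True}),
    "pdf_cannot_hold_script": make_event({"google_workspace.drive.file.type": "pdf"}),
    "view_not_copy": make_event({"event.action": "view"}),
    "missing_owner_flag": make_event({}, drop="google_workspace.drive.owner_is_team_drive"),
}


def evaluate(events: Dict[str, Dict[str, Any]]) -> Dict[str, bool]:
    """Run the rule over a named set of events and report which would alert."""
    return {name: matches_rule(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{'ALERT' if hit else 'ok   '}  {name}")
```

Only the first two scenarios alert; the rest each fail exactly one of the PR's conditions, which is a useful check to keep beside the rule when the schema entry for `owner_is_team_drive` changes type.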

@@ -112,6 +112,9 @@
"logs-google_workspace*": {
"gsuite.admin": "keyword",
"gsuite.admin.new_value": "keyword",
"gsuite.admin.setting.name": "keyword"
"gsuite.admin.setting.name": "keyword",
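Review bot: The hunk header (-112,6 +112,9) says three lines were added, but the only change visible here is the trailing comma on `"gsuite.admin.setting.name": "keyword",`; the new `google_workspace.drive.*` entries the rule depends on (`copy_type`, `owner_is_team_drive`, `file.type`) are not shown, so their declared types cannot be reviewed from this hunk. When they are added, confirm the type chosen for `google_workspace.drive.owner_is_team_drive` agrees with the integration's mapping: the example document in the PR body carries a JSON boolean `false`, while the rule text compares the field to the string `"false"`, and a keyword/boolean disagreement between the non-ecs schema and the real mapping is the kind of thing the schema check exists to catch.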
Contributor


Are these fields new for a yet to be released integration version (or beats 8.8)? Why do they need to be added here

Contributor


the example data is from 8.5. Do we just need to refresh the integrations and update beats?

Contributor Author


I believe these were added when we did the integration validation PR. The GSuite integration was renamed to Google Workspace after 7.16. Therefore the rules in 7.16 failed unit tests as there is no gsuite integration to validate against nor is it available in EPR because of the rename. As a result, we needed to add this to the non-ecs file and let it backport to pass validation. @Mikaayenson is this correct?

Example: https://github.com/elastic/detection-rules/blob/7.16/rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml

Contributor Author

@terrancedejesus terrancedejesus Mar 8, 2023


By the way, only the google_workspace* fields were added for this PR. They were not passing schema checks related to the query being EQL. I will have to dig deeper into this.

(Screenshot attached: 2023-03-07 at 9:12 PM)

Contributor Author

@terrancedejesus terrancedejesus Mar 8, 2023


(Screenshot attached: 2023-03-07 at 9:20 PM)

@brokensound77 So it looks like it HAS to be an ECS or Beats schema field, if not validation will fail because our logic is "valid ECS/Beats AND valid integration". If it were an OR, it would not find it in ECS/Beats but find it in the integrations schema next, therefore it had to be added to non-ecs file.

Contributor

@DefSecSentinel DefSecSentinel left a comment


LGTM!

Contributor

@imays11 imays11 left a comment


Really cool rule and research

@terrancedejesus terrancedejesus merged commit 7be5788 into main Mar 20, 2023
@terrancedejesus terrancedejesus deleted the new-rule-google-workspace-drive-object-copied-from-external-source branch March 20, 2023 18:38
protectionsmachine pushed a commit that referenced this pull request Mar 20, 2023
* added new rule 'Google Workspace Resource Copied from External Drive'

* adjusted mitre att&ck subtechnique ID

(cherry picked from commit 7be5788)