Google Workspace/Google Suite integration
| Wazuh version | Component | Action type |
|---|---|---|
| - | Rules/Decoders | Improve |
Description
We should add support for Google Workspace (formerly Google Suite) logs.
Service
Offer official rules to manage Google Workspace log information.
Improvements
Current results
No Google Workspace rules or decoders.
Expected results
To be able to retrieve and analyze Google Workspace logs, raising alerts whenever it's needed.
Resources
Log source
Logs come from different sources, namely Workspace Enterprise Groups, Workspace Login Audit and Workspace Admin Activities (doc).
Log reference
Log examples
Example of an AuditLog object held in the protoPayload field of the log entry (see log format) (source).
```
{
  "serviceName": string,
  "methodName": string,
  "resourceName": string,
  "numResponseItems": string,
  "status": {
    object (Status)
  },
  "authenticationInfo": {
    object (AuthenticationInfo)
  },
  "authorizationInfo": [
    {
      object (AuthorizationInfo)
    }
  ],
  "requestMetadata": {
    object (RequestMetadata)
  },
  "request": {
    object
  },
  "response": {
    object
  },
  "metadata": {
    object
  },
  "serviceData": {
    "@type": string,
    field1: ...,
    ...
  }
}
```
I think that @dariommr could help identify which events related to Google Workspace/Google Suite we can get using the existing GCP integration.
Hi team,
Any news on that? Google Workspace's audit, security and other types of logs are very relevant for an organization.
Thanks in advance!
We'd also be interested in this. Seems surprising that Google Workspace support doesn't come out of the box with Wazuh.
We'd also be interested in this.
This should be similar to Office 365 integration. The aim should be to gather information related to:
- User audit logs.
- Group audit logs.
- App audit logs.
- Gmail audit logs.
- Google drive audit logs.
- Others...
Very very interested in seeing this move forward. I've got multiple clients who would benefit from Google Workspace audit log SIEM visibility.
We'd also be interested in this. Do you have any ETA for the same?
If anyone creates the decoder, please share it with me.
Thank you
Interested as well! Thanks
Interested in this feature!
> I think that @dariommr could help identify which events related to Google Workspace/Google Suite we can get using the existing GCP integration.
I've just set up the GCP integration, and I've shared the audit logs from Google Workspace with GCP. I've also created a sink using the gcloud console in the organisational context in order to gain access to the logs from workspace (apparently this is not possible from the web interface) to my pub/sub subscriber. I can see admin audit logs and login audit logs like the following in Wazuh:
- google.login.LoginService.2svEnroll
- google.login.LoginService.passwordEdit
- google.login.LoginService.loginVerification
- google.login.LoginService.loginSuccess
- google.login.LoginService.loginChallenge
- google.login.LoginService.riskySensitiveActionAllowed
- google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership
- google.admin.AdminService.securityInvestigationQuery
- google.admin.AdminService.alertCenterView
- google.admin.AdminService.alertCenterListChange
- google.admin.AdminService.alertCenterListRelatedAlerts
- google.admin.AdminService.alertCenterListFeedback
This is probably not an exhaustive list since I've just enabled the extension, and Google probably lists all the events that it provides in its documentation. I think these (at least on the Business Starter plan) are pretty much all the logs I can get. It doesn't appear that Google Workspace allows forwarding audit logs for apps like Drive, Chat etc. to GCP. The link above specifies exactly which types of logs can be forwarded. Are there other ways of accessing these audit logs that Wazuh could create an integration for?
The admin and login audit events are still pretty useful. The dashboard needs a serious update to make use of the data, however. This shouldn't be a big task, but I'm not sure how much help I am, being mostly a Grafana user. I'll take a look. The current event columns are also not very useful for me for viewing the Workspace events.
I don't see any work done on rules for the admin/login events, so I'll probably start writing my own. The events show up, but I'd probably want descriptions and different alert levels.
How can I implement this integration please?
I would just like to inform you that I now have access to a Google Workspace Business Standard licence (upgraded from the previous tier), and I've already created my own rules to match all events of interest (to me). Tell me if this is of interest.
@misje Those would be of interest to me. Please share.
Please share. I want it.
Hello, also please share with me
@misje could you share them with me as well?
Can you share with me please?
@misje: Please share with me.
@misje could you share your Google workspace integration with me as well?
Looking forward to this! @misje could you share Google Workspace integration with me? :)
@misje could you share Google Workspace integration with me? :)
@misje can you share your steps on how to integrate, please? Thanks.
all the love
@misje
As a fellow user of Google Workspace, I have recently had the opportunity to implement Wazuh into our organization and I must say it has been quite beneficial so far. I am also looking for integration of Google Workspace in Wazuh with your assistance.
I've also ended up writing rules myself. It's not that difficult. Would anybody be willing to pay for them?
@Nexus2k
Some of us may well be interested. Share out a list of your custom Google Workspace Wazuh rule descriptions to demonstrate the scope of your work, and you may well get some offers.
Thanks, Kevin
Sorry for the delay, I've been focusing on other priorities.
Here are examples of rules for some of the many Google Workspace audit events available through cloud audit logs. I have only bothered to write rules for some of those I've actually seen in my system, and I haven't got around to adding fields like mitre, gdpr, nist etc. Hardly any rule levels have been tuned to something other than 3. Also note that the rule IDs are outside of the range recommended by Wazuh, but they also do not conflict with any existing IDs.
There is much work to be done, and the rules would be far more useful if Wazuh supported accessing nested JSON data. I believe this feature is blocked by a rewrite of the rule engine?
If anyone is interested in a collective effort on working on these rules, I'll probably be interested in continuing working on them!
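The two comments above (the list of login/admin `methodName` values that arrive through the GCP Pub/Sub path, and the note that rules need descriptions, levels and access to nested JSON) can be illustrated with a small triage pass over the raw audit entries. This is an added example, not code from the Wazuh project or from anyone in this thread: it flattens an AuditLog entry (the `protoPayload` schema quoted in the issue) into dot-separated keys and assigns a description and level to the `methodName` values listed above. The sample entries, the level table and the field paths it reads (`protoPayload.authenticationInfo.principalEmail`, `protoPayload.requestMetadata.callerIp`) are constructed from the schema for illustration; the levels are this example's choices, not a Wazuh standard.

```python
"""Triage of Google Workspace audit log entries delivered via GCP Pub/Sub.

Added example (not Wazuh project code). Sample entries and level table are
constructed; field paths follow the AuditLog schema quoted in the issue.
"""
import json
from typing import Any, Dict, Iterable, List

# Constructed Pub/Sub message payloads shaped like Cloud Audit Log entries.
# The organization id and e-mail addresses are placeholders.
SAMPLE_ENTRIES: List[str] = [
    json.dumps({
        "logName": "organizations/000000000000/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "serviceName": "login.googleapis.com",
            "methodName": "google.login.LoginService.loginSuccess",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.10"},
        },
    }),
    json.dumps({
        "logName": "organizations/000000000000/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "serviceName": "login.googleapis.com",
            "methodName": "google.login.LoginService.riskySensitiveActionAllowed",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "requestMetadata": {"callerIp": "198.51.100.7"},
        },
    }),
    json.dumps({
        "logName": "organizations/000000000000/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "serviceName": "admin.googleapis.com",
            "methodName": "google.admin.AdminService.alertCenterListFeedback",
            "authenticationInfo": {"principalEmail": "admin@example.com"},
        },
    }),
]

# Hypothetical mapping methodName -> (level, description), covering a subset of
# the events listed in the thread. Levels use Wazuh's 0-15 scale but the
# numbers here are illustrative choices.
METHOD_LEVELS: Dict[str, tuple] = {
    "google.login.LoginService.loginSuccess": (3, "Workspace login succeeded"),
    "google.login.LoginService.loginChallenge": (5, "Workspace login challenge issued"),
    "google.login.LoginService.loginVerification": (3, "Workspace login verification"),
    "google.login.LoginService.2svEnroll": (3, "User enrolled in 2-step verification"),
    "google.login.LoginService.passwordEdit": (5, "Workspace user password changed"),
    "google.login.LoginService.riskySensitiveActionAllowed": (8, "Risky sensitive action allowed"),
    "google.apps.cloudidentity.groups.v1.MembershipsService.UpdateMembership": (6, "Group membership updated"),
    "google.admin.AdminService.securityInvestigationQuery": (5, "Security investigation query run"),
}


def flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Flatten nested dicts/lists into dot-separated keys (lists get indexes)."""
    out: Dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}{idx}."))
    else:
        out[prefix[:-1]] = obj
    return out


def triage(raw: str) -> Dict[str, Any]:
    """Classify one raw JSON entry: level, description and the key fields."""
    flat = flatten(json.loads(raw))
    method = flat.get("protoPayload.methodName", "")
    level, desc = METHOD_LEVELS.get(method, (3, f"Unclassified Workspace event {method}"))
    return {
        "level": level,
        "description": desc,
        "method": method,
        "principal": flat.get("protoPayload.authenticationInfo.principalEmail"),
        "caller_ip": flat.get("protoPayload.requestMetadata.callerIp"),
        "log_name": flat.get("logName"),
    }


def triage_all(raws: Iterable[str]) -> List[Dict[str, Any]]:
    """Triage every entry; unknown methodName values fall back to level 3."""
    return [triage(raw) for raw in raws]


if __name__ == "__main__":
    for alert in triage_all(SAMPLE_ENTRIES):
        print(json.dumps(alert))
```

The flattening step is the point worth noting: once every nested path is a single dotted key, matching on `protoPayload.methodName` or the caller IP is a plain field comparison, and the same table of method names and levels translates directly into per-event rules with their own descriptions.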
Hi @misje, does the integration work on the starter plan, or is the standard plan required? Is it possible to track SSO with a Google account? Do you think it is feasible to add DLP rules inside for mail content?
@misje I left a comment adding a MITRE Attack technique to them :) thanks for creating the rules
We're testing out Wazuh and a Google Workspace integration is one of the main things we would need, is there any update on when this may happen? GWS is one of the most used apps for business now so it's kinda weird that this isn't prioritized more.
> Hi @misje, does the integration work on the starter plan, or is the standard plan required? Is it possible to track SSO with a Google account? Do you think it is feasible to add DLP rules inside for mail content?
I'm sorry it took so long for me to get back to you. It appears that Business Standard doesn't give you any additional audit events (through GCP pub/sub) compared to Business Starter. There may be additional auditing features, but none will reach Wazuh, unfortunately. This all means that the lower-tier Google Workspace "Business Starter" works just as well as the next tier in terms of Wazuh/GCP logging.
For specific auditing needs, please check my link on what's available, and add missing rules.