From b49e704d4f7c0cc6120cf3779cf86fae45b0d0a3 Mon Sep 17 00:00:00 2001
From: akozlovets098
Date: Mon, 11 Dec 2023 15:31:04 +0200
Subject: [PATCH] Add references to rules (gsuite_activityevent_rules)
---
 .../google_workspace_admin_custom_role.yml | 1 +
 .../google_workspace_advanced_protection_program.yml | 1 +
 .../google_workspace_apps_marketplace_allowlist.yml | 1 +
 .../google_workspace_apps_marketplace_new_domain_application.yml | 1 +
 .../google_workspace_apps_new_mobile_app_installed.yml | 1 +
 .../gsuite_drive_many_docs_deleted.yml | 1 +
 .../gsuite_drive_many_docs_downloaded.yml | 1 +
 7 files changed, 7 insertions(+)
diff --git a/rules/gsuite_activityevent_rules/google_workspace_admin_custom_role.yml b/rules/gsuite_activityevent_rules/google_workspace_admin_custom_role.yml
index 8c42da68f..4e4c025ca 100644
--- a/rules/gsuite_activityevent_rules/google_workspace_admin_custom_role.yml
+++ b/rules/gsuite_activityevent_rules/google_workspace_admin_custom_role.yml
@@ -4,6 +4,7 @@ DisplayName: "Google Workspace Admin Custom Role"
 Enabled: true
 Filename: google_workspace_admin_custom_role.py
 Runbook: Please review this activity with the administrator and ensure this behavior was authorized.
+Reference: https://support.google.com/a/answer/2406043?hl=en#:~:text=under%20the%20limit.-,Create%20a%20custom%20role,-Before%20you%20begin
 Severity: Medium
 Tags:
 - admin
diff --git a/rules/gsuite_activityevent_rules/google_workspace_advanced_protection_program.yml b/rules/gsuite_activityevent_rules/google_workspace_advanced_protection_program.yml
index 08d698e7c..dc439e1a2 100644
--- a/rules/gsuite_activityevent_rules/google_workspace_advanced_protection_program.yml
+++ b/rules/gsuite_activityevent_rules/google_workspace_advanced_protection_program.yml
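Review bot: The `Reference:` added to google_workspace_admin_custom_role.yml ends in a scroll-to-text fragment (`#:~:text=under%20the%20limit.-,Create%20a%20custom%20role,-Before%20you%20begin`), which only resolves while the help page keeps that exact wording and is ignored by clients without text-fragment support. The `Reference:` added to gsuite_drive_many_docs_deleted.yml has the same problem. I would link the article itself, `Reference: https://support.google.com/a/answer/2406043`, so the pointer an analyst follows during triage stays stable. The unquoted value also contains `#`, which parses as part of the scalar only because no whitespace precedes it; quoting the URL would protect it against later edits.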
@@ -4,6 +4,7 @@ DisplayName: "Google Workspace Advanced Protection Program"
 Enabled: true
 Filename: google_workspace_advanced_protection_program.py
 Runbook: Confirm the changes made were authorized for your organization.
+Reference: https://support.google.com/a/answer/9378686?hl=en
 Severity: Medium
 Tests:
 - ExpectedResult: false
diff --git a/rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_allowlist.yml b/rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_allowlist.yml
index 26e457e86..1c5f04a36 100644
--- a/rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_allowlist.yml
+++ b/rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_allowlist.yml
@@ -4,6 +4,7 @@ DisplayName: "Google Workspace Apps Marketplace Allowlist"
 Enabled: true
 Filename: google_workspace_apps_marketplace_allowlist.py
 Runbook: Confirm with the acting user that this change was authorized.
+Reference: https://support.google.com/a/answer/6089179?hl=en
 Severity: Medium
 Tests:
 - ExpectedResult: false
diff --git a/rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_new_domain_application.yml b/rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_new_domain_application.yml
index e4a18a462..298f5e88e 100644
--- a/rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_new_domain_application.yml
+++ b/rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_new_domain_application.yml
@@ -4,6 +4,7 @@ DisplayName: "Google Workspace Apps Marketplace New Domain Application"
 Enabled: true
 Filename: google_workspace_apps_marketplace_new_domain_application.py
 Runbook: Confirm this was the intended behavior.
+Reference: https://developers.google.com/workspace/marketplace/overview
 Severity: Medium
 Tests:
 - ExpectedResult: false
diff --git a/rules/gsuite_activityevent_rules/google_workspace_apps_new_mobile_app_installed.yml b/rules/gsuite_activityevent_rules/google_workspace_apps_new_mobile_app_installed.yml
index fb6bf1356..52d9d4a9c 100644
--- a/rules/gsuite_activityevent_rules/google_workspace_apps_new_mobile_app_installed.yml
+++ b/rules/gsuite_activityevent_rules/google_workspace_apps_new_mobile_app_installed.yml
@@ -4,6 +4,7 @@ DisplayName: "Google Workspace Apps New Mobile App Installed"
 Enabled: true
 Filename: google_workspace_apps_new_mobile_app_installed.py
 Runbook: https://admin.google.com/ac/apps/unified
+Reference: https://support.google.com/a/answer/6089179?hl=en
 Severity: Medium
 Tests:
 - ExpectedResult: true
diff --git a/rules/gsuite_activityevent_rules/gsuite_drive_many_docs_deleted.yml b/rules/gsuite_activityevent_rules/gsuite_drive_many_docs_deleted.yml
index 1191c5b7a..252a796dc 100644
--- a/rules/gsuite_activityevent_rules/gsuite_drive_many_docs_deleted.yml
+++ b/rules/gsuite_activityevent_rules/gsuite_drive_many_docs_deleted.yml
@@ -3,6 +3,7 @@ Description: Scheduled rule for the GSuite Drive Many Documents Deleted query. L
 DisplayName: "GSuite Drive Many Documents Deleted"
 Enabled: true
 Filename: gsuite_drive_many_docs_deleted.py
+Reference: https://support.google.com/drive/answer/2375102?hl=en&co=GENIE.Platform%3DAndroid#:~:text=To%20delete%20your%20Google%20Drive,them%20to%20empty%20your%20trash.
 Severity: Medium
 Tests:
 - ExpectedResult: true
diff --git a/rules/gsuite_activityevent_rules/gsuite_drive_many_docs_downloaded.yml b/rules/gsuite_activityevent_rules/gsuite_drive_many_docs_downloaded.yml
index a3038e507..225a14576 100644
--- a/rules/gsuite_activityevent_rules/gsuite_drive_many_docs_downloaded.yml
+++ b/rules/gsuite_activityevent_rules/gsuite_drive_many_docs_downloaded.yml
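Review bot: The `Reference:` added to google_workspace_apps_new_mobile_app_installed.yml is the same URL (`https://support.google.com/a/answer/6089179?hl=en`) that this patch gives the Marketplace allowlist rule, so at least one of the two probably does not describe the event its rule fires on. For a rule about a newly installed mobile app, the reference should cover mobile app management or the corresponding admin audit event. Please check the link against the rule logic in google_workspace_apps_new_mobile_app_installed.py, which is not part of this patch.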
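Review bot: The `Reference:` added to gsuite_drive_many_docs_deleted.yml appears to be end-user help for deleting files on Android (`co=GENIE.Platform%3DAndroid`), which explains how deletion works but does not help an analyst decide whether a burst of deletions is destructive activity. The `Reference:` in gsuite_drive_many_docs_downloaded.yml is likewise an end-user page scoped to Desktop. Neither hunk shows a `Runbook:` between `Filename:` and `Severity:`, so unless one exists elsewhere in these files the reference is the only triage pointer. I would link documentation for the Drive audit log events that the scheduled queries read, and drop the `co=` platform parameter.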
@@ -3,6 +3,7 @@ Description: Scheduled rule for the High Google Drive Download Count query which
 DisplayName: "Google Drive High Download Count"
 Enabled: true
 Filename: gsuite_drive_many_docs_downloaded.py
+Reference: https://support.google.com/drive/answer/2423534?hl=en&co=GENIE.Platform%3DDesktop
 Severity: Medium
 Tests:
 - ExpectedResult: true