Add references to rules (gsuite_activityevent_rules)

panther-labs · Dec 12, 2023 · fa80bcb · fa80bcb
1 parent bfcf240
commit fa80bcb
Show file tree

Hide file tree

Showing 7 changed files with 7 additions and 0 deletions.
diff --git a/rules/gsuite_activityevent_rules/google_workspace_admin_custom_role.yml b/rules/gsuite_activityevent_rules/google_workspace_admin_custom_role.yml
@@ -4,6 +4,7 @@ DisplayName: "Google Workspace Admin Custom Role"
 Enabled: true
 Filename: google_workspace_admin_custom_role.py
 Runbook: Please review this activity with the administrator and ensure this behavior was authorized.
+Reference: https://support.google.com/a/answer/2406043?hl=en#:~:text=under%20the%20limit.-,Create%20a%20custom%20role,-Before%20you%20begin
 Severity: Medium
 Tags:
     - admin

diff --git a/rules/gsuite_activityevent_rules/google_workspace_advanced_protection_program.yml b/rules/gsuite_activityevent_rules/google_workspace_advanced_protection_program.yml
@@ -4,6 +4,7 @@ DisplayName: "Google Workspace Advanced Protection Program"
 Enabled: true
 Filename: google_workspace_advanced_protection_program.py
 Runbook: Confirm the changes made were authorized for your organization.
+Reference: https://support.google.com/a/answer/9378686?hl=en
 Severity: Medium
 Tests:
     - ExpectedResult: false

diff --git a/rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_allowlist.yml b/rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_allowlist.yml
@@ -4,6 +4,7 @@ DisplayName: "Google Workspace Apps Marketplace Allowlist"
 Enabled: true
 Filename: google_workspace_apps_marketplace_allowlist.py
 Runbook: Confirm with the acting user that this change was authorized.
+Reference: https://support.google.com/a/answer/6089179?hl=en
 Severity: Medium
 Tests:
     - ExpectedResult: false

diff --git a/...s/gsuite_activityevent_rules/google_workspace_apps_marketplace_new_domain_application.yml b/...s/gsuite_activityevent_rules/google_workspace_apps_marketplace_new_domain_application.yml
@@ -4,6 +4,7 @@ DisplayName: "Google Workspace Apps Marketplace New Domain Application"
 Enabled: true
 Filename: google_workspace_apps_marketplace_new_domain_application.py
 Runbook: Confirm this was the intended behavior.
+Reference: https://developers.google.com/workspace/marketplace/overview
 Severity: Medium
 Tests:
     - ExpectedResult: false

diff --git a/rules/gsuite_activityevent_rules/google_workspace_apps_new_mobile_app_installed.yml b/rules/gsuite_activityevent_rules/google_workspace_apps_new_mobile_app_installed.yml
@@ -4,6 +4,7 @@ DisplayName: "Google Workspace Apps New Mobile App Installed"
 Enabled: true
 Filename: google_workspace_apps_new_mobile_app_installed.py
 Runbook: https://admin.google.com/ac/apps/unified
+Reference: https://support.google.com/a/answer/6089179?hl=en
 Severity: Medium
 Tests:
     - ExpectedResult: true

diff --git a/rules/gsuite_activityevent_rules/gsuite_drive_many_docs_deleted.yml b/rules/gsuite_activityevent_rules/gsuite_drive_many_docs_deleted.yml
@@ -3,6 +3,7 @@ Description: Scheduled rule for the GSuite Drive Many Documents Deleted query. L
 DisplayName: "GSuite Drive Many Documents Deleted"
 Enabled: true
 Filename: gsuite_drive_many_docs_deleted.py
+Reference: https://support.google.com/drive/answer/2375102?hl=en&co=GENIE.Platform%3DAndroid#:~:text=To%20delete%20your%20Google%20Drive,them%20to%20empty%20your%20trash.
 Severity: Medium
 Tests:
     - ExpectedResult: true

diff --git a/rules/gsuite_activityevent_rules/gsuite_drive_many_docs_downloaded.yml b/rules/gsuite_activityevent_rules/gsuite_drive_many_docs_downloaded.yml
@@ -3,6 +3,7 @@ Description: Scheduled rule for the High Google Drive Download Count query which
 DisplayName: "Google Drive High Download Count"
 Enabled: true
 Filename: gsuite_drive_many_docs_downloaded.py
+Reference: https://support.google.com/drive/answer/2423534?hl=en&co=GENIE.Platform%3DDesktop
 Severity: Medium
 Tests:
     - ExpectedResult: true