Google chrome pack (demisto#27619)

* Create pack for google chrome. * New pack for GoogleChrome * Remove author image. * modify googlechrome modeling rule * Adding parsing rule * Added fields to schema * Added readme content * Creating dashboard for google chrome pack, and modifying the schema file * Added correlation rules * Fix correlation rules and fix product in parsing rule. * Added correlation rule. * Updated yml file of parsing rule * Updated dashboard file. * Add from version to dashboard. * Changed rule xif * Changed the from version for modeling and parsing yml * Added fromversion: 6.10.0 to the correlation rules and fixed the naming convention of the rules files * Modified the parsing rules. * Add tags to readme file. * Updated the version of the yml file of the rules, the version of the correlation rules and the version of the dashboard * Updated the version of the yml file of the rules, the version of the correlation rules and the version of the dashboard * updated google chrome dashboard * Update Packs/GoogleChrome/CorrelationRules/GoogleChrome_-_Chrome_Extension_Install_Event.yml Co-authored-by: ShirleyDenkberg <[email protected]> * Update Packs/GoogleChrome/CorrelationRules/GoogleChrome_-_Chrome_Extension_Install_Event.yml Co-authored-by: ShirleyDenkberg <[email protected]> * updated google chrome dashboard and reademe. * Modified the correlation rules. * Added fromversion: 8.4.0 to correlation rules * Fixed issue with parsing rule. --------- Co-authored-by: ShirleyDenkberg <[email protected]>
VirusTotal · Nov 9, 2023 · 95eb285 · 95eb285
1 parent f0d52dd
commit 95eb285
Show file tree

Hide file tree

Showing 15 changed files with 1,777 additions and 0 deletions.
diff --git a/Packs/GoogleChrome/.pack-ignore b/Packs/GoogleChrome/.pack-ignore
diff --git a/Packs/GoogleChrome/.secrets-ignore b/Packs/GoogleChrome/.secrets-ignore
diff --git a/Packs/GoogleChrome/CorrelationRules/GoogleChrome_-_Chrome_Extension_Install_Event.yml b/Packs/GoogleChrome/CorrelationRules/GoogleChrome_-_Chrome_Extension_Install_Event.yml
@@ -0,0 +1,38 @@
+alert_category: PERSISTENCE
+alert_description: The extension $xdm.target.resource.name was installed on $xdm.source.host.hostname
+  by $xdm.intermediate.user.username
+alert_fields:
+  actor_effective_username: xdm.source.user.username
+  agent_hostname: xdm.source.host.hostname
+  user_agent: xdm.source.user_agent
+alert_name: Chrome - Chrome Extension Install Event
+crontab: null
+dataset: alerts
+description: This rule alerts on any installation of a browser extension
+drilldown_query_timeframe: ALERT
+execution_mode: REAL_TIME
+global_rule_id: 6530cad5-856d-4d38-b305-63b9567d4c48
+investigation_query_link: "datamodel \n| filter xdm.observer.vendor = \"Google\"\
+  \ and xdm.observer.product = \"Workspace Chrome\"\n| filter xdm.event.type in\
+  \ (\"BROWSER_EXTENSION_INSTALL\")\n| filter xdm.intermediate.user.username = $xdm.intermediate.user.username\
+  \ and xdm.source.host.hostname = $xdm.source.host.hostname and xdm.target.resource.name\
+  \ = $xdm.target.resource.name"
+mapping_strategy: CUSTOM
+mitre_defs:
+  TA0003 - Persistence:
+  - T1176 - Browser Extensions
+name: Chrome - Chrome Extension Install Event
+search_window: null
+severity: SEV_020_LOW
+suppression_duration: 1 hours
+suppression_enabled: true
+suppression_fields: xdm.intermediate.user.username|xdm.target.resource.name|xdm.source.host.hostname|xdm.source.user.username
+user_defined_category: null
+user_defined_severity: null
+xql_query: "datamodel \n| filter xdm.observer.vendor = \"Google\" and xdm.observer.product\
+  \ = \"Workspace Chrome\"\n| filter xdm.event.type in (\"BROWSER_EXTENSION_INSTALL\"\
+  )\n| fields xdm.event.type, xdm.observer.action, xdm.event.description, xdm.event.outcome_reason,\
+  \ xdm.source.user.username, xdm.intermediate.user.username, xdm.source.host.hostname,\
+  \ xdm.source.host.os, xdm.source.host.os_family, xdm.network.http.browser, xdm.source.user_agent,\
+  \ xdm.target.resource.name, xdm.target.resource.id"
+fromversion: 8.4.0
diff --git a/Packs/GoogleChrome/CorrelationRules/GoogleChrome_-_Known_Malicious_Site_Visit.yml b/Packs/GoogleChrome/CorrelationRules/GoogleChrome_-_Known_Malicious_Site_Visit.yml
@@ -0,0 +1,41 @@
+alert_category: EXECUTION
+alert_description: Unsafe site $xdm.network.http.url was visited by $xdm.source.user.username
+  via chrome profile $xdm.intermediate.user.username.
+alert_fields:
+  action_file_name: xdm.target.resource.name
+  actor_effective_username: xdm.source.user.username
+  agent_hostname: xdm.source.host.hostname
+  fw_url_domain: xdm.network.http.url
+  hostriskreasons: xdm.event.outcome_reason
+  user_agent: xdm.source.user_agent
+alert_name: Chrome - Known Malicious Site Visit
+crontab: null
+dataset: alerts
+description: This rule alerts on events related to bad navigation, that resulted
+  in bypass action.
+drilldown_query_timeframe: ALERT
+execution_mode: REAL_TIME
+global_rule_id: 5fa4d7d2-3b4c-4876-bc0f-b170fa49afe6
+investigation_query_link: "datamodel \n| filter xdm.observer.vendor = \"Google\"\
+  \ and xdm.observer.product = \"Workspace Chrome\"\n| filter xdm.event.type in\
+  \ (\"UNSAFE_SITE_VISIT\") and xdm.observer.action = \"BYPASSED\"\n| filter xdm.source.user.username\
+  \ = $xdm.source.user.username and xdm.intermediate.user.username = $xdm.intermediate.user.username\
+  \ and xdm.network.http.url = $xdm.network.http.url and xdm.source.host.hostname\
+  \ = $xdm.source.host.hostname"
+mapping_strategy: CUSTOM
+mitre_defs: {}
+name: Chrome - Known Malicious Site Visit
+search_window: null
+severity: SEV_030_MEDIUM
+suppression_duration: 1 hours
+suppression_enabled: true
+suppression_fields: xdm.network.http.url|xdm.source.host.hostname|xdm.source.user.username|xdm.intermediate.user.username
+user_defined_category: null
+user_defined_severity: null
+xql_query: "datamodel \n| filter xdm.observer.vendor = \"Google\" and xdm.observer.product\
+  \ = \"Workspace Chrome\"\n| filter xdm.event.type in (\"UNSAFE_SITE_VISIT\") and\
+  \ xdm.observer.action = \"BYPASSED\"\n| fields xdm.event.type, xdm.event.description,\
+  \ xdm.observer.action, xdm.event.outcome_reason, xdm.source.user.username, xdm.intermediate.user.username,\
+  \ xdm.source.host.hostname, xdm.source.host.os, xdm.source.host.os_family, xdm.network.http.browser,\
+  \ xdm.network.http.url, xdm.source.user_agent, xdm.target.resource.name, xdm.target.resource.id"
+fromversion: 8.4.0
diff --git a/Packs/GoogleChrome/CorrelationRules/GoogleChrome_-_Known_Malware_Downloaded.yml b/Packs/GoogleChrome/CorrelationRules/GoogleChrome_-_Known_Malware_Downloaded.yml
@@ -0,0 +1,41 @@
+alert_category: EXECUTION
+alert_description: User $xdm.source.user.username downloaded the file $xdm.target.file.filename
+  via chrome profile $$xdm.intermediate.user.username on $xdm.source.host.hostname.
+alert_fields:
+  action_file_name: xdm.target.file.filename
+  actor_effective_username: xdm.source.user.username
+  agent_hostname: xdm.source.host.hostname
+  fw_url_domain: xdm.network.http.url
+  user_agent: xdm.source.user_agent
+alert_name: Chrome - Known Malware Downloaded
+crontab: null
+dataset: alerts
+description: This rule alerts on dangerous file download.
+drilldown_query_timeframe: ALERT
+execution_mode: REAL_TIME
+global_rule_id: 8c9024e2-3d25-471a-a7de-938335c1a38d
+investigation_query_link: "datamodel \n| filter xdm.observer.vendor = \"Google\"\
+  \ and xdm.observer.product = \"Workspace Chrome\"\n| filter xdm.event.type = \"\
+  MALWARE_TRANSFER\" and xdm.observer.action = \"BYPASSED\"\n| filter xdm.source.user.username\
+  \ = $xdm.source.user.username and xdm.source.host.hostname = $xdm.source.host.hostname\
+  \ and xdm.intermediate.user.username = $xdm.intermediate.user.username and xdm.target.file.filename\
+  \ = $xdm.target.file.filename"
+mapping_strategy: CUSTOM
+mitre_defs:
+  TA0002 - Execution:
+  - 'T1204.002 - User Execution: Malicious File'
+name: Chrome - Known Malware Downloaded
+search_window: null
+severity: SEV_030_MEDIUM
+suppression_duration: 1 hours
+suppression_enabled: true
+suppression_fields: xdm.target.file.filename|xdm.source.user.username|xdm.source.host.hostname|xdm.intermediate.user.username
+user_defined_category: null
+user_defined_severity: null
+xql_query: "datamodel \n| filter xdm.observer.vendor = \"Google\" and xdm.observer.product\
+  \ = \"Workspace Chrome\"\n| filter xdm.event.type = \"MALWARE_TRANSFER\" and xdm.observer.action\
+  \ = \"BYPASSED\"\n| fields xdm.event.type, xdm.event.description, xdm.observer.action,\
+  \ xdm.event.outcome_reason, xdm.source.user.username, xdm.intermediate.user.username,\
+  \ xdm.source.host.hostname, xdm.source.host.os, xdm.source.host.os_family, xdm.network.http.browser,\
+  \ xdm.network.http.url, xdm.source.user_agent, xdm.target.file.filename, xdm.target.file.size"
+fromversion: 8.4.0
diff --git a/...eChrome/CorrelationRules/GoogleChrome_-_User_Phished_or_Password_Re-useorBreach_event.yml b/...eChrome/CorrelationRules/GoogleChrome_-_User_Phished_or_Password_Re-useorBreach_event.yml
@@ -0,0 +1,46 @@
+alert_category: INFILTRATION
+alert_description: The user $xdm.source.user.username had $xdm.event.type event
+  via $xdm.intermediate.user.username chrome profile, which resulted in $xdm.observer.action.
+alert_fields:
+  action_file_name: xdm.target.file.filename
+  actor_effective_username: xdm.source.user.username
+  agent_hostname: xdm.source.host.hostname
+  fw_url_domain: xdm.network.http.url
+  user_agent: xdm.source.user_agent
+alert_name: Chrome - User Phished and/or Password Re-use/Breach event
+crontab: null
+dataset: alerts
+description: This rule alerts on events related to bad navigation via social engineering
+  or password reuse/breach, that resulted in bypass action.
+drilldown_query_timeframe: ALERT
+execution_mode: REAL_TIME
+global_rule_id: 5e5feef6-08b3-482d-940f-9303ac6bee2d
+investigation_query_link: "datamodel \n| filter xdm.observer.vendor = \"Google\"\
+  \ and xdm.observer.product = \"Workspace Chrome\"\n| filter (xdm.event.type in\
+  \ (\"UNSAFE_SITE_VISIT\") and xdm.observer.action = \"BYPASSED\" and xdm.event.description\
+  \ contains \"SOCIAL_ENGINEERING\") or (xdm.event.type in (\"PASSWORD_BREACH\"\
+  , \"PASSWORD_REUSE\"))\n| filter xdm.source.user.username = $xdm.source.user.username\
+  \ and xdm.intermediate.user.username = $xdm.intermediate.user.username and xdm.source.host.hostname\
+  \ = $xdm.source.host.hostname"
+mapping_strategy: CUSTOM
+mitre_defs:
+  TA0001 - Initial Access:
+  - T1566 - Phishing
+  - T1078 - Valid Accounts
+name: Chrome - User Phished and/or Password Re-use/Breach event
+search_window: null
+severity: SEV_030_MEDIUM
+suppression_duration: 1 hours
+suppression_enabled: true
+suppression_fields: xdm.source.host.hostname|xdm.source.user.username|xdm.intermediate.user.username|xdm.event.type|xdm.network.http.url
+user_defined_category: null
+user_defined_severity: null
+xql_query: "datamodel \n| filter xdm.observer.vendor = \"Google\" and xdm.observer.product\
+  \ = \"Workspace Chrome\"\n| filter (xdm.event.type in (\"UNSAFE_SITE_VISIT\")\
+  \ and xdm.observer.action = \"BYPASSED\" and xdm.event.description contains \"\
+  SOCIAL_ENGINEERING\") or (xdm.event.type in (\"PASSWORD_BREACH\", \"PASSWORD_REUSE\"\
+  ))\n| fields xdm.event.type, xdm.event.description, xdm.observer.action, xdm.event.outcome_reason,\
+  \ xdm.source.user.username, xdm.intermediate.user.username, xdm.source.host.hostname,\
+  \ xdm.source.host.os, xdm.source.host.os_family, xdm.network.http.browser, xdm.network.http.url,\
+  \ xdm.source.user_agent, xdm.target.file.filename, xdm.target.file.size"
+fromversion: 8.4.0
diff --git a/Packs/GoogleChrome/ModelingRules/GoogleChrome/GoogleChrome.xif b/Packs/GoogleChrome/ModelingRules/GoogleChrome/GoogleChrome.xif
@@ -0,0 +1,26 @@
+[MODEL: dataset = google_workspace_chrome_raw]
+// Extracting fields
+alter
+        device_platform = lowercase(parameters -> DEVICE_PLATFORM),
+        url_category = uppercase(parameters -> URL_CATEGORY)
+// Mapping to xdm fields
+| alter
+        xdm.event.type = events -> name,
+        xdm.event.description = parameters -> EVENT_REASON,
+        xdm.event.outcome_reason = parameters -> TRIGGER_TYPE,
+        xdm.source.host.device_id = parameters -> DEVICE_ID,
+        xdm.source.host.hostname = parameters -> DEVICE_NAME,
+        xdm.source.host.os_family = if(device_platform contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, device_platform contains "mac", XDM_CONST.OS_FAMILY_MACOS, device_platform contains "linux", XDM_CONST.OS_FAMILY_LINUX, device_platform contains "android", XDM_CONST.OS_FAMILY_ANDROID, device_platform contains "ios", XDM_CONST.OS_FAMILY_IOS, device_platform contains "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, device_platform contains "debian", XDM_CONST.OS_FAMILY_DEBIAN, device_platform contains "fedora", XDM_CONST.OS_FAMILY_FEDORA, device_platform contains "centos", XDM_CONST.OS_FAMILY_CENTOS, device_platform contains "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, device_platform contains "solaris", XDM_CONST.OS_FAMILY_SOLARIS, device_platform contains "scada", XDM_CONST.OS_FAMILY_SCADA, to_string(device_platform)),
+        xdm.source.host.os = parameters -> DEVICE_PLATFORM,
+        xdm.network.http.browser = concat(parameters -> CLIENT_TYPE, " ", parameters -> BROWSER_VERSION),
+        xdm.source.user.username = lowercase(parameters -> DEVICE_USER),
+        xdm.intermediate.user.username = lowercase(parameters -> PROFILE_USER_NAME),
+        xdm.observer.action = parameters -> EVENT_RESULT,
+        xdm.network.http.url = parameters -> URL,
+        xdm.network.http.url_category = if(url_category contains "ABORTION", XDM_CONST.URL_CATEGORY_ABORTION, url_category contains "DRUGS", XDM_CONST.URL_CATEGORY_ABUSED_DRUGS, url_category contains "ADULT", XDM_CONST.URL_CATEGORY_ADULT, url_category contains "ALCOHOL" or url_category contains "TOBACCO", XDM_CONST.URL_CATEGORY_ALCOHOL_AND_TOBACCO, url_category contains "AUCTIONS", XDM_CONST.URL_CATEGORY_AUCTIONS, url_category contains "BUSINESS" or url_category contains "ECONOMY", XDM_CONST.URL_CATEGORY_BUSINESS_AND_ECONOMY, url_category contains "COMMAND AND CONTROL" or url_category contains "C&C", XDM_CONST.URL_CATEGORY_COMMAND_AND_CONTROL, url_category contains "COMPUTER" or url_category contains "INTERNET", XDM_CONST.URL_CATEGORY_COMPUTER_AND_INTERNET_INFO, url_category contains "CONTENT DELIVERY NETWORKS" or url_category contains "CDN", XDM_CONST.URL_CATEGORY_CONTENT_DELIVERY_NETWORKS, url_category contains "COPYRIGHT", XDM_CONST.URL_CATEGORY_COPYRIGHT_INFRINGEMENT, url_category contains "CRYPTO", XDM_CONST.URL_CATEGORY_CRYPTOCURRENCY, url_category contains "DATING", XDM_CONST.URL_CATEGORY_DATING, url_category contains "DYNAMIC DNS", XDM_CONST.URL_CATEGORY_DYNAMIC_DNS, url_category contains "EDUCATIONAL INSTITUTIONS", XDM_CONST.URL_CATEGORY_EDUCATIONAL_INSTITUTIONS, url_category contains "ENTERTAINMENT" and url_category contains "ARTS", XDM_CONST.URL_CATEGORY_ENTERTAINMENT_AND_ARTS, url_category contains "EXTREMISM", XDM_CONST.URL_CATEGORY_EXTREMISM, url_category contains "FINANCIAL" or url_category contains "FINANCE", XDM_CONST.URL_CATEGORY_FINANCIAL_SERVICES, url_category contains "GAMBLING", XDM_CONST.URL_CATEGORY_GAMBLING, url_category contains "GAMES", XDM_CONST.URL_CATEGORY_GAMES, url_category contains "GOVERNMENT", XDM_CONST.URL_CATEGORY_GOVERNMENT, url_category contains "GRAYWARE", XDM_CONST.URL_CATEGORY_GRAYWARE, url_category contains "HACKING", XDM_CONST.URL_CATEGORY_HACKING, url_category contains "HEALTH" or url_category contains "MEDICINE", XDM_CONST.URL_CATEGORY_HEALTH_AND_MEDICINE, url_category contains "HOME" or url_category contains "GARDEN", XDM_CONST.URL_CATEGORY_HOME_AND_GARDEN, url_category contains "HUNTING" or url_category contains "FISHING", XDM_CONST.URL_CATEGORY_HUNTING_AND_FISHING, url_category contains "INSUFFICIENT CONTENT", XDM_CONST.URL_CATEGORY_INSUFFICIENT_CONTENT, url_category contains "INTERNET COMMUNICATIONS" and url_category contains "TELEPHONY", XDM_CONST.URL_CATEGORY_INTERNET_COMMUNICATIONS_AND_TELEPHONY, url_category contains "INTERNET PORTALS", XDM_CONST.URL_CATEGORY_INTERNET_PORTALS, url_category contains "JOB", XDM_CONST.URL_CATEGORY_JOB_SEARCH, url_category contains "LEGAL", XDM_CONST.URL_CATEGORY_LEGAL, url_category contains "MALWARE", XDM_CONST.URL_CATEGORY_MALWARE, url_category contains "MILITARY", XDM_CONST.URL_CATEGORY_MILITARY, url_category contains "MOTOR VEHICLES", XDM_CONST.URL_CATEGORY_MOTOR_VEHICLES, url_category contains "MUSIC", XDM_CONST.URL_CATEGORY_MUSIC, url_category contains "DOMAIN" and url_category contains "REGIST", XDM_CONST.URL_CATEGORY_NEWLY_REGISTERED_DOMAIN, url_category contains "NEWS", XDM_CONST.URL_CATEGORY_NEWS, url_category contains "NOT RESOLVED", XDM_CONST.URL_CATEGORY_NOT_RESOLVED, url_category contains "NUDITY", XDM_CONST.URL_CATEGORY_NUDITY, url_category contains "ONLINE STORAGE" and url_category contains "BACKUP", XDM_CONST.URL_CATEGORY_ONLINE_STORAGE_AND_BACKUP, url_category contains "PARKED", XDM_CONST.URL_CATEGORY_PARKED, url_category contains "PEER TO PEER", XDM_CONST.URL_CATEGORY_PEER_TO_PEER, url_category contains "PERSONAL SITES" or url_category contains "BLOG", XDM_CONST.URL_CATEGORY_PERSONAL_SITES_AND_BLOGS, url_category contains "PHILOSOPHY" or url_category contains "POLITICAL ADVOCACY", XDM_CONST.URL_CATEGORY_PHILOSOPHY_AND_POLITICAL_ADVOCACY, url_category contains "PHISHING", XDM_CONST.URL_CATEGORY_PHISHING, url_category contains "PRIVATE IP ADDRESSES", XDM_CONST.URL_CATEGORY_PRIVATE_IP_ADDRESSES, url_category contains "PROXY" or url_category contains "ANONYMIZERS", XDM_CONST.URL_CATEGORY_PROXY_AVOIDANCE_AND_ANONYMIZERS, url_category contains "QUESTIONABLE", XDM_CONST.URL_CATEGORY_QUESTIONABLE, url_category contains "REAL ESTATE", XDM_CONST.URL_CATEGORY_REAL_ESTATE, url_category contains "HOBBIES" or url_category contains "RECREATION", XDM_CONST.URL_CATEGORY_RECREATION_AND_HOBBIES, url_category contains "REFERENCE", XDM_CONST.URL_CATEGORY_REFERENCE_AND_RESEARCH, url_category contains "RELIGION", XDM_CONST.URL_CATEGORY_RELIGION, url_category contains "SEARCH ENGINES", XDM_CONST.URL_CATEGORY_SEARCH_ENGINES, url_category contains "SEX EDUCATION", XDM_CONST.URL_CATEGORY_SEX_EDUCATION, url_category contains "SHAREWARE" and url_category contains "FREEWARE", XDM_CONST.URL_CATEGORY_SHAREWARE_AND_FREEWARE, url_category contains "SHOPPING", XDM_CONST.URL_CATEGORY_SHOPPING, url_category contains "SOCIAL_NETWORK", XDM_CONST.URL_CATEGORY_SOCIAL_NETWORKING, url_category contains "SOCIETY", XDM_CONST.URL_CATEGORY_SOCIETY, url_category contains "SPORTS", XDM_CONST.URL_CATEGORY_SPORTS, url_category contains "STOCK", XDM_CONST.URL_CATEGORY_STOCK_ADVICE_AND_TOOLS, url_category contains "MEDIA" and url_category contains "STREAM", XDM_CONST.URL_CATEGORY_STREAMING_MEDIA, url_category contains "INTIMATE APPAREL", XDM_CONST.URL_CATEGORY_SWIMSUITS_AND_INTIMATE_APPAREL, url_category contains "TRAINING" and url_category contains "Sport", XDM_CONST.URL_CATEGORY_TRAINING_AND_TOOLS, url_category contains "TRANSLATION", XDM_CONST.URL_CATEGORY_TRANSLATION, url_category contains "TRAVEL", XDM_CONST.URL_CATEGORY_TRAVEL, url_category contains "UNKNOWN", XDM_CONST.URL_CATEGORY_UNKNOWN, url_category contains "WEAPONS", XDM_CONST.URL_CATEGORY_WEAPONS, url_category contains "WEB ADVERTISEMENTS", XDM_CONST.URL_CATEGORY_WEB_ADVERTISEMENTS, url_category contains "WEB HOSTING", XDM_CONST.URL_CATEGORY_WEB_HOSTING, url_category contains "WEB BASED EMAIL", XDM_CONST.URL_CATEGORY_WEB_BASED_EMAIL, to_string(url_category)),
+        xdm.source.user_agent = parameters -> USER_AGENT,
+        xdm.target.resource.name = parameters -> APP_NAME,
+        xdm.target.resource.id = parameters -> APP_ID,
+        xdm.target.file.filename = parameters -> CONTENT_NAME,
+        xdm.target.file.sha256 = parameters -> CONTENT_HASH,
+        xdm.target.file.size = to_integer(parametersint -> CONTENT_SIZE);
diff --git a/Packs/GoogleChrome/ModelingRules/GoogleChrome/GoogleChrome.yml b/Packs/GoogleChrome/ModelingRules/GoogleChrome/GoogleChrome.yml
@@ -0,0 +1,6 @@
+fromversion: 8.4.0
+id: Google_Chrome_ModelingRule
+name: Google Chrome Modeling Rule
+rules: ''
+schema: ''
+tags: Google Chrome
diff --git a/Packs/GoogleChrome/ModelingRules/GoogleChrome/GoogleChrome_schema.json b/Packs/GoogleChrome/ModelingRules/GoogleChrome/GoogleChrome_schema.json
@@ -0,0 +1,16 @@
+{
+    "google_workspace_chrome_raw": {
+        "events": {
+          "type": "string",
+          "is_array": false
+        },
+        "parameters": {
+          "type": "string",
+          "is_array": false
+        },
+        "parametersint": {
+          "type": "string",
+          "is_array": false
+        }
+    }
+}
diff --git a/Packs/GoogleChrome/ParsingRules/GoogleChrome/GoogleChrome.xif b/Packs/GoogleChrome/ParsingRules/GoogleChrome/GoogleChrome.xif
@@ -0,0 +1,10 @@
+[INGEST:vendor="Google", product="Workspace Chrome", target_dataset="google_workspace_chrome_raw", no_hit = keep]
+// Creating json fields with the value of the events field, organized in a key - value format.
+alter events = events -> []
+| arrayexpand events
+| alter parameters = events -> parameters[]
+| alter parameters = arraymap(parameters ,concat("{","\"",json_extract_scalar("@element", "$.name"),"\"", ":", "\"",json_extract_scalar("@element", "$.value"),"\"", "}"))
+| alter parameters = replace(arraystring(parameters, ","),"},{", ",") -> {}
+| alter parametersint = events -> parameters[]
+| alter parametersint = arraymap(parametersint ,concat("{","\"",json_extract_scalar("@element", "$.name"),"\"", ":", "\"",json_extract_scalar("@element", "$.intValue"),"\"", "}"))
+| alter parametersint = replace(arraystring(parametersint, ","),"},{", ",") -> {};
diff --git a/Packs/GoogleChrome/ParsingRules/GoogleChrome/GoogleChrome.yml b/Packs/GoogleChrome/ParsingRules/GoogleChrome/GoogleChrome.yml
@@ -0,0 +1,6 @@
+name: Google Chrome Parsing Rule
+id: Google_Chrome_ParsingRule
+fromversion: 8.4.0
+tags: []
+rules: ''
+samples: ''
diff --git a/Packs/GoogleChrome/README.md b/Packs/GoogleChrome/README.md
@@ -0,0 +1,9 @@
+<~XSIAM>
+# Google Chrome
+This pack includes Cortex XSIAM content.
+
+This pack is supported from Cortex XSIAM V2.0.
+
+## Collect Events from Vendor
+To configure the ingestion of data from Google Workspace, see the information [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Ingest-Logs-and-Data-from-Google-Workspace).
+</~XSIAM>