diff --git a/Packs/GoogleChrome/.pack-ignore b/Packs/GoogleChrome/.pack-ignore new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/GoogleChrome/.secrets-ignore b/Packs/GoogleChrome/.secrets-ignore new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/GoogleChrome/CorrelationRules/GoogleChrome_-_Chrome_Extension_Install_Event.yml b/Packs/GoogleChrome/CorrelationRules/GoogleChrome_-_Chrome_Extension_Install_Event.yml new file mode 100644 index 000000000000..a5f14a6fa6ca --- /dev/null +++ b/Packs/GoogleChrome/CorrelationRules/GoogleChrome_-_Chrome_Extension_Install_Event.yml 
@@ -0,0 +1,38 @@ +alert_category: PERSISTENCE +alert_description: The extension $xdm.target.resource.name was installed on $xdm.source.host.hostname + by $xdm.intermediate.user.username +alert_fields: + actor_effective_username: xdm.source.user.username + agent_hostname: xdm.source.host.hostname + user_agent: xdm.source.user_agent +alert_name: Chrome - Chrome Extension Install Event +crontab: null +dataset: alerts +description: This rule alerts on any installation of a browser extension +drilldown_query_timeframe: ALERT +execution_mode: REAL_TIME +global_rule_id: 6530cad5-856d-4d38-b305-63b9567d4c48 +investigation_query_link: "datamodel \n| filter xdm.observer.vendor = \"Google\"\ + \ and xdm.observer.product = \"Workspace Chrome\"\n| filter xdm.event.type in\ + \ (\"BROWSER_EXTENSION_INSTALL\")\n| filter xdm.intermediate.user.username = $xdm.intermediate.user.username\ + \ and xdm.source.host.hostname = $xdm.source.host.hostname and xdm.target.resource.name\ + \ = $xdm.target.resource.name" +mapping_strategy: CUSTOM +mitre_defs: + TA0003 - Persistence: + - T1176 - Browser Extensions +name: Chrome - Chrome Extension Install Event +search_window: null +severity: SEV_020_LOW +suppression_duration: 1 hours +suppression_enabled: true +suppression_fields: xdm.intermediate.user.username|xdm.target.resource.name|xdm.source.host.hostname|xdm.source.user.username +user_defined_category: null +user_defined_severity: null +xql_query: "datamodel \n| filter xdm.observer.vendor = \"Google\" and xdm.observer.product\ + \ = \"Workspace Chrome\"\n| filter xdm.event.type in (\"BROWSER_EXTENSION_INSTALL\"\ + )\n| fields xdm.event.type, xdm.observer.action, xdm.event.description, xdm.event.outcome_reason,\ + \ xdm.source.user.username, xdm.intermediate.user.username, xdm.source.host.hostname,\ + \ xdm.source.host.os, xdm.source.host.os_family, xdm.network.http.browser, xdm.source.user_agent,\ + \ xdm.target.resource.name, xdm.target.resource.id" +fromversion: 8.4.0 
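Review bot: `suppression_fields` and `alert_description` key this alert on `xdm.target.resource.name`, the extension's display name, while the stable identifier `xdm.target.resource.id` (populated from APP_ID by the modeling rule in this same commit and already selected in `xql_query`) is not used, so two different extensions published under the same name are suppressed as one and a renamed extension re-alerts. Change the key to `suppression_fields: xdm.intermediate.user.username|xdm.target.resource.id|xdm.source.host.hostname|xdm.source.user.username` and add `$xdm.target.resource.id` to `alert_description` so analysts can pivot on the ID rather than the name. Since the rule fires on every BROWSER_EXTENSION_INSTALL with no allowlist, say so in the description, e.g. `description: This rule alerts on any installation of a browser extension; tune with an allowlist of approved extension IDs to reduce noise.`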
diff --git a/Packs/GoogleChrome/CorrelationRules/GoogleChrome_-_Known_Malicious_Site_Visit.yml b/Packs/GoogleChrome/CorrelationRules/GoogleChrome_-_Known_Malicious_Site_Visit.yml new file mode 100644 index 000000000000..da58a4aaddec --- /dev/null +++ b/Packs/GoogleChrome/CorrelationRules/GoogleChrome_-_Known_Malicious_Site_Visit.yml 
@@ -0,0 +1,41 @@ +alert_category: EXECUTION +alert_description: Unsafe site $xdm.network.http.url was visited by $xdm.source.user.username + via chrome profile $xdm.intermediate.user.username. +alert_fields: + action_file_name: xdm.target.resource.name + actor_effective_username: xdm.source.user.username + agent_hostname: xdm.source.host.hostname + fw_url_domain: xdm.network.http.url + hostriskreasons: xdm.event.outcome_reason + user_agent: xdm.source.user_agent +alert_name: Chrome - Known Malicious Site Visit +crontab: null +dataset: alerts +description: This rule alerts on events related to bad navigation, that resulted + in bypass action. +drilldown_query_timeframe: ALERT +execution_mode: REAL_TIME +global_rule_id: 5fa4d7d2-3b4c-4876-bc0f-b170fa49afe6 +investigation_query_link: "datamodel \n| filter xdm.observer.vendor = \"Google\"\ + \ and xdm.observer.product = \"Workspace Chrome\"\n| filter xdm.event.type in\ + \ (\"UNSAFE_SITE_VISIT\") and xdm.observer.action = \"BYPASSED\"\n| filter xdm.source.user.username\ + \ = $xdm.source.user.username and xdm.intermediate.user.username = $xdm.intermediate.user.username\ + \ and xdm.network.http.url = $xdm.network.http.url and xdm.source.host.hostname\ + \ = $xdm.source.host.hostname" +mapping_strategy: CUSTOM +mitre_defs: {} +name: Chrome - Known Malicious Site Visit +search_window: null +severity: SEV_030_MEDIUM +suppression_duration: 1 hours +suppression_enabled: true +suppression_fields: xdm.network.http.url|xdm.source.host.hostname|xdm.source.user.username|xdm.intermediate.user.username +user_defined_category: null +user_defined_severity: null +xql_query: "datamodel \n| filter xdm.observer.vendor = \"Google\" and xdm.observer.product\ + \ = \"Workspace Chrome\"\n| filter xdm.event.type in (\"UNSAFE_SITE_VISIT\") and\ + \ xdm.observer.action = \"BYPASSED\"\n| fields xdm.event.type, xdm.event.description,\ + \ xdm.observer.action, xdm.event.outcome_reason, xdm.source.user.username, xdm.intermediate.user.username,\ + 
\ xdm.source.host.hostname, xdm.source.host.os, xdm.source.host.os_family, xdm.network.http.browser,\ + \ xdm.network.http.url, xdm.source.user_agent, xdm.target.resource.name, xdm.target.resource.id" +fromversion: 8.4.0 \ No newline at end of file diff --git a/Packs/GoogleChrome/CorrelationRules/GoogleChrome_-_Known_Malware_Downloaded.yml b/Packs/GoogleChrome/CorrelationRules/GoogleChrome_-_Known_Malware_Downloaded.yml new file mode 100644 index 000000000000..7ea7f6518bc5 --- /dev/null +++ b/Packs/GoogleChrome/CorrelationRules/GoogleChrome_-_Known_Malware_Downloaded.yml 
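Review bot: `mitre_defs: {}` is empty here while the other three correlation rules in this commit carry tactic/technique mappings, so this alert surfaces with no ATT&CK context; if the pack convention permits, `TA0001 - Initial Access: - T1189 - Drive-by Compromise` is the matching entry for an unsafe-site visit. `alert_fields` also maps `action_file_name: xdm.target.resource.name`, which the modeling rule fills from APP_NAME (an app/extension name, presumably empty for a site visit), and `fw_url_domain: xdm.network.http.url`, which carries the full URL in a domain-named column; if this reuse of the available alert columns is intentional, a short note in `description` would stop the next maintainer "fixing" it.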
@@ -0,0 +1,41 @@ +alert_category: EXECUTION +alert_description: User $xdm.source.user.username downloaded the file $xdm.target.file.filename + via chrome profile $$xdm.intermediate.user.username on $xdm.source.host.hostname. +alert_fields: + action_file_name: xdm.target.file.filename + actor_effective_username: xdm.source.user.username + agent_hostname: xdm.source.host.hostname + fw_url_domain: xdm.network.http.url + user_agent: xdm.source.user_agent +alert_name: Chrome - Known Malware Downloaded +crontab: null +dataset: alerts +description: This rule alerts on dangerous file download. +drilldown_query_timeframe: ALERT +execution_mode: REAL_TIME +global_rule_id: 8c9024e2-3d25-471a-a7de-938335c1a38d +investigation_query_link: "datamodel \n| filter xdm.observer.vendor = \"Google\"\ + \ and xdm.observer.product = \"Workspace Chrome\"\n| filter xdm.event.type = \"\ + MALWARE_TRANSFER\" and xdm.observer.action = \"BYPASSED\"\n| filter xdm.source.user.username\ + \ = $xdm.source.user.username and xdm.source.host.hostname = $xdm.source.host.hostname\ + \ and xdm.intermediate.user.username = $xdm.intermediate.user.username and xdm.target.file.filename\ + \ = $xdm.target.file.filename" +mapping_strategy: CUSTOM +mitre_defs: + TA0002 - Execution: + - 'T1204.002 - User Execution: Malicious File' +name: Chrome - Known Malware Downloaded +search_window: null +severity: SEV_030_MEDIUM +suppression_duration: 1 hours +suppression_enabled: true +suppression_fields: xdm.target.file.filename|xdm.source.user.username|xdm.source.host.hostname|xdm.intermediate.user.username +user_defined_category: null +user_defined_severity: null +xql_query: "datamodel \n| filter xdm.observer.vendor = \"Google\" and xdm.observer.product\ + \ = \"Workspace Chrome\"\n| filter xdm.event.type = \"MALWARE_TRANSFER\" and xdm.observer.action\ + \ = \"BYPASSED\"\n| fields xdm.event.type, xdm.event.description, xdm.observer.action,\ + \ xdm.event.outcome_reason, xdm.source.user.username, 
xdm.intermediate.user.username,\ + \ xdm.source.host.hostname, xdm.source.host.os, xdm.source.host.os_family, xdm.network.http.browser,\ + \ xdm.network.http.url, xdm.source.user_agent, xdm.target.file.filename, xdm.target.file.size" +fromversion: 8.4.0 \ No newline at end of file diff --git a/Packs/GoogleChrome/CorrelationRules/GoogleChrome_-_User_Phished_or_Password_Re-useorBreach_event.yml b/Packs/GoogleChrome/CorrelationRules/GoogleChrome_-_User_Phished_or_Password_Re-useorBreach_event.yml new file mode 100644 index 000000000000..de6f0cc23648 --- /dev/null +++ b/Packs/GoogleChrome/CorrelationRules/GoogleChrome_-_User_Phished_or_Password_Re-useorBreach_event.yml 
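Review bot: `alert_description` contains `$$xdm.intermediate.user.username` (double `$`), which will most likely render a literal `$` or fail to substitute; it should read `via chrome profile $xdm.intermediate.user.username on $xdm.source.host.hostname.`. The `fields` lists in `xql_query` and `investigation_query_link` return `xdm.target.file.filename` and `xdm.target.file.size` but not `xdm.target.file.sha256`, which the modeling rule populates from CONTENT_HASH; for a malware-download alert the hash is what an analyst needs for enrichment and for correlating with endpoint telemetry, so add `xdm.target.file.sha256` to both lists and consider exposing it as an `alert_fields` entry. As in the sibling rules, `fw_url_domain: xdm.network.http.url` places a full URL in a domain-named column.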
@@ -0,0 +1,46 @@ +alert_category: INFILTRATION +alert_description: The user $xdm.source.user.username had $xdm.event.type event + via $xdm.intermediate.user.username chrome profile, which resulted in $xdm.observer.action. +alert_fields: + action_file_name: xdm.target.file.filename + actor_effective_username: xdm.source.user.username + agent_hostname: xdm.source.host.hostname + fw_url_domain: xdm.network.http.url + user_agent: xdm.source.user_agent +alert_name: Chrome - User Phished and/or Password Re-use/Breach event +crontab: null +dataset: alerts +description: This rule alerts on events related to bad navigation via social engineering + or password reuse/breach, that resulted in bypass action. +drilldown_query_timeframe: ALERT +execution_mode: REAL_TIME +global_rule_id: 5e5feef6-08b3-482d-940f-9303ac6bee2d +investigation_query_link: "datamodel \n| filter xdm.observer.vendor = \"Google\"\ + \ and xdm.observer.product = \"Workspace Chrome\"\n| filter (xdm.event.type in\ + \ (\"UNSAFE_SITE_VISIT\") and xdm.observer.action = \"BYPASSED\" and xdm.event.description\ + \ contains \"SOCIAL_ENGINEERING\") or (xdm.event.type in (\"PASSWORD_BREACH\"\ + , \"PASSWORD_REUSE\"))\n| filter xdm.source.user.username = $xdm.source.user.username\ + \ and xdm.intermediate.user.username = $xdm.intermediate.user.username and xdm.source.host.hostname\ + \ = $xdm.source.host.hostname" +mapping_strategy: CUSTOM +mitre_defs: + TA0001 - Initial Access: + - T1566 - Phishing + - T1078 - Valid Accounts +name: Chrome - User Phished and/or Password Re-use/Breach event +search_window: null +severity: SEV_030_MEDIUM +suppression_duration: 1 hours +suppression_enabled: true +suppression_fields: xdm.source.host.hostname|xdm.source.user.username|xdm.intermediate.user.username|xdm.event.type|xdm.network.http.url +user_defined_category: null +user_defined_severity: null +xql_query: "datamodel \n| filter xdm.observer.vendor = \"Google\" and xdm.observer.product\ + \ = \"Workspace Chrome\"\n| filter 
(xdm.event.type in (\"UNSAFE_SITE_VISIT\")\ + \ and xdm.observer.action = \"BYPASSED\" and xdm.event.description contains \"\ + SOCIAL_ENGINEERING\") or (xdm.event.type in (\"PASSWORD_BREACH\", \"PASSWORD_REUSE\"\ + ))\n| fields xdm.event.type, xdm.event.description, xdm.observer.action, xdm.event.outcome_reason,\ + \ xdm.source.user.username, xdm.intermediate.user.username, xdm.source.host.hostname,\ + \ xdm.source.host.os, xdm.source.host.os_family, xdm.network.http.browser, xdm.network.http.url,\ + \ xdm.source.user_agent, xdm.target.file.filename, xdm.target.file.size" +fromversion: 8.4.0 \ No newline at end of file diff --git a/Packs/GoogleChrome/ModelingRules/GoogleChrome/GoogleChrome.xif b/Packs/GoogleChrome/ModelingRules/GoogleChrome/GoogleChrome.xif new file mode 100644 index 000000000000..30b209316001 --- /dev/null +++ b/Packs/GoogleChrome/ModelingRules/GoogleChrome/GoogleChrome.xif 
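Review bot: The `xql_query` filter applies `xdm.observer.action = "BYPASSED"` only to the UNSAFE_SITE_VISIT branch, so PASSWORD_BREACH and PASSWORD_REUSE events alert regardless of action, while `description` says the rule alerts on events "that resulted in bypass action"; either add the action condition to the second branch or reword the description to state that password events alert on any outcome. The first branch is also a strict subset of the "Known Malicious Site Visit" rule's filter in this same commit (UNSAFE_SITE_VISIT and BYPASSED), so a SOCIAL_ENGINEERING event raises two alerts with different categories and MITRE mappings; excluding `SOCIAL_ENGINEERING` descriptions from that rule, or documenting the intended overlap, would avoid duplicate alerts. The `alert_fields` entry `action_file_name: xdm.target.file.filename` is presumably empty for these event types — worth confirming against sample data, which the diff does not include.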
@@ -0,0 +1,26 @@ +[MODEL: dataset = google_workspace_chrome_raw] +// Extracting fields +alter + device_platform = lowercase(parameters -> DEVICE_PLATFORM), + url_category = uppercase(parameters -> URL_CATEGORY) +// Mapping to xdm fields +| alter + xdm.event.type = events -> name, + xdm.event.description = parameters -> EVENT_REASON, + xdm.event.outcome_reason = parameters -> TRIGGER_TYPE, + xdm.source.host.device_id = parameters -> DEVICE_ID, + xdm.source.host.hostname = parameters -> DEVICE_NAME, + xdm.source.host.os_family = if(device_platform contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, device_platform contains "mac", XDM_CONST.OS_FAMILY_MACOS, device_platform contains "linux", XDM_CONST.OS_FAMILY_LINUX, device_platform contains "android", XDM_CONST.OS_FAMILY_ANDROID, device_platform contains "ios", XDM_CONST.OS_FAMILY_IOS, device_platform contains "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, device_platform contains "debian", XDM_CONST.OS_FAMILY_DEBIAN, device_platform contains "fedora", XDM_CONST.OS_FAMILY_FEDORA, device_platform contains "centos", XDM_CONST.OS_FAMILY_CENTOS, device_platform contains "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, device_platform contains "solaris", XDM_CONST.OS_FAMILY_SOLARIS, device_platform contains "scada", XDM_CONST.OS_FAMILY_SCADA, to_string(device_platform)), + xdm.source.host.os = parameters -> DEVICE_PLATFORM, + xdm.network.http.browser = concat(parameters -> CLIENT_TYPE, " ", parameters -> BROWSER_VERSION), + xdm.source.user.username = lowercase(parameters -> DEVICE_USER), + xdm.intermediate.user.username = lowercase(parameters -> PROFILE_USER_NAME), + xdm.observer.action = parameters -> EVENT_RESULT, + xdm.network.http.url = parameters -> URL, + xdm.network.http.url_category = if(url_category contains "ABORTION", XDM_CONST.URL_CATEGORY_ABORTION, url_category contains "DRUGS", XDM_CONST.URL_CATEGORY_ABUSED_DRUGS, url_category contains "ADULT", XDM_CONST.URL_CATEGORY_ADULT, url_category contains "ALCOHOL" or url_category 
contains "TOBACCO", XDM_CONST.URL_CATEGORY_ALCOHOL_AND_TOBACCO, url_category contains "AUCTIONS", XDM_CONST.URL_CATEGORY_AUCTIONS, url_category contains "BUSINESS" or url_category contains "ECONOMY", XDM_CONST.URL_CATEGORY_BUSINESS_AND_ECONOMY, url_category contains "COMMAND AND CONTROL" or url_category contains "C&C", XDM_CONST.URL_CATEGORY_COMMAND_AND_CONTROL, url_category contains "COMPUTER" or url_category contains "INTERNET", XDM_CONST.URL_CATEGORY_COMPUTER_AND_INTERNET_INFO, url_category contains "CONTENT DELIVERY NETWORKS" or url_category contains "CDN", XDM_CONST.URL_CATEGORY_CONTENT_DELIVERY_NETWORKS, url_category contains "COPYRIGHT", XDM_CONST.URL_CATEGORY_COPYRIGHT_INFRINGEMENT, url_category contains "CRYPTO", XDM_CONST.URL_CATEGORY_CRYPTOCURRENCY, url_category contains "DATING", XDM_CONST.URL_CATEGORY_DATING, url_category contains "DYNAMIC DNS", XDM_CONST.URL_CATEGORY_DYNAMIC_DNS, url_category contains "EDUCATIONAL INSTITUTIONS", XDM_CONST.URL_CATEGORY_EDUCATIONAL_INSTITUTIONS, url_category contains "ENTERTAINMENT" and url_category contains "ARTS", XDM_CONST.URL_CATEGORY_ENTERTAINMENT_AND_ARTS, url_category contains "EXTREMISM", XDM_CONST.URL_CATEGORY_EXTREMISM, url_category contains "FINANCIAL" or url_category contains "FINANCE", XDM_CONST.URL_CATEGORY_FINANCIAL_SERVICES, url_category contains "GAMBLING", XDM_CONST.URL_CATEGORY_GAMBLING, url_category contains "GAMES", XDM_CONST.URL_CATEGORY_GAMES, url_category contains "GOVERNMENT", XDM_CONST.URL_CATEGORY_GOVERNMENT, url_category contains "GRAYWARE", XDM_CONST.URL_CATEGORY_GRAYWARE, url_category contains "HACKING", XDM_CONST.URL_CATEGORY_HACKING, url_category contains "HEALTH" or url_category contains "MEDICINE", XDM_CONST.URL_CATEGORY_HEALTH_AND_MEDICINE, url_category contains "HOME" or url_category contains "GARDEN", XDM_CONST.URL_CATEGORY_HOME_AND_GARDEN, url_category contains "HUNTING" or url_category contains "FISHING", XDM_CONST.URL_CATEGORY_HUNTING_AND_FISHING, url_category contains 
"INSUFFICIENT CONTENT", XDM_CONST.URL_CATEGORY_INSUFFICIENT_CONTENT, url_category contains "INTERNET COMMUNICATIONS" and url_category contains "TELEPHONY", XDM_CONST.URL_CATEGORY_INTERNET_COMMUNICATIONS_AND_TELEPHONY, url_category contains "INTERNET PORTALS", XDM_CONST.URL_CATEGORY_INTERNET_PORTALS, url_category contains "JOB", XDM_CONST.URL_CATEGORY_JOB_SEARCH, url_category contains "LEGAL", XDM_CONST.URL_CATEGORY_LEGAL, url_category contains "MALWARE", XDM_CONST.URL_CATEGORY_MALWARE, url_category contains "MILITARY", XDM_CONST.URL_CATEGORY_MILITARY, url_category contains "MOTOR VEHICLES", XDM_CONST.URL_CATEGORY_MOTOR_VEHICLES, url_category contains "MUSIC", XDM_CONST.URL_CATEGORY_MUSIC, url_category contains "DOMAIN" and url_category contains "REGIST", XDM_CONST.URL_CATEGORY_NEWLY_REGISTERED_DOMAIN, url_category contains "NEWS", XDM_CONST.URL_CATEGORY_NEWS, url_category contains "NOT RESOLVED", XDM_CONST.URL_CATEGORY_NOT_RESOLVED, url_category contains "NUDITY", XDM_CONST.URL_CATEGORY_NUDITY, url_category contains "ONLINE STORAGE" and url_category contains "BACKUP", XDM_CONST.URL_CATEGORY_ONLINE_STORAGE_AND_BACKUP, url_category contains "PARKED", XDM_CONST.URL_CATEGORY_PARKED, url_category contains "PEER TO PEER", XDM_CONST.URL_CATEGORY_PEER_TO_PEER, url_category contains "PERSONAL SITES" or url_category contains "BLOG", XDM_CONST.URL_CATEGORY_PERSONAL_SITES_AND_BLOGS, url_category contains "PHILOSOPHY" or url_category contains "POLITICAL ADVOCACY", XDM_CONST.URL_CATEGORY_PHILOSOPHY_AND_POLITICAL_ADVOCACY, url_category contains "PHISHING", XDM_CONST.URL_CATEGORY_PHISHING, url_category contains "PRIVATE IP ADDRESSES", XDM_CONST.URL_CATEGORY_PRIVATE_IP_ADDRESSES, url_category contains "PROXY" or url_category contains "ANONYMIZERS", XDM_CONST.URL_CATEGORY_PROXY_AVOIDANCE_AND_ANONYMIZERS, url_category contains "QUESTIONABLE", XDM_CONST.URL_CATEGORY_QUESTIONABLE, url_category contains "REAL ESTATE", XDM_CONST.URL_CATEGORY_REAL_ESTATE, url_category contains "HOBBIES" 
or url_category contains "RECREATION", XDM_CONST.URL_CATEGORY_RECREATION_AND_HOBBIES, url_category contains "REFERENCE", XDM_CONST.URL_CATEGORY_REFERENCE_AND_RESEARCH, url_category contains "RELIGION", XDM_CONST.URL_CATEGORY_RELIGION, url_category contains "SEARCH ENGINES", XDM_CONST.URL_CATEGORY_SEARCH_ENGINES, url_category contains "SEX EDUCATION", XDM_CONST.URL_CATEGORY_SEX_EDUCATION, url_category contains "SHAREWARE" and url_category contains "FREEWARE", XDM_CONST.URL_CATEGORY_SHAREWARE_AND_FREEWARE, url_category contains "SHOPPING", XDM_CONST.URL_CATEGORY_SHOPPING, url_category contains "SOCIAL_NETWORK", XDM_CONST.URL_CATEGORY_SOCIAL_NETWORKING, url_category contains "SOCIETY", XDM_CONST.URL_CATEGORY_SOCIETY, url_category contains "SPORTS", XDM_CONST.URL_CATEGORY_SPORTS, url_category contains "STOCK", XDM_CONST.URL_CATEGORY_STOCK_ADVICE_AND_TOOLS, url_category contains "MEDIA" and url_category contains "STREAM", XDM_CONST.URL_CATEGORY_STREAMING_MEDIA, url_category contains "INTIMATE APPAREL", XDM_CONST.URL_CATEGORY_SWIMSUITS_AND_INTIMATE_APPAREL, url_category contains "TRAINING" and url_category contains "Sport", XDM_CONST.URL_CATEGORY_TRAINING_AND_TOOLS, url_category contains "TRANSLATION", XDM_CONST.URL_CATEGORY_TRANSLATION, url_category contains "TRAVEL", XDM_CONST.URL_CATEGORY_TRAVEL, url_category contains "UNKNOWN", XDM_CONST.URL_CATEGORY_UNKNOWN, url_category contains "WEAPONS", XDM_CONST.URL_CATEGORY_WEAPONS, url_category contains "WEB ADVERTISEMENTS", XDM_CONST.URL_CATEGORY_WEB_ADVERTISEMENTS, url_category contains "WEB HOSTING", XDM_CONST.URL_CATEGORY_WEB_HOSTING, url_category contains "WEB BASED EMAIL", XDM_CONST.URL_CATEGORY_WEB_BASED_EMAIL, to_string(url_category)), + xdm.source.user_agent = parameters -> USER_AGENT, + xdm.target.resource.name = parameters -> APP_NAME, + xdm.target.resource.id = parameters -> APP_ID, + xdm.target.file.filename = parameters -> CONTENT_NAME, + xdm.target.file.sha256 = parameters -> CONTENT_HASH, + 
xdm.target.file.size = to_integer(parametersint -> CONTENT_SIZE);
\ No newline at end of file
diff --git a/Packs/GoogleChrome/ModelingRules/GoogleChrome/GoogleChrome.yml b/Packs/GoogleChrome/ModelingRules/GoogleChrome/GoogleChrome.yml
new file mode 100644
index 000000000000..95675ea0ebef
--- /dev/null
+++ b/Packs/GoogleChrome/ModelingRules/GoogleChrome/GoogleChrome.yml
@@ -0,0 +1,6 @@
+fromversion: 8.4.0
+id: Google_Chrome_ModelingRule
+name: Google Chrome Modeling Rule
+rules: ''
+schema: ''
+tags: Google Chrome
\ No newline at end of file
diff --git a/Packs/GoogleChrome/ModelingRules/GoogleChrome/GoogleChrome_schema.json b/Packs/GoogleChrome/ModelingRules/GoogleChrome/GoogleChrome_schema.json
new file mode 100644
index 000000000000..2be882ab4697
--- /dev/null
+++ b/Packs/GoogleChrome/ModelingRules/GoogleChrome/GoogleChrome_schema.json
@@ -0,0 +1,16 @@
+{
+ "google_workspace_chrome_raw": {
+ "events": {
+ "type": "string",
+ "is_array": false
+ },
+ "parameters": {
+ "type": "string",
+ "is_array": false
+ },
+ "parametersint": {
+ "type": "string",
+ "is_array": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/Packs/GoogleChrome/ParsingRules/GoogleChrome/GoogleChrome.xif b/Packs/GoogleChrome/ParsingRules/GoogleChrome/GoogleChrome.xif
new file mode 100644
index 000000000000..e23d0e9f6af7
--- /dev/null
+++ b/Packs/GoogleChrome/ParsingRules/GoogleChrome/GoogleChrome.xif
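Review bot: In the `xdm.network.http.url_category` chain, the branch `url_category contains "COMPUTER" or url_category contains "INTERNET"` is evaluated before `contains "INTERNET COMMUNICATIONS"` and `contains "INTERNET PORTALS"`, so those two later branches are unreachable and every INTERNET-related category is classified as COMPUTER_AND_INTERNET_INFO; the same first-match hazard applies to `contains "HOME"`, `"NEWS"` and `"JOB"` depending on the vendor's category strings. Move the multi-word, more specific checks ahead of the single-word ones, or compare with `=` against the exact category names the feed emits. The branch `url_category contains "TRAINING" and url_category contains "Sport"` tests mixed-case `"Sport"` on a value that was just passed through `uppercase()`; if `contains` is case-sensitive in this version it can never match, so use `"SPORT"`. The `os_family` chain has the same ordering question where `"linux"` precedes the distribution names, if DEVICE_PLATFORM ever carries both. The modeling statement spans the collapsed lines from `[MODEL: ...]` to the `;` on this line.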
@@ -0,0 +1,10 @@ +[INGEST:vendor="Google", product="Workspace Chrome", target_dataset="google_workspace_chrome_raw", no_hit = keep] +// Creating json fields with the value of the events field, organized in a key - value format. +alter events = events -> [] +| arrayexpand events +| alter parameters = events -> parameters[] +| alter parameters = arraymap(parameters ,concat("{","\"",json_extract_scalar("@element", "$.name"),"\"", ":", "\"",json_extract_scalar("@element", "$.value"),"\"", "}")) +| alter parameters = replace(arraystring(parameters, ","),"},{", ",") -> {} +| alter parametersint = events -> parameters[] +| alter parametersint = arraymap(parametersint ,concat("{","\"",json_extract_scalar("@element", "$.name"),"\"", ":", "\"",json_extract_scalar("@element", "$.intValue"),"\"", "}")) +| alter parametersint = replace(arraystring(parametersint, ","),"},{", ",") -> {}; \ No newline at end of file diff --git a/Packs/GoogleChrome/ParsingRules/GoogleChrome/GoogleChrome.yml b/Packs/GoogleChrome/ParsingRules/GoogleChrome/GoogleChrome.yml new file mode 100644 index 000000000000..21d64c32cbb3 --- /dev/null +++ b/Packs/GoogleChrome/ParsingRules/GoogleChrome/GoogleChrome.yml @@ -0,0 +1,6 @@ +name: Google Chrome Parsing Rule +id: Google_Chrome_ParsingRule +fromversion: 8.4.0 +tags: [] +rules: '' +samples: '' \ No newline at end of file diff --git a/Packs/GoogleChrome/README.md b/Packs/GoogleChrome/README.md new file mode 100644 index 000000000000..8c963c85a4b4 --- /dev/null +++ b/Packs/GoogleChrome/README.md @@ -0,0 +1,9 @@ +<~XSIAM> +# Google Chrome +This pack includes Cortex XSIAM content. + +This pack is supported from Cortex XSIAM V2.0. + +## Collect Events from Vendor +To configure the ingestion of data from Google Workspace, see the information [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Ingest-Logs-and-Data-from-Google-Workspace). + \ No newline at end of file 
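Review bot: The `parameters` and `parametersint` objects are built on the `arraymap` lines by string-concatenating `json_extract_scalar` output into `{"name":"value"}` text, so any parameter value containing a double quote or backslash — URL, USER_AGENT and CONTENT_NAME are free text — yields invalid JSON, the trailing `-> {}` then produces null for the whole event, the modeling rule maps no fields, and none of the pack's correlation rules can fire for that event; the failure is silent, so it shows up as a detection gap rather than an error. The `replace(arraystring(...), "},{", ",")` step also runs over value text, so a value that itself contains `},{` corrupts neighbouring keys. If the target XSIAM version offers a native object constructor (such as `object_create`), build the map with it; otherwise escape `\` and `"` in each extracted scalar (a `replace` on the `json_extract_scalar` result before `concat`) so the constructed document is always well-formed. A parsing-rule test with a sample event whose URL contains a quote character would make the current behaviour visible.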
diff --git a/Packs/GoogleChrome/XSIAMDashboards/GoogleChrome_Dashboard.json b/Packs/GoogleChrome/XSIAMDashboards/GoogleChrome_Dashboard.json new file mode 100644 index 000000000000..e5a4d0e4a07e --- /dev/null +++ b/Packs/GoogleChrome/XSIAMDashboards/GoogleChrome_Dashboard.json 
@@ -0,0 +1,1520 @@ +{ + "dashboards_data": + [ + { + "name": "Chrome Security Dashboard", + "description": "This dashboard contains information about google chrome events.", + "status": "ENABLED", + "layout": + [ + { + "id": "row-1161", + "data": + [ + { + "key": "xql_1687700757907", + "data": + { + "type": "Custom XQL", + "width": 50, + "height": 400, + "phrase": "datamodel dataset = google_workspace_chrome_raw \n| filter xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace Chrome\"\n| comp count(xdm.event.type) as counts by xdm.event.type\n| view graph type = pie header = \"Security Events by Type\" xaxis = xdm.event.type yaxis = counts ", + "time_frame": + { + "relativeTime": 86400000 + }, + "viewOptions": + { + "type": "pie", + "commands": + [ + { + "command": + { + "op": "=", + "name": "header", + "value": "\"Security Events by Type\"" + } + }, + { + "command": + { + "op": "=", + "name": "xaxis", + "value": "xdm.event.type" + } + }, + { + "command": + { + "op": "=", + "name": "yaxis", + "value": "counts" + } + } + ] + } + } + }, + { + "key": "xql_1687779507172", + "data": + { + "type": "Custom XQL", + "width": 50, + "height": 400, + "phrase": "datamodel dataset = google_workspace_chrome_raw \n//| filter xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace Chrome\"\n|filter xdm.event.type != \"\"\n| bin _time span = 24h\n| comp count() as count by _time\n| sort asc _time\n| view graph type = line xaxis = _time yaxis = count ", + "time_frame": + { + "relativeTime": 604800000 + }, + "viewOptions": + { + "type": "line", + "commands": + [ + { + "command": + { + "op": "=", + "name": "xaxis", + "value": "_time" + } + }, + { + "command": + { + "op": "=", + "name": "yaxis", + "value": "count" + } + } + ] + } + } + } + ] + }, + { + "id": "row-3172", + "data": + [ + { + "key": "xql_1687770114700", + "data": + { + "type": "Custom XQL", + "width": 25, + "height": 400, + "phrase": "datamodel dataset = google_workspace_chrome_raw \n//| 
filter xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace Chrome\"\n| filter xdm.source.user.username != \"\"\n| filter xdm.source.user.username != \"-\"\n| comp values(xdm.source.user.username) as `DEVICE_USER` by xdm.source.host.hostname\n| filter DEVICE_USER != null", + "time_frame": + { + "relativeTime": 86400000 + }, + "viewOptions": + { + "type": "table", + "commands": + [] + }, + "gridRawStorageInfo": + { + "sort": null, + "coldefs": + {}, + "rowHeight": "{\"rowHeight\":\"regular\",\"gridRowsHeight\":\"medium-row\"}", + "columnWidth": null + } + } + }, + { + "key": "xql_1687775796667", + "data": + { + "type": "Custom XQL", + "width": 25, + "height": 400, + "phrase": "datamodel dataset = google_workspace_chrome_raw \n//| filter xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace Chrome\"\n| comp count(xdm.source.user.username) as counts by xdm.source.user.username\n| sort desc counts\n| view graph type = column subtype = grouped layout = horizontal header = \"Security Events by Device Users\" xaxis = xdm.source.user.username yaxis = counts default_limit = `false` ", + "time_frame": + { + "relativeTime": 604800000 + }, + "viewOptions": + { + "type": "column", + "commands": + [ + { + "command": + { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": + { + "op": "=", + "name": "layout", + "value": "horizontal" + } + }, + { + "command": + { + "op": "=", + "name": "header", + "value": "\"Security Events by Device Users\"" + } + }, + { + "command": + { + "op": "=", + "name": "xaxis", + "value": "xdm.source.user.username" + } + }, + { + "command": + { + "op": "=", + "name": "yaxis", + "value": "counts" + } + }, + { + "command": + { + "op": "=", + "name": "default_limit", + "value": "false" + } + } + ] + }, + "gridRawStorageInfo": + { + "sort": null, + "coldefs": + {}, + "rowHeight": "{\"rowHeight\":\"regular\",\"gridRowsHeight\":\"medium-row\"}", + "columnWidth": null + } + } + }, + { + "key": 
"xql_1687769524281", + "data": + { + "type": "Custom XQL", + "width": 25, + "height": 400, + "phrase": "datamodel dataset = google_workspace_chrome_raw \n//| filter xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace Chrome\"\n| comp count(xdm.intermediate.user.username) as counts by xdm.intermediate.user.username\n| sort desc counts\n| view graph type = column subtype = grouped layout = horizontal header = \"Security Events by Chrome Users\" xaxis = xdm.intermediate.user.username yaxis = counts default_limit = `false` ", + "time_frame": + { + "relativeTime": 86400000 + }, + "viewOptions": + { + "type": "column", + "commands": + [ + { + "command": + { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": + { + "op": "=", + "name": "layout", + "value": "horizontal" + } + }, + { + "command": + { + "op": "=", + "name": "header", + "value": "\"Security Events by Chrome Users\"" + } + }, + { + "command": + { + "op": "=", + "name": "xaxis", + "value": "xdm.intermediate.user.username" + } + }, + { + "command": + { + "op": "=", + "name": "yaxis", + "value": "counts" + } + }, + { + "command": + { + "op": "=", + "name": "default_limit", + "value": "false" + } + } + ] + } + } + } + ] + }, + { + "id": "row-4502", + "data": + [ + { + "key": "xql_1687770699313", + "data": + { + "type": "Custom XQL", + "width": 25, + "height": 400, + "phrase": "datamodel dataset = google_workspace_chrome_raw \n//| filter xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace Chrome\"\n| comp count(xdm.event.description) as Security_Events by xdm.event.description\n| view graph type = column subtype = grouped header = \"Security Events by Reason\" show_callouts = `true` xaxis = xdm.event.description yaxis = Security_Events ", + "time_frame": + { + "relativeTime": 86400000 + }, + "viewOptions": + { + "type": "column", + "commands": + [ + { + "command": + { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": 
+ { + "op": "=", + "name": "header", + "value": "\"Security Events by Reason\"" + } + }, + { + "command": + { + "op": "=", + "name": "show_callouts", + "value": "true" + } + }, + { + "command": + { + "op": "=", + "name": "xaxis", + "value": "xdm.event.description" + } + }, + { + "command": + { + "op": "=", + "name": "yaxis", + "value": "Security_Events" + } + } + ] + } + } + }, + { + "key": "xql_1687769763268", + "data": + { + "type": "Custom XQL", + "width": 25, + "height": 400, + "phrase": "datamodel dataset = google_workspace_chrome_raw \n//| filter xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace Chrome\"\n| comp count(xdm.observer.action) by xdm.observer.action\n| view graph type = funnel header = \"Top Security event Actions\" show_callouts = `true` show_callouts_names = `true` xaxis = xdm.observer.action yaxis = count_1 ", + "time_frame": + { + "relativeTime": 86400000 + }, + "viewOptions": + { + "type": "funnel", + "commands": + [ + { + "command": + { + "op": "=", + "name": "header", + "value": "\"Top Security event Actions\"" + } + }, + { + "command": + { + "op": "=", + "name": "show_callouts", + "value": "true" + } + }, + { + "command": + { + "op": "=", + "name": "show_callouts_names", + "value": "true" + } + }, + { + "command": + { + "op": "=", + "name": "xaxis", + "value": "xdm.observer.action" + } + }, + { + "command": + { + "op": "=", + "name": "yaxis", + "value": "count_1" + } + } + ] + } + } + }, + { + "key": "xql_1687768232236", + "data": + { + "type": "Custom XQL", + "width": 25, + "height": 400, + "phrase": "datamodel dataset = google_workspace_chrome_raw \n//| filter xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace Chrome\"\n| alter domain = arrayindex(regextract(xdm.network.http.url, \"\\/\\/([^\\/:]+)\"),0)\n| filter domain != null\n| comp count(domain) as counts by domain\n| sort desc counts\n| view graph type = column subtype = grouped layout = horizontal header = \"Top URL Access\" show_callouts 
= `true` xaxis = domain yaxis = counts legend = `false` ", + "time_frame": + { + "relativeTime": 86400000 + }, + "viewOptions": + { + "type": "column", + "commands": + [ + { + "command": + { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": + { + "op": "=", + "name": "layout", + "value": "horizontal" + } + }, + { + "command": + { + "op": "=", + "name": "header", + "value": "\"Top URL Access\"" + } + }, + { + "command": + { + "op": "=", + "name": "show_callouts", + "value": "true" + } + }, + { + "command": + { + "op": "=", + "name": "xaxis", + "value": "domain" + } + }, + { + "command": + { + "op": "=", + "name": "yaxis", + "value": "counts" + } + }, + { + "command": + { + "op": "=", + "name": "legend", + "value": "false" + } + } + ] + } + } + }, + { + "key": "xql_1687770576993", + "data": + { + "type": "Custom XQL", + "width": 25, + "height": 400, + "phrase": "datamodel dataset = google_workspace_chrome_raw \n//| filter xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace Chrome\"\n| filter xdm.event.type = \"BROWSER_EXTENSION_INSTALL\"\n| fields xdm.target.resource.name\n| top xdm.target.resource.name top_count as COUNTS \n| sort desc COUNTS", + "time_frame": + { + "relativeTime": 2592000000 + }, + "viewOptions": + { + "type": "table", + "commands": + [] + }, + "gridRawStorageInfo": + { + "sort": null, + "coldefs": + {}, + "rowHeight": "{\"rowHeight\":\"regular\",\"gridRowsHeight\":\"medium-row\"}", + "columnWidth": null + } + } + } + ] + }, + { + "id": "row-1514", + "data": + [ + { + "key": "xql_1687774186800", + "data": + { + "type": "Custom XQL", + "width": 25, + "height": 400, + "phrase": "datamodel dataset = google_workspace_chrome_raw \n//| filter xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace Chrome\"\n| filter xdm.event.type != \"\"\n| comp count_distinct(xdm.source.user.username) as distinct_count\n| view graph type = single subtype = standard header = \"Unique Users with Security 
Events\" yaxis = distinct_count ", + "time_frame": + { + "relativeTime": 86400000 + }, + "viewOptions": + { + "type": "single", + "commands": + [ + { + "command": + { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": + { + "op": "=", + "name": "header", + "value": "\"Unique Users with Security Events\"" + } + }, + { + "command": + { + "op": "=", + "name": "yaxis", + "value": "distinct_count" + } + } + ] + } + } + }, + { + "key": "xql_1687778986988", + "data": + { + "type": "Custom XQL", + "width": 33.333333333333336, + "height": 400, + "phrase": "datamodel dataset = google_workspace_chrome_raw \n//| filter xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace Chrome\"\n|filter xdm.event.type != \"\" and xdm.network.http.browser != \"\"\n| top xdm.network.http.browser top_count as `COUNT`\n| view graph type = pie xaxis = xdm.network.http.browser yaxis = count legend_percentage = `true` seriestitle(\"count\",\" \") ", + "time_frame": + { + "relativeTime": 86400000 + }, + "viewOptions": + { + "type": "pie", + "commands": + [ + { + "command": + { + "op": "=", + "name": "xaxis", + "value": "xdm.network.http.browser" + } + }, + { + "command": + { + "op": "=", + "name": "yaxis", + "value": "count" + } + }, + { + "command": + { + "op": "=", + "name": "legend_percentage", + "value": "true" + } + }, + { + "func": + { + "args": + [ + "count", + " " + ], + "name": "seriestitle" + } + } + ] + } + } + }, + { + "key": "xql_1687774861843", + "data": + { + "type": "Custom XQL", + "width": 33.333333333333336, + "height": 400, + "phrase": "datamodel dataset = google_workspace_chrome_raw \n//| filter xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace Chrome\"\n| filter xdm.event.type != \"\"\n| comp count_distinct(xdm.source.host.os) as distinct_count\n| view graph type = single subtype = standard header = \"Unique OSes with Security Events\" yaxis = distinct_count ", + "time_frame": + { + "relativeTime": 86400000 
+ }, + "viewOptions": + { + "type": "single", + "commands": + [ + { + "command": + { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": + { + "op": "=", + "name": "header", + "value": "\"Unique OSes with Security Events\"" + } + }, + { + "command": + { + "op": "=", + "name": "yaxis", + "value": "distinct_count" + } + } + ] + } + } + }, + { + "key": "xql_1687775123677", + "data": + { + "type": "Custom XQL", + "width": 33.333333333333336, + "height": 400, + "phrase": "datamodel dataset = google_workspace_chrome_raw \n//| filter xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace Chrome\"\n| filter xdm.event.type != \"\" and xdm.source.host.os != \"\"\n| top xdm.source.host.os top_count as `COUNT`\n| view graph type = pie xaxis = xdm.source.host.os yaxis = count legend_percentage = `true` seriestitle(\"count\",\" \") ", + "time_frame": + { + "relativeTime": 86400000 + }, + "viewOptions": + { + "type": "pie", + "commands": + [ + { + "command": + { + "op": "=", + "name": "xaxis", + "value": "xdm.source.host.os" + } + }, + { + "command": + { + "op": "=", + "name": "yaxis", + "value": "count" + } + }, + { + "command": + { + "op": "=", + "name": "legend_percentage", + "value": "true" + } + }, + { + "func": + { + "args": + [ + "count", + " " + ], + "name": "seriestitle" + } + } + ] + }, + "gridRawStorageInfo": + { + "sort": null, + "coldefs": + {}, + "rowHeight": "{\"rowHeight\":\"regular\",\"gridRowsHeight\":\"medium-row\"}", + "columnWidth": null + } + } + } + ] + } + ], + "default_dashboard_id": 1, + "global_id": "06d48444d70f4cba8aaa343e518e484a" + } + ], + "widgets_data": + [ + { + "widget_key": "xql_1687700757907", + "title": "Chrome Security Events by Type", + "creation_time": 1687700757907, + "description": "This widget displays chrome events by their type.", + "data": + { + "phrase": "datamodel dataset = google_workspace_chrome_raw \n| filter xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace 
Chrome\"\n| comp count(xdm.event.type) as counts by xdm.event.type\n| view graph type = pie header = \"Security Events by Type\" xaxis = xdm.event.type yaxis = counts ", + "time_frame": + { + "relativeTime": 86400000 + }, + "viewOptions": + { + "type": "pie", + "commands": + [ + { + "command": + { + "op": "=", + "name": "header", + "value": "\"Security Events by Type\"" + } + }, + { + "command": + { + "op": "=", + "name": "xaxis", + "value": "xdm.event.type" + } + }, + { + "command": + { + "op": "=", + "name": "yaxis", + "value": "counts" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": + { + "query_tables": + [], + "query_uses_library": false + } + }, + { + "widget_key": "xql_1687768232236", + "title": "Chrome Top URL Access", + "creation_time": 1687768232236, + "description": "This widget displays top url addresses visited by chrome users.", + "data": + { + "phrase": "datamodel dataset = google_workspace_chrome_raw \n//| filter xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace Chrome\"\n| alter domain = arrayindex(regextract(xdm.network.http.url, \"\\/\\/([^\\/:]+)\"),0)\n| filter domain != null\n| comp count(domain) as counts by domain\n| sort desc counts\n| view graph type = column subtype = grouped layout = horizontal header = \"Top URL Access\" show_callouts = `true` xaxis = domain yaxis = counts legend = `false` ", + "time_frame": + { + "relativeTime": 86400000 + }, + "viewOptions": + { + "type": "column", + "commands": + [ + { + "command": + { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": + { + "op": "=", + "name": "layout", + "value": "horizontal" + } + }, + { + "command": + { + "op": "=", + "name": "header", + "value": "\"Top URL Access\"" + } + }, + { + "command": + { + "op": "=", + "name": "show_callouts", + "value": "true" + } + }, + { + "command": + { + "op": "=", + "name": "xaxis", + "value": "domain" + } + }, + { + "command": + { + "op": "=", + "name": "yaxis", + 
"value": "counts" + } + }, + { + "command": + { + "op": "=", + "name": "legend", + "value": "false" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": + { + "query_tables": + [], + "query_uses_library": false + } + }, + { + "widget_key": "xql_1687769524281", + "title": "Security Events by Chrome Users", + "creation_time": 1687769524281, + "description": "This widget displays security chrome events by chrome users.", + "data": + { + "phrase": "datamodel dataset = google_workspace_chrome_raw \n//| filter xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace Chrome\"\n| comp count(xdm.intermediate.user.username) as counts by xdm.intermediate.user.username\n| sort desc counts\n| view graph type = column subtype = grouped layout = horizontal header = \"Security Events by Chrome Users\" xaxis = xdm.intermediate.user.username yaxis = counts default_limit = `false` ", + "time_frame": + { + "relativeTime": 86400000 + }, + "viewOptions": + { + "type": "column", + "commands": + [ + { + "command": + { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": + { + "op": "=", + "name": "layout", + "value": "horizontal" + } + }, + { + "command": + { + "op": "=", + "name": "header", + "value": "\"Security Events by Chrome Users\"" + } + }, + { + "command": + { + "op": "=", + "name": "xaxis", + "value": "xdm.intermediate.user.username" + } + }, + { + "command": + { + "op": "=", + "name": "yaxis", + "value": "counts" + } + }, + { + "command": + { + "op": "=", + "name": "default_limit", + "value": "false" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": + { + "query_tables": + [], + "query_uses_library": false + } + }, + { + "widget_key": "xql_1687769763268", + "title": "Chrome Top Security event Actions", + "creation_time": 1687769763268, + "description": "This widget displays top security events by action.", + "data": + { + "phrase": "datamodel dataset = google_workspace_chrome_raw \n//| filter 
xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace Chrome\"\n| comp count(xdm.observer.action) by xdm.observer.action\n| view graph type = funnel header = \"Top Security event Actions\" show_callouts = `true` show_callouts_names = `true` xaxis = xdm.observer.action yaxis = count_1 ", + "time_frame": + { + "relativeTime": 86400000 + }, + "viewOptions": + { + "type": "funnel", + "commands": + [ + { + "command": + { + "op": "=", + "name": "header", + "value": "\"Top Security event Actions\"" + } + }, + { + "command": + { + "op": "=", + "name": "show_callouts", + "value": "true" + } + }, + { + "command": + { + "op": "=", + "name": "show_callouts_names", + "value": "true" + } + }, + { + "command": + { + "op": "=", + "name": "xaxis", + "value": "xdm.observer.action" + } + }, + { + "command": + { + "op": "=", + "name": "yaxis", + "value": "count_1" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": + { + "query_tables": + [], + "query_uses_library": false + } + }, + { + "widget_key": "xql_1687770114700", + "title": "Chrome Device Username and Device Name Mapping", + "creation_time": 1687770114700, + "description": "This widget displays device users by their related device names.", + "data": + { + "phrase": "datamodel dataset = google_workspace_chrome_raw \n//| filter xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace Chrome\"\n| filter xdm.source.user.username != \"\"\n| filter xdm.source.user.username != \"-\"\n| comp values(xdm.source.user.username) as `DEVICE_USER` by xdm.source.host.hostname\n| filter DEVICE_USER != null", + "time_frame": + { + "relativeTime": 86400000 + }, + "viewOptions": + { + "type": "table", + "commands": + [] + }, + "gridRawStorageInfo": + { + "sort": null, + "coldefs": + {}, + "rowHeight": "{\"rowHeight\":\"regular\",\"gridRowsHeight\":\"medium-row\"}", + "columnWidth": null + } + }, + "support_time_range": true, + "additional_info": + { + "query_tables": + [], + 
"query_uses_library": false + } + }, + { + "widget_key": "xql_1687770576993", + "title": "Top Chrome Extension", + "creation_time": 1687770576993, + "description": "This widget displays top extension installations", + "data": + { + "phrase": "datamodel dataset = google_workspace_chrome_raw \n//| filter xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace Chrome\"\n| filter xdm.event.type = \"BROWSER_EXTENSION_INSTALL\"\n| fields xdm.target.resource.name\n| top xdm.target.resource.name top_count as COUNTS \n| sort desc COUNTS", + "time_frame": + { + "relativeTime": 2592000000 + }, + "viewOptions": + { + "type": "table", + "commands": + [] + }, + "gridRawStorageInfo": + { + "sort": null, + "coldefs": + {}, + "rowHeight": "{\"rowHeight\":\"regular\",\"gridRowsHeight\":\"medium-row\"}", + "columnWidth": null + } + }, + "support_time_range": true, + "additional_info": + { + "query_tables": + [], + "query_uses_library": false + } + }, + { + "widget_key": "xql_1687770699313", + "title": "Chrome Security Events by Reason", + "creation_time": 1687770699313, + "description": "This widget displays chrome security events by their reason.", + "data": + { + "phrase": "datamodel dataset = google_workspace_chrome_raw \n//| filter xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace Chrome\"\n| comp count(xdm.event.description) as Security_Events by xdm.event.description\n| view graph type = column subtype = grouped header = \"Security Events by Reason\" show_callouts = `true` xaxis = xdm.event.description yaxis = Security_Events ", + "time_frame": + { + "relativeTime": 86400000 + }, + "viewOptions": + { + "type": "column", + "commands": + [ + { + "command": + { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": + { + "op": "=", + "name": "header", + "value": "\"Security Events by Reason\"" + } + }, + { + "command": + { + "op": "=", + "name": "show_callouts", + "value": "true" + } + }, + { + "command": + { + "op": 
"=", + "name": "xaxis", + "value": "xdm.event.description" + } + }, + { + "command": + { + "op": "=", + "name": "yaxis", + "value": "Security_Events" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": + { + "query_tables": + [], + "query_uses_library": false + } + }, + { + "widget_key": "xql_1687774186800", + "title": "Chrome Unique Users with Security Events", + "creation_time": 1687774186800, + "description": "This widget displays the unique users that triggered security events.", + "data": + { + "phrase": "datamodel dataset = google_workspace_chrome_raw \n//| filter xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace Chrome\"\n| filter xdm.event.type != \"\"\n| comp count_distinct(xdm.source.user.username) as distinct_count\n| view graph type = single subtype = standard header = \"Unique Users with Security Events\" yaxis = distinct_count ", + "time_frame": + { + "relativeTime": 86400000 + }, + "viewOptions": + { + "type": "single", + "commands": + [ + { + "command": + { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": + { + "op": "=", + "name": "header", + "value": "\"Unique Users with Security Events\"" + } + }, + { + "command": + { + "op": "=", + "name": "yaxis", + "value": "distinct_count" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": + { + "query_tables": + [], + "query_uses_library": false + } + }, + { + "widget_key": "xql_1687774861843", + "title": "Chrome Unique OS with Security Events", + "creation_time": 1687774861843, + "description": "This widget displays the unique OS which had chrome security events.", + "data": + { + "phrase": "datamodel dataset = google_workspace_chrome_raw \n//| filter xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace Chrome\"\n| filter xdm.event.type != \"\"\n| comp count_distinct(xdm.source.host.os) as distinct_count\n| view graph type = single subtype = standard header = \"Unique OSes with Security 
Events\" yaxis = distinct_count ", + "time_frame": + { + "relativeTime": 86400000 + }, + "viewOptions": + { + "type": "single", + "commands": + [ + { + "command": + { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": + { + "op": "=", + "name": "header", + "value": "\"Unique OSes with Security Events\"" + } + }, + { + "command": + { + "op": "=", + "name": "yaxis", + "value": "distinct_count" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": + { + "query_tables": + [], + "query_uses_library": false + } + }, + { + "widget_key": "xql_1687775123677", + "title": "Chrome Top OS Platforms with Security Events", + "creation_time": 1687775123677, + "description": "This widget displays top os platforms which had chrome security events.", + "data": + { + "phrase": "datamodel dataset = google_workspace_chrome_raw \n//| filter xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace Chrome\"\n| filter xdm.event.type != \"\" and xdm.source.host.os != \"\"\n| top xdm.source.host.os top_count as `COUNT`\n| view graph type = pie xaxis = xdm.source.host.os yaxis = count legend_percentage = `true` seriestitle(\"count\",\" \") ", + "time_frame": + { + "relativeTime": 86400000 + }, + "viewOptions": + { + "type": "pie", + "commands": + [ + { + "command": + { + "op": "=", + "name": "xaxis", + "value": "xdm.source.host.os" + } + }, + { + "command": + { + "op": "=", + "name": "yaxis", + "value": "count" + } + }, + { + "command": + { + "op": "=", + "name": "legend_percentage", + "value": "true" + } + }, + { + "func": + { + "args": + [ + "count", + " " + ], + "name": "seriestitle" + } + } + ] + }, + "gridRawStorageInfo": + { + "sort": null, + "coldefs": + {}, + "rowHeight": "{\"rowHeight\":\"regular\",\"gridRowsHeight\":\"medium-row\"}", + "columnWidth": null + } + }, + "support_time_range": true, + "additional_info": + { + "query_tables": + [], + "query_uses_library": false + } + }, + { + "widget_key": "xql_1687775796667", 
+ "title": "Security Events by Chrome Device Users", + "creation_time": 1687775796667, + "description": "This widget displays chrome security events by device users.", + "data": + { + "phrase": "datamodel dataset = google_workspace_chrome_raw \n//| filter xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace Chrome\"\n| comp count(xdm.source.user.username) as counts by xdm.source.user.username\n| sort desc counts\n| view graph type = column subtype = grouped layout = horizontal header = \"Security Events by Device Users\" xaxis = xdm.source.user.username yaxis = counts default_limit = `false` ", + "time_frame": + { + "relativeTime": 604800000 + }, + "viewOptions": + { + "type": "column", + "commands": + [ + { + "command": + { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": + { + "op": "=", + "name": "layout", + "value": "horizontal" + } + }, + { + "command": + { + "op": "=", + "name": "header", + "value": "\"Security Events by Device Users\"" + } + }, + { + "command": + { + "op": "=", + "name": "xaxis", + "value": "xdm.source.user.username" + } + }, + { + "command": + { + "op": "=", + "name": "yaxis", + "value": "counts" + } + }, + { + "command": + { + "op": "=", + "name": "default_limit", + "value": "false" + } + } + ] + }, + "gridRawStorageInfo": + { + "sort": null, + "coldefs": + {}, + "rowHeight": "{\"rowHeight\":\"regular\",\"gridRowsHeight\":\"medium-row\"}", + "columnWidth": null + } + }, + "support_time_range": true, + "additional_info": + { + "query_tables": + [], + "query_uses_library": false + } + }, + { + "widget_key": "xql_1687778986988", + "title": "Events by Chrome Browser", + "creation_time": 1687778986988, + "description": "This widget displays chrome security events by the browser they were triggered from.", + "data": + { + "phrase": "datamodel dataset = google_workspace_chrome_raw \n//| filter xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace Chrome\"\n|filter xdm.event.type 
!= \"\" and xdm.network.http.browser != \"\"\n| top xdm.network.http.browser top_count as `COUNT`\n| view graph type = pie xaxis = xdm.network.http.browser yaxis = count legend_percentage = `true` seriestitle(\"count\",\" \") ", + "time_frame": + { + "relativeTime": 86400000 + }, + "viewOptions": + { + "type": "pie", + "commands": + [ + { + "command": + { + "op": "=", + "name": "xaxis", + "value": "xdm.network.http.browser" + } + }, + { + "command": + { + "op": "=", + "name": "yaxis", + "value": "count" + } + }, + { + "command": + { + "op": "=", + "name": "legend_percentage", + "value": "true" + } + }, + { + "func": + { + "args": + [ + "count", + " " + ], + "name": "seriestitle" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": + { + "query_tables": + [], + "query_uses_library": false + } + }, + { + "widget_key": "xql_1687779507172", + "title": "Chrome Events over Time", + "creation_time": 1687779507172, + "description": "This widget displays chrome security events' trend.", + "data": + { + "phrase": "datamodel dataset = google_workspace_chrome_raw \n//| filter xdm.observer.vendor = \"Google\" and xdm.observer.product = \"Workspace Chrome\"\n|filter xdm.event.type != \"\"\n| bin _time span = 24h\n| comp count() as count by _time\n| sort asc _time\n| view graph type = line xaxis = _time yaxis = count ", + "time_frame": + { + "relativeTime": 604800000 + }, + "viewOptions": + { + "type": "line", + "commands": + [ + { + "command": + { + "op": "=", + "name": "xaxis", + "value": "_time" + } + }, + { + "command": + { + "op": "=", + "name": "yaxis", + "value": "count" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": + { + "query_tables": + [], + "query_uses_library": false + } + } + ], + "fromVersion": "8.4.0" +} \ No newline at end of file 
diff --git a/Packs/GoogleChrome/XSIAMDashboards/GoogleChrome_Dashboard_image.png b/Packs/GoogleChrome/XSIAMDashboards/GoogleChrome_Dashboard_image.png
new file mode 100644
index 000000000000..cc6f6179517a
Binary files /dev/null and b/Packs/GoogleChrome/XSIAMDashboards/GoogleChrome_Dashboard_image.png differ
diff --git a/Packs/GoogleChrome/pack_metadata.json b/Packs/GoogleChrome/pack_metadata.json
new file mode 100644
index 000000000000..dd801085da6c
--- /dev/null
+++ b/Packs/GoogleChrome/pack_metadata.json
@@ -0,0 +1,18 @@
+{
+ "name": "Google Chrome",
+ "description": "The official browser from Google. Chrome is a cross-platform web browser which brings you the best of Google.",
+ "support": "xsoar",
+ "currentVersion": "1.0.0",
+ "author": "Cortex XSOAR",
+ "url": "https://www.paloaltonetworks.com/cortex",
+ "email": "",
+ "categories": [
+ "Analytics & SIEM"
+ ],
+ "tags": [],
+ "useCases": [],
+ "keywords": [],
+ "marketplaces": [
+ "marketplacev2"
+ ]
+}
\ No newline at end of file
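Review bot: The `description` in the new pack_metadata.json describes the Chrome product ("brings you the best of Google") rather than what the pack installs, so the marketplace listing will not tell an analyst what content they are getting. The visible part of the diff adds an XSIAM dashboard whose widgets query the `google_workspace_chrome_raw` dataset for browser security events, and the description should say so, e.g. `"description": "Cortex XSIAM content for Google Workspace Chrome security events, including a dashboard of extension installs, URL access and other browser events."` — adjust the wording if the earlier, non-visible part of the diff adds further content. The file is also committed without a trailing newline (`\ No newline at end of file`), which is worth fixing for clean future diffs.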