Chrome - User Phished and/or Password Re-use/Breach event

This rule alerts on events related to bad navigation via social engineering or password reuse/breach, that resulted in bypass action.

Google Chrome MEDIUM INFILTRATION

Details

ID5e5feef6-08b3-482d-940f-9303ac6bee2d
From Version8.4.0
Execution ModeREAL_TIME
Datasetalerts

MITRE ATT&CK

  • TA0001 - Initial Access
    • T1566 - Phishing
    • T1078 - Valid Accounts

XQL Query

datamodel dataset = google_workspace_chrome_raw 
| filter (xdm.event.type in ("UNSAFE_SITE_VISIT") and xdm.observer.action = "BYPASSED" and xdm.event.description contains "SOCIAL_ENGINEERING") or (xdm.event.type in ("PASSWORD_BREACH", "PASSWORD_REUSE"))
| fields xdm.event.type, xdm.event.description, xdm.observer.action, xdm.event.outcome_reason, xdm.source.user.username, xdm.intermediate.user.username, xdm.source.host.hostname, xdm.source.host.os, xdm.source.host.os_family, xdm.network.http.browser, xdm.network.http.url, xdm.source.user_agent, xdm.target.file.filename, xdm.target.file.size

Investigation Query

datamodel dataset = google_workspace_chrome_raw 
| filter (xdm.event.type in ("UNSAFE_SITE_VISIT") and xdm.observer.action = "BYPASSED" and xdm.event.description contains "SOCIAL_ENGINEERING") or (xdm.event.type in ("PASSWORD_BREACH", "PASSWORD_REUSE"))
| filter xdm.source.user.username = $xdm.source.user.username and xdm.intermediate.user.username = $xdm.intermediate.user.username and xdm.source.host.hostname = $xdm.source.host.hostname