Chrome - User Phished and/or Password Re-use/Breach event
This rule alerts on events related to bad navigation via social engineering or password reuse/breach, that resulted in bypass action.
Google Chrome MEDIUM INFILTRATION
Details
| ID | 5e5feef6-08b3-482d-940f-9303ac6bee2d |
|---|---|
| From Version | 8.4.0 |
| Execution Mode | REAL_TIME |
| Dataset | alerts |
MITRE ATT&CK
-
TA0001 - Initial Access
- T1566 - Phishing
- T1078 - Valid Accounts
XQL Query
datamodel dataset = google_workspace_chrome_raw
| filter (xdm.event.type in ("UNSAFE_SITE_VISIT") and xdm.observer.action = "BYPASSED" and xdm.event.description contains "SOCIAL_ENGINEERING") or (xdm.event.type in ("PASSWORD_BREACH", "PASSWORD_REUSE"))
| fields xdm.event.type, xdm.event.description, xdm.observer.action, xdm.event.outcome_reason, xdm.source.user.username, xdm.intermediate.user.username, xdm.source.host.hostname, xdm.source.host.os, xdm.source.host.os_family, xdm.network.http.browser, xdm.network.http.url, xdm.source.user_agent, xdm.target.file.filename, xdm.target.file.size
Investigation Query
datamodel dataset = google_workspace_chrome_raw
| filter (xdm.event.type in ("UNSAFE_SITE_VISIT") and xdm.observer.action = "BYPASSED" and xdm.event.description contains "SOCIAL_ENGINEERING") or (xdm.event.type in ("PASSWORD_BREACH", "PASSWORD_REUSE"))
| filter xdm.source.user.username = $xdm.source.user.username and xdm.intermediate.user.username = $xdm.intermediate.user.username and xdm.source.host.hostname = $xdm.source.host.hostname