feat(entries): Google Workspace platform — 3 companion-only pairs #21

Merged: Gerrrt merged 2 commits into main from claude/dotfiles-round-7-github-b8nut0, Jul 2, 2026

Conversation

@Gerrrt (Collaborator) commented Jul 2, 2026

Google Workspace

Rounds out the identity/SaaS-admin coverage alongside Entra and Okta, hitting real BEC/consent-phish tradecraft. Detections over the Google Workspace admin/token/user audit logs (product: google_workspace, field eventName). Three companion-only red↔blue pairs, distinct tactics:

| Attack (red) | Detection (blue) | ATT&CK |
| --- | --- | --- |
| gws-oauth-grant — consent-phish a malicious OAuth app into Gmail/Drive scopes | gws-oauth-audit — token `authorize` | T1528 (Credential Access) |
| gws-super-admin — promote a controlled user to super admin | gws-admin-audit — `GRANT_DELEGATED_ADMIN_PRIVILEGES` / `ASSIGN_ROLE` | T1098.003 (Persistence) |
| gws-mail-forward — external auto-forwarding for BEC exfil | gws-mail-forward-audit — `email_forwarding_out_of_domain` | T1114.003 (Collection) |

Red side is the Admin SDK / Gmail API (curl); blue side is Workspace audit SPL.

Verification

  • ./gen-views.sh --check — clean (companion-only)
  • Pairing graph — all 59 pairs back-reference bidirectionally (only smb-enum-nxc unpaired)
  • README corpus intro/table + platform list updated (59 paired + 1 unpaired; added Collection to the tactic span); CHANGELOG [Unreleased] updated

🤖 Generated with Claude Code


Generated by Claude Code

Detections over the Google Workspace admin/token/user audit logs
(product: google_workspace, field eventName). Three companion-only red↔blue pairs:

- gws-oauth-grant ↔ gws-oauth-audit: consent-phish a malicious OAuth app into
  Gmail/Drive scopes; detect token authorize (T1528).
- gws-super-admin ↔ gws-admin-audit: promote a controlled user to super admin;
  detect GRANT_DELEGATED_ADMIN_PRIVILEGES / ASSIGN_ROLE (T1098.003).
- gws-mail-forward ↔ gws-mail-forward-audit: external auto-forwarding for BEC exfil;
  detect email_forwarding_out_of_domain (T1114.003).

Red side is the Admin SDK / Gmail API (curl); blue side is Workspace audit SPL.
Corpus is now 59 paired concepts + 1 unpaired recon entry.

Co-Authored-By: Claude <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011spYcGfeP4a3RNQQVDrGtW
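
The three blue-side detections from the table above, run over constructed Google Workspace audit records, as an added example in Python (this is not the corpus's SPL and not code from this PR). Records follow the Reports API `activities.list` shape, where Splunk's `eventName` corresponds to `events[].name`; the parameter names (`client_id`, `app_name`, `scope`, `ROLE_NAME`, `USER_EMAIL`, `email_forwarding_destination_address`), the `_SEED_ADMIN_ROLE` super-admin role name, and the allowlists are assumptions for illustration, not facts from the PR.

```python
"""Added example: gws-oauth-audit / gws-admin-audit / gws-mail-forward-audit
logic over constructed Google Workspace audit events (Reports API shape)."""
import json

# --- Assumptions for illustration (not from the PR) ------------------------
ALLOWED_FORWARD_DOMAINS = {"ticketing.example"}                      # sanctioned external forwards
KNOWN_CLIENT_IDS = {"1111-sanctioned.apps.googleusercontent.com"}    # vetted OAuth apps
HIGH_VALUE_SCOPE_PREFIXES = (                                        # Gmail/Drive data-access scopes
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.",
    "https://www.googleapis.com/auth/drive",
)
SUPER_ADMIN_ROLE = "_SEED_ADMIN_ROLE"   # assumed built-in super-admin role name

# Constructed sample events, one JSON record per line (parameter names assumed).
SAMPLE_LOG = """
{"id":{"applicationName":"token","time":"2026-07-02T10:00:00Z"},"actor":{"email":"alice@corp.example"},"ipAddress":"203.0.113.5","events":[{"type":"auth","name":"authorize","parameters":[{"name":"client_id","value":"9999-helper.apps.googleusercontent.com"},{"name":"app_name","value":"Mail Sync Helper"},{"name":"scope","multiValue":["https://mail.google.com/","https://www.googleapis.com/auth/drive","openid"]}]}]}
{"id":{"applicationName":"token","time":"2026-07-02T10:01:00Z"},"actor":{"email":"alice@corp.example"},"events":[{"type":"auth","name":"authorize","parameters":[{"name":"client_id","value":"1111-sanctioned.apps.googleusercontent.com"},{"name":"app_name","value":"Calendar Widget"},{"name":"scope","multiValue":["https://www.googleapis.com/auth/calendar.readonly"]}]}]}
{"id":{"applicationName":"admin","time":"2026-07-02T10:05:00Z"},"actor":{"email":"alice@corp.example"},"events":[{"type":"DELEGATED_ADMIN_SETTINGS","name":"ASSIGN_ROLE","parameters":[{"name":"ROLE_NAME","value":"_SEED_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"bob@corp.example"}]}]}
{"id":{"applicationName":"admin","time":"2026-07-02T10:06:00Z"},"actor":{"email":"alice@corp.example"},"events":[{"type":"USER_SETTINGS","name":"CREATE_USER","parameters":[{"name":"USER_EMAIL","value":"svc-backup@corp.example"}]}]}
{"id":{"applicationName":"admin","time":"2026-07-02T10:07:00Z"},"actor":{"email":"bob@corp.example"},"events":[{"type":"DELEGATED_ADMIN_SETTINGS","name":"GRANT_DELEGATED_ADMIN_PRIVILEGES","parameters":[{"name":"USER_EMAIL","value":"carol@corp.example"}]}]}
{"id":{"applicationName":"user_accounts","time":"2026-07-02T10:09:00Z"},"actor":{"email":"alice@corp.example"},"events":[{"type":"email_forwarding_change","name":"email_forwarding_out_of_domain","parameters":[{"name":"email_forwarding_destination_address","value":"alice.backup@webmail.example"}]}]}
{"id":{"applicationName":"user_accounts","time":"2026-07-02T10:10:00Z"},"actor":{"email":"dave@corp.example"},"events":[{"type":"email_forwarding_change","name":"email_forwarding_out_of_domain","parameters":[{"name":"email_forwarding_destination_address","value":"queue@ticketing.example"}]}]}
"""


def flatten_params(event):
    """Collapse parameters[] into {name: value or [values]}."""
    out = {}
    for p in event.get("parameters", []):
        if "multiValue" in p:
            out[p["name"]] = p["multiValue"]
        else:
            out[p["name"]] = p.get("value", p.get("boolValue", p.get("intValue")))
    return out


def detect(record):
    """Return the findings (possibly none) for one audit record."""
    app = record["id"]["applicationName"]
    when = record["id"].get("time")
    actor = record.get("actor", {}).get("email", "<unknown>")
    findings = []
    for ev in record.get("events", []):
        name = ev.get("name")   # Splunk's eventName
        p = flatten_params(ev)
        # gws-oauth-audit: unvetted app granted Gmail/Drive scopes (T1528)
        if app == "token" and name == "authorize":
            scopes = p.get("scope") or []
            if isinstance(scopes, str):
                scopes = [scopes]
            risky = [s for s in scopes if s.startswith(HIGH_VALUE_SCOPE_PREFIXES)]
            if risky and p.get("client_id") not in KNOWN_CLIENT_IDS:
                findings.append(dict(rule="gws-oauth-audit", technique="T1528", severity="high",
                                     actor=actor, time=when,
                                     detail=f"{p.get('app_name')} ({p.get('client_id')}) granted {risky}"))
        # gws-admin-audit: any role grant; super admin / delegated admin is critical (T1098.003)
        elif app == "admin" and name in ("ASSIGN_ROLE", "GRANT_DELEGATED_ADMIN_PRIVILEGES"):
            role = p.get("ROLE_NAME", "<delegated>")
            critical = role == SUPER_ADMIN_ROLE or name == "GRANT_DELEGATED_ADMIN_PRIVILEGES"
            findings.append(dict(rule="gws-admin-audit", technique="T1098.003",
                                 severity="critical" if critical else "high",
                                 actor=actor, time=when,
                                 detail=f"{name} {role} -> {p.get('USER_EMAIL')}"))
        # gws-mail-forward-audit: external auto-forward not to a sanctioned domain (T1114.003)
        elif app == "user_accounts" and name == "email_forwarding_out_of_domain":
            dest = p.get("email_forwarding_destination_address", "")
            if dest.rpartition("@")[2].lower() not in ALLOWED_FORWARD_DOMAINS:
                findings.append(dict(rule="gws-mail-forward-audit", technique="T1114.003",
                                     severity="high", actor=actor, time=when,
                                     detail=f"forwarding to {dest}"))
    return findings


def triage(jsonl):
    """Run detect() over newline-delimited audit records."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            findings.extend(detect(json.loads(line)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['rule']} {f['technique']} {f['time']} {f['actor']}: {f['detail']}")
```

Over the seven constructed records this yields four findings: the consent grant to the unvetted app, the super-admin `ASSIGN_ROLE`, the `GRANT_DELEGATED_ADMIN_PRIVILEGES`, and the forward to `webmail.example`; the calendar-only grant, `CREATE_USER`, and the forward to the sanctioned ticketing domain are suppressed. The allowlists stand in for whatever a SOC keeps in a lookup next to the SPL.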

Copilot AI left a comment

Pull request overview

Adds Google Workspace coverage to the htpx red↔blue companion corpus, introducing three new companion-only attack/detection pairs (OAuth consent grant, super-admin role grant, external mail forwarding) and updating the public-facing corpus summary/changelog accordingly.

Changes:

  • Add 3 new Google Workspace red entries covering common tenant-compromise tradecraft (OAuth grant, admin role escalation, mail forwarding).
  • Add 3 paired blue entries with Splunk SPL over Google Workspace audit logs (token/admin/user).
  • Update README corpus summary/table and CHANGELOG to reflect the new platform and updated paired-entry count.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| README.md | Updates corpus count/tactic span and adds three Workspace rows to the summary table. |
| CHANGELOG.md | Documents the new Google Workspace platform pairs under [Unreleased] and updates corpus count. |
| entries/red/gws-oauth-grant.md | New red entry: malicious OAuth grant (consent phish) tradecraft. |
| entries/blue/gws-oauth-audit.md | New blue entry: SPL for token audit eventName=authorize. |
| entries/red/gws-super-admin.md | New red entry: promote user to super admin via Admin SDK. |
| entries/blue/gws-admin-audit.md | New blue entry: SPL for admin audit role-grant events. |
| entries/red/gws-mail-forward.md | New red entry: configure external auto-forwarding via Gmail API. |
| entries/blue/gws-mail-forward-audit.md | New blue entry: SPL for out-of-domain forwarding audit events. |

Comment thread entries/blue/gws-oauth-audit.md
Comment thread entries/blue/gws-mail-forward-audit.md
Comment thread entries/blue/gws-admin-audit.md
The Google Workspace blue entries span admin/token/user audit logs, so the narrow
`detection: gws-admin-log` label mislabeled the token/user ones. Use the
platform-wide `gws-audit-log` across all three.

Co-Authored-By: Claude <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011spYcGfeP4a3RNQQVDrGtW
@Gerrrt Gerrrt merged commit fcbe14a into main Jul 2, 2026
1 check passed
@Gerrrt Gerrrt deleted the claude/dotfiles-round-7-github-b8nut0 branch July 2, 2026 17:04

3 participants