feat(entries): Google Workspace platform — 3 companion-only pairs #21
Merged
Detections over the Google Workspace admin/token/user audit logs (product: google_workspace, field eventName). Three companion-only red↔blue pairs:

- gws-oauth-grant ↔ gws-oauth-audit: consent-phish a malicious OAuth app into Gmail/Drive scopes; detect token authorize (T1528).
- gws-super-admin ↔ gws-admin-audit: promote a controlled user to super admin; detect GRANT_DELEGATED_ADMIN_PRIVILEGES / ASSIGN_ROLE (T1098.003).
- gws-mail-forward ↔ gws-mail-forward-audit: external auto-forwarding for BEC exfil; detect email_forwarding_out_of_domain (T1114.003).

Red side is the Admin SDK / Gmail API (curl); blue side is Workspace audit SPL. Corpus is now 59 paired concepts + 1 unpaired recon entry.

Co-Authored-By: Claude <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011spYcGfeP4a3RNQQVDrGtW
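The three eventName matches the PR describes, run over a handful of constructed Workspace audit records, as an added example (this is not code from the htpx corpus or from this PR; the blue entries themselves are Splunk SPL). The records approximate the Reports API activity shape (id.applicationName, events[].name, events[].parameters) and the parameter names used for scope, role and forwarding destination are assumptions; the ordinary-consent and login records are there to show what the rules ignore.

```python
"""Toy detector for the three Google Workspace audit signals in the PR.

Added example, not part of the htpx corpus. Records are constructed and
approximate the Reports API activity layout; parameter names are assumed.
"""
import json

# Gmail/Drive scopes the gws-oauth-grant entry targets; assumed list.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
}

# (applicationName, eventName) -> (blue entry, ATT&CK technique), as listed in the PR.
RULES = {
    ("token", "authorize"): ("gws-oauth-audit", "T1528"),
    ("admin", "GRANT_DELEGATED_ADMIN_PRIVILEGES"): ("gws-admin-audit", "T1098.003"),
    ("admin", "ASSIGN_ROLE"): ("gws-admin-audit", "T1098.003"),
    ("user_accounts", "email_forwarding_out_of_domain"): ("gws-mail-forward-audit", "T1114.003"),
}

# Constructed sample activity log (newline-delimited JSON); not real tenant data.
SAMPLE_RECORDS = [
    {"id": {"time": "2024-05-01T08:00:00Z", "applicationName": "login"},
     "actor": {"email": "alice@example.com"},
     "events": [{"type": "login", "name": "login_success", "parameters": []}]},
    {"id": {"time": "2024-05-01T08:05:00Z", "applicationName": "token"},
     "actor": {"email": "alice@example.com"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
         {"name": "client_id", "value": "111.apps.googleusercontent.com"},
         {"name": "app_name", "value": "Calendar Sync"},
         {"name": "scope", "multiValue": ["openid", "profile"]}]}]},
    {"id": {"time": "2024-05-01T09:10:00Z", "applicationName": "token"},
     "actor": {"email": "bob@example.com"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
         {"name": "client_id", "value": "222.apps.googleusercontent.com"},
         {"name": "app_name", "value": "Docs Helper"},
         {"name": "scope", "multiValue": ["https://mail.google.com/",
                                          "https://www.googleapis.com/auth/drive"]}]}]},
    {"id": {"time": "2024-05-01T09:30:00Z", "applicationName": "admin"},
     "actor": {"email": "bob@example.com"},
     "events": [{"type": "DELEGATED_ADMIN_SETTINGS", "name": "ASSIGN_ROLE", "parameters": [
         {"name": "ROLE_NAME", "value": "_SEED_ADMIN_ROLE"},
         {"name": "USER_EMAIL", "value": "mallory@example.com"}]}]},
    {"id": {"time": "2024-05-01T09:45:00Z", "applicationName": "user_accounts"},
     "actor": {"email": "bob@example.com"},
     "events": [{"type": "email_forwarding_change", "name": "email_forwarding_out_of_domain",
                 "parameters": [{"name": "email_forwarding_destination_address",
                                 "value": "drop@attacker.example"}]}]},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)


def _params(event):
    """Flatten the parameters list into a dict; multiValue wins when present."""
    out = {}
    for p in event.get("parameters", []):
        out[p["name"]] = p["multiValue"] if "multiValue" in p else p.get("value")
    return out


def _describe(key, params):
    """Alert detail for a matched rule, or None to suppress the match."""
    app, _ = key
    if app == "token":
        scopes = params.get("scope") or []
        if isinstance(scopes, str):
            scopes = [scopes]
        hits = sorted(s for s in scopes if s in SENSITIVE_SCOPES)
        if not hits:
            return None  # openid/profile-only consent is not the T1528 case
        return (f"app={params.get('app_name')} client_id={params.get('client_id')} "
                f"scopes={','.join(hits)}")
    if app == "admin":
        return f"role={params.get('ROLE_NAME')} target={params.get('USER_EMAIL')}"
    return f"destination={params.get('email_forwarding_destination_address')}"


def detect(ndjson_text):
    """Return one finding per (record, event) pair that matches a rule."""
    findings = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        app = rec["id"]["applicationName"]
        actor = rec.get("actor", {}).get("email", "unknown")
        for ev in rec.get("events", []):
            key = (app, ev.get("name"))
            if key not in RULES:
                continue
            detail = _describe(key, _params(ev))
            if detail is None:
                continue
            entry, technique = RULES[key]
            findings.append({"time": rec["id"]["time"], "actor": actor, "eventName": ev["name"],
                             "entry": entry, "technique": technique, "detail": detail})
    return findings


def techniques_by_actor(findings):
    """Pivot findings to actor -> set of techniques; a chained grant/escalate/forward stands out."""
    pivot = {}
    for f in findings:
        pivot.setdefault(f["actor"], set()).add(f["technique"])
    return pivot


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['time']} {f['entry']} [{f['technique']}] actor={f['actor']} {f['detail']}")
```

The token rule is the one worth tuning: plain eventName=authorize fires on every consent in the tenant, so the example only alerts when a Gmail or Drive scope is in the grant, which is what the gws-oauth-grant tradecraft actually asks for. The per-actor pivot is what ties the three pairs together in triage.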
Pull request overview
Adds Google Workspace coverage to the htpx red↔blue companion corpus, introducing three new companion-only attack/detection pairs (OAuth consent grant, super-admin role grant, external mail forwarding) and updating the public-facing corpus summary/changelog accordingly.
Changes:
- Add 3 new Google Workspace red entries covering common tenant-compromise tradecraft (OAuth grant, admin role escalation, mail forwarding).
- Add 3 paired blue entries with Splunk SPL over Google Workspace audit logs (token/admin/user).
- Update README corpus summary/table and CHANGELOG to reflect the new platform and updated paired-entry count.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| README.md | Updates corpus count/tactic span and adds three Workspace rows to the summary table. |
| CHANGELOG.md | Documents the new Google Workspace platform pairs under [Unreleased] and updates corpus count. |
| entries/red/gws-oauth-grant.md | New red entry: malicious OAuth grant (consent phish) tradecraft. |
| entries/blue/gws-oauth-audit.md | New blue entry: SPL for token audit eventName=authorize. |
| entries/red/gws-super-admin.md | New red entry: promote user to super admin via Admin SDK. |
| entries/blue/gws-admin-audit.md | New blue entry: SPL for admin audit role-grant events. |
| entries/red/gws-mail-forward.md | New red entry: configure external auto-forwarding via Gmail API. |
| entries/blue/gws-mail-forward-audit.md | New blue entry: SPL for out-of-domain forwarding audit events. |
The Google Workspace blue entries span admin/token/user audit logs, so the narrow `detection: gws-admin-log` label mislabeled the token/user ones. Use the platform-wide `gws-audit-log` across all three. Co-Authored-By: Claude <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_011spYcGfeP4a3RNQQVDrGtW
Google Workspace

Rounds out the identity/SaaS-admin coverage alongside Entra and Okta, hitting real BEC/consent-phish tradecraft. Detections over the Google Workspace admin/token/user audit logs (product: `google_workspace`, field `eventName`). Three companion-only red↔blue pairs, distinct tactics:

- `gws-oauth-grant` — consent-phish a malicious OAuth app into Gmail/Drive scopes
- `gws-oauth-audit` — token `authorize`
- `gws-super-admin` — promote a controlled user to super admin
- `gws-admin-audit` — `GRANT_DELEGATED_ADMIN_PRIVILEGES` / `ASSIGN_ROLE`
- `gws-mail-forward` — external auto-forwarding for BEC exfil
- `gws-mail-forward-audit` — `email_forwarding_out_of_domain`

Red side is the Admin SDK / Gmail API (`curl`); blue side is Workspace audit SPL.

Verification

- `./gen-views.sh --check` — clean (companion-only)
- (`smb-enum-nxc` unpaired)
- `[Unreleased]` updated

🤖 Generated with Claude Code