-
Notifications
You must be signed in to change notification settings - Fork 2
/
mondoo-googleworkplace-incident-response.mql.yaml
85 lines (77 loc) · 4.86 KB
/
mondoo-googleworkplace-incident-response.mql.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1
packs:
- uid: mondoo-googleworkspace-incident-response
name: Google Workspace Incident Response Pack
version: 1.1.0
license: BUSL-1.1
authors:
- name: Mondoo, Inc
email: [email protected]
tags:
mondoo.com/platform: google-workspace,saas
mondoo.com/category: security
docs:
desc: |
### Overview
The Google Workspace Incident Response query pack retrieves configuration data about your Google Workspace configuration during a security incident.
### Prerequisites
1. Create/Select a GCP project
2. Navigate to the [Google API Console](https://console.cloud.google.com/apis/dashboard).
3. Select "Enable APIs and Services" and enable the following APIs:
- Admin SDK API
- Cloud Identity API
- Google Calendar API
- Google Drive API
- Gmail API
- Google People API
4. Create a service account for [Google Workspace](https://support.google.com/a/answer/7378726?product_name=UnuFlow&hl=en&visit_id=638041387835615758-4147680582&rd=1&src=supportwidget0&hl=en)
5. Create credentials for the service account and download the json file
6. Enter the following scopes in Security -> Access and data controls -> API controls, and select [Domain-wide Delegation](https://developers.google.com/workspace/guides/create-credentials#delegate_domain-wide_authority_to_your_service_account)
- https://www.googleapis.com/auth/admin.chrome.printers.readonly
- https://www.googleapis.com/auth/admin.directory.customer.readonly
- https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly
- https://www.googleapis.com/auth/admin.directory.device.mobile.readonly
- https://www.googleapis.com/auth/admin.directory.domain.readonly
- https://www.googleapis.com/auth/admin.directory.group.member.readonly
- https://www.googleapis.com/auth/admin.directory.group.readonly
- https://www.googleapis.com/auth/admin.directory.orgunit.readonly
- https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly
- https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly
- https://www.googleapis.com/auth/admin.directory.user.alias.readonly
- https://www.googleapis.com/auth/admin.directory.user.readonly
- https://www.googleapis.com/auth/admin.directory.userschema.readonly
- https://www.googleapis.com/auth/admin.reports.audit.readonly
- https://www.googleapis.com/auth/admin.reports.usage.readonly
- https://www.googleapis.com/auth/admin.directory.user.security
- https://www.googleapis.com/auth/cloud-identity.groups.readonly
### Run query pack
To run this query pack against a Google Workspace customer:
```bash
export GOOGLEWORKSPACE_CREDENTIALS=$PWD/my-project-123456-1234ea722b12.json
cnquery scan google-workspace --customer-id <CUSTOMERID> --impersonated-user-email <EMAIL>
```
filters:
- asset.platform == "googleworkspace" || asset.platform == "google-workspace"
queries:
- uid: mondoo-googleworkspace-incident-response-domain
title: Google Workspace domains
mql: googleworkspace.domains { domainName isPrimary verified }
- uid: mondoo-googleworkspace-incident-response-user-mfa-status
title: Google Workspace users' MFA status
mql: googleworkspace.users { primaryEmail isEnforcedIn2Sv }
- uid: mondoo-googleworkspace-incident-response-super-admins
title: Google Workspace super admins
mql: googleworkspace.report.users.where( security["isSuperAdmin"] == true) { userEmail }
- uid: mondoo-googleworkspace-incident-response-super-admins-without-2FA-enrolled
title: Google Workspace super admins who are not enrolled in 2FA
mql: googleworkspace.users.where(isEnrolledIn2Sv != true && isAdmin == true) {primaryEmail isEnrolledIn2Sv isAdmin}
- uid: mondoo-googleworkspace-incident-response-users-without-2FA-enrolled
title: Google Workspace user accounts that are not enrolled in 2FA
mql: googleworkspace.users.where(isEnrolledIn2Sv != true) {primaryEmail isEnrolledIn2Sv isAdmin}
- uid: mondoo-googleworkspace-incident-response-super-admins-without-hardware-based-2fa
title: Super admin accounts that do not use hardware-based security keys
mql: googleworkspace.report.users.where(security["isSuperAdmin"] == true && security["numSecurityKeys"] <= 0 ) {account['adminSetName'] security['numSecurityKeys']}
- uid: mondoo-googleworkspace-incident-response-config-drift-recovery-email
title: Primary and recovery email accounts of all Google Workspace users
mql: googleworkspace.users {primaryEmail recoveryEmail}