From 34ffc69e68ca7786decdbf6f12c6fc143666a49f Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Fri, 1 Dec 2023 11:21:13 -0800 Subject: [PATCH 01/10] Remove Retrieve from more query names This makes this display better in the data queries tab Signed-off-by: Tim Smith --- core/mondoo-gcp-inventory.mql.yaml | 24 ++++++------- ...ndoo-kubernetes-incident-response.mql.yaml | 34 +++++++++---------- core/mondoo-linux-incident-response.mql.yaml | 18 +++++----- core/mondoo-macos-incident-response.mql.yaml | 22 ++++++------ .../mondoo-openssl-incident-response.mql.yaml | 6 ++-- core/mondoo-vmware-incident-response.mql.yaml | 10 +++--- extra/mondoo-asset-count.mql.yaml | 6 ++-- ...googleworkplace-incident-response.mql.yaml | 14 ++++---- extra/mondoo-okta-incident-response.mql.yaml | 4 +-- 9 files changed, 69 insertions(+), 69 deletions(-) diff --git a/core/mondoo-gcp-inventory.mql.yaml b/core/mondoo-gcp-inventory.mql.yaml index 087f249..55dcd97 100644 --- a/core/mondoo-gcp-inventory.mql.yaml +++ b/core/mondoo-gcp-inventory.mql.yaml @@ -19,7 +19,7 @@ packs: - asset.platform == "gcp" || asset.platform == "gcp-project" queries: - uid: mondoo-asset-inventory-gcp-project-info - title: Retrieve GCP Project Information + title: GCP Project Information mql: | gcp.project { name 
@@ -29,68 +29,68 @@ packs: labels } - uid: mondoo-asset-inventory-gcp-project-owners - title: Retrieve data for all owners of the GCP project + title: GCP project owners docs: desc: | This query retrieves data for all owners of the GCP project mql: gcp.project.iamPolicy.where( role == "roles/owner" ) - uid: mondoo-asset-inventory-gcp-project-editors - title: Retrieve data for all editors of the GCP project + title: GCP project editors docs: desc: | This query retrieves data for all editors of the GCP project mql: gcp.project.iamPolicy.where( role == "roles/editors" ) - uid: mondoo-asset-inventory-gcp-iam-roles - title: Retrieve all IAM Policy roles for the GCP project + title: IAM Policy roles docs: desc: | This query retrieves all roles defined for a GCP project mql: gcp.project.iamPolicy { role } - uid: mondoo-asset-inventory-gcp-enabled-services - title: Retrieve all services enabled in the GCP project + title: Services enabled in the GCP project docs: desc: | This query retrieves all services enabled in the GCP Project mql: gcp.project.services.where( enabled == true ) - uid: mondoo-asset-inventory-gcp-gke-clusters-count - title: Retrieve count of GKE clusters in a GCP project + title: GKE clusters count docs: desc: | This query retrieves a count of GKE clusters running in a GCP project mql: gcp.project.gke.clusters.length - uid: mondoo-asset-inventory-gcp-gke-clusters-data - title: Retrieve data on GKE clusters + title: GKE clusters configuration docs: desc: | This query retrieves all of the configuration data for GKE clusters within a project mql: gcp.project.gke.clusters - uid: mondoo-asset-inventory-gcp-compute-instances-count - title: Retrieve a count of GCP compute instances in a GCP project + title: GCP compute instances count docs: desc: | This query retrieves a count of running GCP compute instances in a GCP project mql: gcp.compute.instances.where( status == "RUNNING" ).length - uid: mondoo-asset-inventory-gcp-compute-instances-data - title: Retrieve 
data from all running GCP compute instances in a GCP project + title: GCP compute instances docs: desc: | This query retrieves the data for all running GCP compute instances in a GCP project mql: gcp.compute.instances.where( status == "RUNNING" ) - uid: mondoo-asset-inventory-gcp-compute-instances-public - title: Retrieve data on public GCP Compute Engine instances + title: GCP Compute Engine instances docs: desc: | This query retrieves the data for all GCP Compute Engine instances that have been configured with an external IP address. mql: | gcp.compute.instances.where( networkInterfaces[0]['accessConfigs'][0]['name'] == "External NAT" ) - uid: mondoo-asset-inventory-gcp-compute-networks-count - title: Retrieve a count of GCP Compute Engine networks in a GCP project + title: GCP Compute Engine networks count docs: desc: | This query retrieves a count of GCP Compute Engine networks configured in a GCP project mql: gcp.compute.networks.length - uid: mondoo-asset-inventory-gcp-compute-networks-data - title: Retrieve data for all GCP Compute Engine networks in a GCP project + title: GCP Compute Engine networks docs: desc: | This query retrieves the data for all GCP Compute Engine networks configured in a GCP project. diff --git a/core/mondoo-kubernetes-incident-response.mql.yaml b/core/mondoo-kubernetes-incident-response.mql.yaml index c18f6d4..ea94662 100644 --- a/core/mondoo-kubernetes-incident-response.mql.yaml +++ b/core/mondoo-kubernetes-incident-response.mql.yaml 
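Review bot: The new title `GCP Compute Engine instances` for `mondoo-asset-inventory-gcp-compute-instances-public` drops the one word that distinguishes this query from `GCP compute instances` two entries above, although its desc and the `"External NAT"` access-config filter are specifically about externally reachable instances; `title: Public GCP Compute Engine instances` keeps that signal visible in the data queries tab. In the same hunk the editors query filters on `role == "roles/editors"`, but the GCP basic role is `roles/editor`, so under its new title `GCP project editors` the query will never list anyone; it should read `mql: gcp.project.iamPolicy.where( role == "roles/editor" )`. Note also that the public-instance filter only inspects `networkInterfaces[0]['accessConfigs'][0]`, so an instance with an external address on another interface or access config is not reported — worth stating in the desc if that limitation is intended.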
@@ -18,11 +18,11 @@ packs: - asset.platform == "kubernetes" || asset.platform == "k8s-cluster" queries: - uid: mondoo-kubernetes-incident-response-cluster-version - title: Retrieve Kubernetes Cluster Version + title: Kubernetes Cluster Version mql: | k8s.serverVersion - uid: mondoo-kubernetes-incident-response-role-bindings-with-cluster-admin-permissions - title: Retrieve role bindings with cluster-admin permissions + title: Role bindings with cluster-admin permissions mql: | k8s.rolebindings.where(roleRef["kind"] == "ClusterRole" && roleRef["name"] == "cluster-admin") { name @@ -31,7 +31,7 @@ packs: roleRef } - uid: mondoo-kubernetes-incident-response-clusterrole-bindings-with-cluster-admin-permissions - title: Retrieve ClusterRoleBindings with cluster-admin permissions + title: ClusterRoleBindings with cluster-admin permissions mql: | k8s.clusterrolebindings.where(roleRef["kind"] == "ClusterRole" && roleRef["name"] == "cluster-admin") { name @@ -43,7 +43,7 @@ packs: - asset.platform == "k8s-pod" queries: - uid: mondoo-kubernetes-incident-response-pod-security-context - title: Retrieve Pod Security Context + title: Pod Security Context mql: | k8s.pod { ephemeralContainers { @@ -57,7 +57,7 @@ packs: } } - uid: mondoo-kubernetes-incident-response-pod-container - title: Retrieve container image information + title: Container image information mql: | k8s.pod { name @@ -105,7 +105,7 @@ packs: - asset.platform == "k8s-deployment" queries: - uid: mondoo-kubernetes-incident-response-deployment-security-context - title: Retrieve Deployment Security Context + title: Deployment Security Context mql: | k8s.deployment { initContainers { @@ -116,7 +116,7 @@ packs: } } - uid: mondoo-kubernetes-incident-response-deployment-container - title: Retrieve container image information + title: Container image information mql: | k8s.deployment { name 
@@ -151,7 +151,7 @@ packs: - asset.platform == "k8s-cronjob" queries: - uid: mondoo-kubernetes-incident-response-cronjob-security-context - title: Retrieve CronJob Security Context + title: CronJob Security Context mql: | k8s.cronjob { initContainers { @@ -162,7 +162,7 @@ packs: } } - uid: mondoo-kubernetes-incident-response-cronjob-container - title: Retrieve container image information + title: Container image information mql: | k8s.cronjob { name @@ -197,7 +197,7 @@ packs: - asset.platform == "k8s-job" queries: - uid: mondoo-kubernetes-incident-response-job-security-context - title: Retrieve Job Security Context + title: Job Security Context mql: | k8s.job { initContainers { @@ -208,7 +208,7 @@ packs: } } - uid: mondoo-kubernetes-incident-response-job-container - title: Retrieve container image information + title: Container image information mql: | k8s.job { name @@ -243,7 +243,7 @@ packs: - asset.platform == "k8s-daemonset" queries: - uid: mondoo-kubernetes-incident-response-daemonset-security-context - title: Retrieve DaemonSet Security Context + title: DaemonSet Security Context mql: | k8s.daemonset { initContainers { @@ -254,7 +254,7 @@ packs: } } - uid: mondoo-kubernetes-incident-response-daemonset-container - title: Retrieve container image information + title: Container image information mql: | k8s.daemonset { name @@ -289,7 +289,7 @@ packs: - asset.platform == "k8s-statefulset" queries: - uid: mondoo-kubernetes-incident-response-statefulset-security-context - title: Retrieve StatefulSet Security Context + title: StatefulSet Security Context mql: | k8s.statefulset { initContainers { @@ -300,7 +300,7 @@ packs: } } - uid: mondoo-kubernetes-incident-response-statefulset-container - title: Retrieve container image information + title: Container image information mql: | k8s.statefulset { name 
@@ -335,7 +335,7 @@ packs: - asset.platform == "k8s-replicaset" queries: - uid: mondoo-kubernetes-incident-response-replicaset-security-context - title: Retrieve ReplicaSet Security Context + title: ReplicaSet Security Context mql: | k8s.replicaset { initContainers { @@ -346,7 +346,7 @@ packs: } } - uid: mondoo-kubernetes-incident-response-replicaset-container - title: Retrieve container image information + title: Container image information mql: | k8s.replicaset { name diff --git a/core/mondoo-linux-incident-response.mql.yaml b/core/mondoo-linux-incident-response.mql.yaml index bf6bbd0..cc74d65 100644 --- a/core/mondoo-linux-incident-response.mql.yaml +++ b/core/mondoo-linux-incident-response.mql.yaml 
@@ -16,34 +16,34 @@ packs: - asset.family.contains("linux") queries: - uid: mondoo-linux-incident-response-installed-kernel - title: Retrieve installed Linux kernels + title: Installed Linux kernels filters: mondoo.capabilities.contains("run-command") mql: kernel.installed - uid: mondoo-linux-kernel-info - title: Retrieve the running Linux kernel + title: Running Linux kernel filters: mondoo.capabilities.contains("run-command") mql: kernel.info - uid: mondoo-linux-kernel-modules - title: Retrieve Linux kernel modules + title: Linux kernel modules mql: kernel.modules { name loaded } - uid: mondoo-linux-incident-response-processes - title: Retrieve running processes + title: Running processes filters: mondoo.capabilities.contains("run-command") mql: processes { pid command } - uid: mondoo-linux-mounts - title: Retrieve mounted devices + title: Mounted devices mql: mount.list { path fstype device options } - uid: mondoo-linux-listening-ports - title: Retrieve all listening ports + title: All listening ports filters: mondoo.capabilities.contains("run-command") mql: ports.listening - uid: mondoo-linux-uptime - title: Retrieve operating system uptime + title: Operating system uptime filters: mondoo.capabilities.contains("run-command") mql: os.uptime - uid: mondoo-linux-installed-packages - title: Retrieve installed packages + title: Installed packages mql: packages { name version arch installed } - uid: mondoo-linux-running-services - title: Retrieve running services + title: Running services mql: services { name running enabled masked type } diff --git a/core/mondoo-macos-incident-response.mql.yaml b/core/mondoo-macos-incident-response.mql.yaml index 3127999..dde3472 100644 --- a/core/mondoo-macos-incident-response.mql.yaml +++ b/core/mondoo-macos-incident-response.mql.yaml 
@@ -16,35 +16,35 @@ packs: - asset.platform == "macos" queries: - uid: mondoo-macos-incident-response-platform-info - title: Retrieve platform information + title: Platform information mql: asset { platform title version arch } - uid: mondoo-macos-incident-response-regular-users - title: Retrieve regular users + title: Regular users mql: users.where( name != /^_/ && shell != /\/usr\/bin\/false/ ) - uid: mondoo-macos-incident-response-kernel-info - title: Retrieve the running macOS kernel + title: Running macOS kernel mql: kernel.info["version"] - uid: mondoo-macos-incident-response-kernel-modules - title: Retrieve macOS kernel modules + title: macOS kernel modules mql: kernel.modules { name loaded } - uid: mondoo-macos-incident-response-processes - title: Retrieve running processes + title: Running processes mql: processes.list { pid command } - uid: mondoo-macos-incident-response-mounts - title: Retrieve mounted devices + title: Mounted devices mql: mount.list - uid: mondoo-macos-incident-response-uptime - title: Retrieve operating system uptime + title: Operating system uptime mql: os.uptime - uid: mondoo-macos-incident-response-installed-packages - title: Retrieve installed packages + title: Installed packages mql: packages - uid: mondoo-macos-incident-response-running-services - title: Retrieve running services + title: Running services mql: services - uid: mondoo-macos-incident-response-alf-extensions - title: Retrieve exceptions from the Application Layer Firewall + title: Exceptions from the Application Layer Firewall mql: macos.alf.exceptions - uid: mondoo-macos-incident-response-check-recommended-updates - title: Retrieve any recommended updates + title: Recommended OS and application updates mql: parse.plist('/Library/Preferences/com.apple.SoftwareUpdate.plist').params['RecommendedUpdates'] diff --git a/core/mondoo-openssl-incident-response.mql.yaml b/core/mondoo-openssl-incident-response.mql.yaml index 422619e..6568a94 100644 
--- a/core/mondoo-openssl-incident-response.mql.yaml +++ b/core/mondoo-openssl-incident-response.mql.yaml @@ -16,7 +16,7 @@ packs: - asset.family.contains("linux") queries: - uid: mondoo-openssl-incident-response-platform - title: Retrieve platform details + title: Platform details mql: | asset { platform @@ -24,10 +24,10 @@ packs: arch } - uid: mondoo-openssl-incident-response-installed-version - title: Retrieve installed ssl libraries + title: Installed ssl libraries mql: packages.where(name == /ssl/) - uid: mondoo-openssl-incident-response-listening-ports - title: Retrieve listening ports from running systems + title: Listening ports from running systems mql: | if ( mondoo.capabilities.contains('run-command') ) { ports.listening { diff --git a/core/mondoo-vmware-incident-response.mql.yaml b/core/mondoo-vmware-incident-response.mql.yaml index 7ef25c4..dd784c3 100644 --- a/core/mondoo-vmware-incident-response.mql.yaml +++ b/core/mondoo-vmware-incident-response.mql.yaml @@ -35,13 +35,13 @@ packs: - asset.platform == "vmware-esxi" queries: - uid: mondoo-vmware-incident-response-kernel-modules - title: Retrieve kernel modules + title: Kernel modules mql: vsphere.host.kernelModules - uid: mondoo-vmware-incident-response-installed-packages - title: Retrieve installed packages + title: Installed packages mql: vsphere.host.packages - uid: mondoo-vmware-incident-response-running-services - title: Retrieve all services + title: All services mql: vsphere.host.services refs: - title: VMSA-2021-0002 @@ -49,7 +49,7 @@ packs: - title: How to Disable/Enable the SLP Service on VMware ESXi (76372) url: https://kb.vmware.com/s/article/76372 - uid: mondoo-vmware-incident-response-acceptance-level - title: Retrieve host acceptance level + title: Host acceptance level docs: desc: The host acceptance level determines which VIBs can be installed on a host. mql: vsphere.host.acceptanceLevel 
@@ -57,5 +57,5 @@ packs: - title: url: https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.upgrade.doc/GUID-27BBBAB8-01EA-4238-8140-1C3C3EFC0AA6.html - uid: mondoo-vmware-incident-response-ntp-servers - title: Retrieve all configured NTP servers + title: Configured NTP servers mql: vsphere.host.ntp.server diff --git a/extra/mondoo-asset-count.mql.yaml b/extra/mondoo-asset-count.mql.yaml index 212d34e..8b49bc6 100644 --- a/extra/mondoo-asset-count.mql.yaml +++ b/extra/mondoo-asset-count.mql.yaml @@ -94,12 +94,12 @@ packs: - uid: mondoo-asset-count-gitlab-group-projects queries: - uid: mondoo-asset-count-on-vsphere-cluster-esxi - title: Retrieve all ESXi hosts + title: ESXi hosts mql: | vsphere.datacenters { hosts.length } - uid: mondoo-asset-count-on-vsphere-cluster-vms - title: Retrieve all VMs from vSphere cluster + title: VMs from vSphere cluster mql: | vsphere.datacenters { vms.length } @@ -268,7 +268,7 @@ queries: mql: aws.sns.topics.length - uid: mondoo-asset-count-in-windows-domain - title: Retrieve all computer object from the Windows domain + title: All computer object from the Windows domain mql: | parse.json(content: powershell('$time = (Get-Date).Adddays(-(180));Get-ADComputer -Filter {LastLogonTimeStamp -ge $time} -properties * | select Name,Enabled,OperatingSystem,OperatingSystemVersion,LastLogonDate | ConvertTo-Json').stdout).params diff --git a/extra/mondoo-googleworkplace-incident-response.mql.yaml b/extra/mondoo-googleworkplace-incident-response.mql.yaml index e0a39cf..bb84183 100644 --- a/extra/mondoo-googleworkplace-incident-response.mql.yaml +++ b/extra/mondoo-googleworkplace-incident-response.mql.yaml 
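Review bot: The new title `All computer object from the Windows domain` (and `All computer objects in the Windows domain` in the later @@ -268 hunk of patch 04) says "all", but the PowerShell command filters on `LastLogonTimeStamp -ge $time` with `$time` set 180 days back, so only computers that authenticated within the last 180 days are counted. A reader of the data queries tab cannot see that cutoff from the title; add a `docs: desc:` such as `Counts domain computer objects whose LastLogonTimeStamp is within the last 180 days.` or fold the window into the title. The 180-day window is also a literal inside the command string, so anyone adjusting it has to edit the PowerShell rather than a visible setting.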
@@ -63,23 +63,23 @@ packs: - asset.platform == "googleworkspace" || asset.platform == "google-workspace" queries: - uid: mondoo-googleworkspace-incident-response-domain - title: Retrieve Google Workspace Domains + title: Google Workspace Domains mql: googleworkspace.domains { domainName isPrimary verified } - uid: mondoo-googleworkspace-incident-response-user-mfa-status - title: Retrieve Google Workspace Users MFA status + title: Google Workspace Users MFA status mql: googleworkspace.users { primaryEmail isEnforcedIn2Sv } - uid: mondoo-googleworkspace-incident-response-super-admins - title: Retrieve Google Workspace Super Admins + title: Google Workspace Super Admins mql: googleworkspace.report.users.where( security["isSuperAdmin"] == true) { userEmail } - uid: mondoo-googleworkspace-incident-response-super-admins-without-2FA-enrolled - title: Retrieve Google Workspace Super Admins who are not enrolled in 2FA + title: Google Workspace Super Admins who are not enrolled in 2FA mql: googleworkspace.users.where(isEnrolledIn2Sv != true && isAdmin == true) {primaryEmail isEnrolledIn2Sv isAdmin} - uid: mondoo-googleworkspace-incident-response-users-without-2FA-enrolled - title: Retrieve Google Workspace User accounts which are not enrolled in 2FA + title: Google Workspace User accounts which are not enrolled in 2FA mql: googleworkspace.users.where(isEnrolledIn2Sv != true) {primaryEmail isEnrolledIn2Sv isAdmin} - uid: mondoo-googleworkspace-incident-response-super-admins-without-hardware-based-2fa - title: Retrieve all Super Admin accounts which do not employ hardware based security keys + title: Super Admin accounts which do not employ hardware based security keys mql: googleworkspace.report.users.where(security["isSuperAdmin"] == true && security["numSecurityKeys"] <= 0 ) {account['adminSetName'] security['numSecurityKeys']} - uid: mondoo-googleworkspace-incident-response-config-drift-recovery-email - title: Retrieve primary and recovery email accounts of all Google 
Workspace users + title: Primary and recovery email accounts of all Google Workspace users mql: googleworkspace.users {primaryEmail recoveryEmail} diff --git a/extra/mondoo-okta-incident-response.mql.yaml b/extra/mondoo-okta-incident-response.mql.yaml index 40754fc..4675470 100644 --- a/extra/mondoo-okta-incident-response.mql.yaml +++ b/extra/mondoo-okta-incident-response.mql.yaml @@ -37,8 +37,8 @@ packs: - asset.platform == "okta" || asset.platform == "okta-org" queries: - uid: mondoo-okta-incident-response-users - title: Retrieve Users + title: Users mql: okta.users - uid: mondoo-okta-incident-response-team-id - title: Retrieve installed applications + title: Installed applications mql: okta.applications From 25c2ff88111d2cdac0c17a3ccf471edc186e9ecf Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Fri, 1 Dec 2023 11:35:43 -0800 Subject: [PATCH 02/10] Update core/mondoo-openssl-incident-response.mql.yaml Co-authored-by: Letha --- core/mondoo-openssl-incident-response.mql.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/mondoo-openssl-incident-response.mql.yaml b/core/mondoo-openssl-incident-response.mql.yaml index 6568a94..63daeea 100644 --- a/core/mondoo-openssl-incident-response.mql.yaml +++ b/core/mondoo-openssl-incident-response.mql.yaml @@ -27,7 +27,7 @@ packs: title: Installed ssl libraries mql: packages.where(name == /ssl/) - uid: mondoo-openssl-incident-response-listening-ports - title: Listening ports from running systems + title: Listening ports for running systems mql: | if ( mondoo.capabilities.contains('run-command') ) { ports.listening { From 8b552ce2b5604613c88559d5e33b6887f50c9489 Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Fri, 1 Dec 2023 11:35:49 -0800 Subject: [PATCH 03/10] Update extra/mondoo-asset-count.mql.yaml Co-authored-by: Letha --- extra/mondoo-asset-count.mql.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
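Review bot: Under the title `Google Workspace Users MFA status` (retitled again in the patch 08 hunk at @@ -66,7), `mondoo-googleworkspace-incident-response-user-mfa-status` projects only `isEnforcedIn2Sv`, which by its name reports whether 2-step verification is enforced for the user, while the two enrollment queries further down rely on `isEnrolledIn2Sv`; enforcement and enrollment can differ, so a status view that shows one without the other is easy to misread during incident triage. Returning both, `mql: googleworkspace.users { primaryEmail isEnforcedIn2Sv isEnrolledIn2Sv }`, makes the query match its title without touching the uid.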
diff --git a/extra/mondoo-asset-count.mql.yaml b/extra/mondoo-asset-count.mql.yaml index 8b49bc6..a27af62 100644 --- a/extra/mondoo-asset-count.mql.yaml +++ b/extra/mondoo-asset-count.mql.yaml @@ -99,7 +99,7 @@ queries: vsphere.datacenters { hosts.length } - uid: mondoo-asset-count-on-vsphere-cluster-vms - title: VMs from vSphere cluster + title: VMs in vSphere cluster mql: | vsphere.datacenters { vms.length } From e54641831108ebb0099faf66915a5c39bc2132cb Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Fri, 1 Dec 2023 11:35:55 -0800 Subject: [PATCH 04/10] Update extra/mondoo-asset-count.mql.yaml Co-authored-by: Letha --- extra/mondoo-asset-count.mql.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extra/mondoo-asset-count.mql.yaml b/extra/mondoo-asset-count.mql.yaml index a27af62..237dc6d 100644 --- a/extra/mondoo-asset-count.mql.yaml +++ b/extra/mondoo-asset-count.mql.yaml @@ -268,7 +268,7 @@ queries: mql: aws.sns.topics.length - uid: mondoo-asset-count-in-windows-domain - title: All computer object from the Windows domain + title: All computer objects in the Windows domain mql: | parse.json(content: powershell('$time = (Get-Date).Adddays(-(180));Get-ADComputer -Filter {LastLogonTimeStamp -ge $time} -properties * | select Name,Enabled,OperatingSystem,OperatingSystemVersion,LastLogonDate | ConvertTo-Json').stdout).params From 2a0493da4a8a1c243fe04d48236482b008aacb68 Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Fri, 1 Dec 2023 11:36:00 -0800 Subject: [PATCH 05/10] Update extra/mondoo-googleworkplace-incident-response.mql.yaml Co-authored-by: Letha --- extra/mondoo-googleworkplace-incident-response.mql.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extra/mondoo-googleworkplace-incident-response.mql.yaml b/extra/mondoo-googleworkplace-incident-response.mql.yaml index bb84183..2e54502 100644 --- a/extra/mondoo-googleworkplace-incident-response.mql.yaml +++ b/extra/mondoo-googleworkplace-incident-response.mql.yaml 
@@ -63,7 +63,7 @@ packs: - asset.platform == "googleworkspace" || asset.platform == "google-workspace" queries: - uid: mondoo-googleworkspace-incident-response-domain - title: Google Workspace Domains + title: Google Workspace domains mql: googleworkspace.domains { domainName isPrimary verified } - uid: mondoo-googleworkspace-incident-response-user-mfa-status title: Google Workspace Users MFA status From 801753aa27b2ed4597f8c8e862c3f03f034f8086 Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Fri, 1 Dec 2023 11:36:05 -0800 Subject: [PATCH 06/10] Update extra/mondoo-googleworkplace-incident-response.mql.yaml Co-authored-by: Letha --- extra/mondoo-googleworkplace-incident-response.mql.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extra/mondoo-googleworkplace-incident-response.mql.yaml b/extra/mondoo-googleworkplace-incident-response.mql.yaml index 2e54502..a371302 100644 --- a/extra/mondoo-googleworkplace-incident-response.mql.yaml +++ b/extra/mondoo-googleworkplace-incident-response.mql.yaml @@ -69,7 +69,7 @@ packs: title: Google Workspace Users MFA status mql: googleworkspace.users { primaryEmail isEnforcedIn2Sv } - uid: mondoo-googleworkspace-incident-response-super-admins - title: Google Workspace Super Admins + title: Google Workspace super admins mql: googleworkspace.report.users.where( security["isSuperAdmin"] == true) { userEmail } - uid: mondoo-googleworkspace-incident-response-super-admins-without-2FA-enrolled title: Google Workspace Super Admins who are not enrolled in 2FA From 6ec464605343520764398d4477baaff023eb2369 Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Fri, 1 Dec 2023 11:36:13 -0800 Subject: [PATCH 07/10] Update extra/mondoo-googleworkplace-incident-response.mql.yaml Co-authored-by: Letha --- extra/mondoo-googleworkplace-incident-response.mql.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/extra/mondoo-googleworkplace-incident-response.mql.yaml b/extra/mondoo-googleworkplace-incident-response.mql.yaml index a371302..85c9294 100644 --- a/extra/mondoo-googleworkplace-incident-response.mql.yaml +++ b/extra/mondoo-googleworkplace-incident-response.mql.yaml @@ -75,7 +75,7 @@ packs: title: Google Workspace Super Admins who are not enrolled in 2FA mql: googleworkspace.users.where(isEnrolledIn2Sv != true && isAdmin == true) {primaryEmail isEnrolledIn2Sv isAdmin} - uid: mondoo-googleworkspace-incident-response-users-without-2FA-enrolled - title: Google Workspace User accounts which are not enrolled in 2FA + title: Google Workspace user accounts that are not enrolled in 2FA mql: googleworkspace.users.where(isEnrolledIn2Sv != true) {primaryEmail isEnrolledIn2Sv isAdmin} - uid: mondoo-googleworkspace-incident-response-super-admins-without-hardware-based-2fa title: Super Admin accounts which do not employ hardware based security keys From f6fb87f4793947b4616f5d81652a6880f111f48d Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Fri, 1 Dec 2023 11:36:19 -0800 Subject: [PATCH 08/10] Update extra/mondoo-googleworkplace-incident-response.mql.yaml Co-authored-by: Letha --- extra/mondoo-googleworkplace-incident-response.mql.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extra/mondoo-googleworkplace-incident-response.mql.yaml b/extra/mondoo-googleworkplace-incident-response.mql.yaml index 85c9294..bd52ad8 100644 --- a/extra/mondoo-googleworkplace-incident-response.mql.yaml +++ b/extra/mondoo-googleworkplace-incident-response.mql.yaml 
@@ -66,7 +66,7 @@ packs: title: Google Workspace domains mql: googleworkspace.domains { domainName isPrimary verified } - uid: mondoo-googleworkspace-incident-response-user-mfa-status - title: Google Workspace Users MFA status + title: Google Workspace users' MFA status mql: googleworkspace.users { primaryEmail isEnforcedIn2Sv } - uid: mondoo-googleworkspace-incident-response-super-admins title: Google Workspace super admins From 2514af734a0387e30082edfded1582cb3042f3f2 Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Fri, 1 Dec 2023 11:36:24 -0800 Subject: [PATCH 09/10] Update extra/mondoo-googleworkplace-incident-response.mql.yaml Co-authored-by: Letha --- extra/mondoo-googleworkplace-incident-response.mql.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extra/mondoo-googleworkplace-incident-response.mql.yaml b/extra/mondoo-googleworkplace-incident-response.mql.yaml index bd52ad8..4b749d3 100644 --- a/extra/mondoo-googleworkplace-incident-response.mql.yaml +++ b/extra/mondoo-googleworkplace-incident-response.mql.yaml @@ -72,7 +72,7 @@ packs: title: Google Workspace super admins mql: googleworkspace.report.users.where( security["isSuperAdmin"] == true) { userEmail } - uid: mondoo-googleworkspace-incident-response-super-admins-without-2FA-enrolled - title: Google Workspace Super Admins who are not enrolled in 2FA + title: Google Workspace super admins who are not enrolled in 2FA mql: googleworkspace.users.where(isEnrolledIn2Sv != true && isAdmin == true) {primaryEmail isEnrolledIn2Sv isAdmin} - uid: mondoo-googleworkspace-incident-response-users-without-2FA-enrolled title: Google Workspace user accounts that are not enrolled in 2FA From 087ee323f79f4c2edde8e7d976a2dbc1edb4ce8f Mon Sep 17 00:00:00 2001 
From: Tim Smith Date: Fri, 1 Dec 2023 11:36:31 -0800 Subject: [PATCH 10/10] Update extra/mondoo-googleworkplace-incident-response.mql.yaml Co-authored-by: Letha --- extra/mondoo-googleworkplace-incident-response.mql.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extra/mondoo-googleworkplace-incident-response.mql.yaml b/extra/mondoo-googleworkplace-incident-response.mql.yaml index 4b749d3..18bb4a9 100644 --- a/extra/mondoo-googleworkplace-incident-response.mql.yaml +++ b/extra/mondoo-googleworkplace-incident-response.mql.yaml @@ -78,7 +78,7 @@ packs: title: Google Workspace user accounts that are not enrolled in 2FA mql: googleworkspace.users.where(isEnrolledIn2Sv != true) {primaryEmail isEnrolledIn2Sv isAdmin} - uid: mondoo-googleworkspace-incident-response-super-admins-without-hardware-based-2fa - title: Super Admin accounts which do not employ hardware based security keys + title: Super admin accounts that do not use hardware-based security keys mql: googleworkspace.report.users.where(security["isSuperAdmin"] == true && security["numSecurityKeys"] <= 0 ) {account['adminSetName'] security['numSecurityKeys']} - uid: mondoo-googleworkspace-incident-response-config-drift-recovery-email title: Primary and recovery email accounts of all Google Workspace users