Forwarded Google Workspace Security Alert
Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace's security alert center provides an overview of actionable alerts that may be affecting an organization's domain. An alert is a warning of a potential security issue that Google has detected.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/01/15"
3integration = ["google_workspace"]
4maturity = "production"
5promotion = true
6updated_date = "2024/09/23"
7
8[rule]
9author = ["Elastic"]
10description = """
11Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace's security alert
12center provides an overview of actionable alerts that may be affecting an organization's domain. An alert is a warning
13of a potential security issue that Google has detected.
14"""
15false_positives = [
16 """
17 To tune this rule, add exceptions to exclude any google_workspace.alert.type which should not trigger this rule.
18 """,
19 "For additional tuning, severity exceptions for google_workspace.alert.metadata.severity can be added.",
20]
21from = "now-130m"
22index = ["filebeat-*", "logs-google_workspace*"]
23interval = "10m"
24language = "kuery"
25license = "Elastic License v2"
26name = "Forwarded Google Workspace Security Alert"
27note = """## Setup
28
29## Triage and analysis
30
31This is a promotion rule for Google Workspace security events, which are alertable events per the vendor.
32Consult vendor documentation on interpreting specific events.
33"""
34references = [
35 "https://workspace.google.com/products/admin/alert-center/",
36 "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
37 "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
38]
39risk_score = 73
40rule_id = "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc"
41rule_name_override = "google_workspace.alert.type"
42severity = "high"
43tags = [
44 "Domain: Cloud",
45 "Data Source: Google Workspace",
46 "Use Case: Log Auditing",
47 "Use Case: Threat Detection",
48]
49timestamp_override = "event.ingested"
50type = "query"
51
52query = '''
53event.dataset: google_workspace.alert
54'''
55
56
57[[rule.severity_mapping]]
58field = "google_workspace.alert.metadata.severity"
59operator = "equals"
60severity = "low"
61value = "LOW"
62
63[[rule.severity_mapping]]
64field = "google_workspace.alert.metadata.severity"
65operator = "equals"
66severity = "medium"
67value = "MEDIUM"
68
69[[rule.severity_mapping]]
70field = "google_workspace.alert.metadata.severity"
71operator = "equals"
72severity = "high"
73value = "HIGH"
Setup
Triage and analysis
This is a promotion rule for Google Workspace security events, which are alertable events per the vendor. Consult vendor documentation on interpreting specific events.
References
-
Discover how Google Workspace’s Admin Center provides real-time phishing and malware security alerts along with other cyber security tools.
Read More -
During this multipart series, we’ll help you understand what GW is and some of the common risks to be aware of, while encouraging you to take control of your enterprise resources.
Read More -
During part two of this multipart series, we’ll help you understand how to setup a GW lab for threat detection and research.
Read More
Related rules
- Application Added to Google Workspace Domain
- Application Removed from Blocklist in Google Workspace
- Domain Added to Google Workspace Trusted Domains
- External User Added to Google Workspace Group
- First Time Seen Google Workspace OAuth Login from Third-Party Application