Forwarded Google Workspace Security Alert

Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace's security alert center provides an overview of actionable alerts that may be affecting an organization's domain. An alert is a warning of a potential security issue that Google has detected.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/01/15"
 3integration = ["google_workspace"]
 4maturity = "production"
 5promotion = true
 6updated_date = "2025/01/15"
 7
 8[rule]
 9author = ["Elastic"]
10description = """
11Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace's security alert
12center provides an overview of actionable alerts that may be affecting an organization's domain. An alert is a warning
13of a potential security issue that Google has detected.
14"""
15false_positives = [
16    """
17    To tune this rule, add exceptions to exclude any google_workspace.alert.type which should not trigger this rule.
18    """,
19    "For additional tuning, severity exceptions for google_workspace.alert.metadata.severity can be added.",
20]
21from = "now-130m"
22index = ["filebeat-*", "logs-google_workspace*"]
23interval = "10m"
24language = "kuery"
25license = "Elastic License v2"
26name = "Forwarded Google Workspace Security Alert"
27note = """## Setup
28
29## Triage and analysis
30
31This is a promotion rule for Google Workspace security events, which are alertable events per the vendor.
32Consult vendor documentation on interpreting specific events.
33"""
34references = [
35    "https://workspace.google.com/products/admin/alert-center/",
36    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
37    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
38]
39risk_score = 73
40rule_id = "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc"
41rule_name_override = "google_workspace.alert.type"
42severity = "high"
43tags = [
44    "Domain: Cloud",
45    "Data Source: Google Workspace",
46    "Use Case: Log Auditing",
47    "Use Case: Threat Detection",
48    "Resources: Investigation Guide",
49]
50timestamp_override = "event.ingested"
51type = "query"
52
53query = '''
54event.dataset: google_workspace.alert
55'''
56
57
58[[rule.severity_mapping]]
59field = "google_workspace.alert.metadata.severity"
60operator = "equals"
61severity = "low"
62value = "LOW"
63
64[[rule.severity_mapping]]
65field = "google_workspace.alert.metadata.severity"
66operator = "equals"
67severity = "medium"
68value = "MEDIUM"
69
70[[rule.severity_mapping]]
71field = "google_workspace.alert.metadata.severity"
72operator = "equals"
73severity = "high"
74value = "HIGH"
...
toml

This is a promotion rule for Google Workspace security events, which are alertable events per the vendor. Consult vendor documentation on interpreting specific events.

References

Related rules

to-top