Forwarded Google Workspace Security Alert
Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace's security alert center provides an overview of actionable alerts that may be affecting an organization's domain. An alert is a warning of a potential security issue that Google has detected.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2023/01/15"
integration = ["google_workspace"]
maturity = "production"
promotion = true
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace's security alert
center provides an overview of actionable alerts that may be affecting an organization's domain. An alert is a warning
of a potential security issue that Google has detected.
"""
false_positives = [
    """
    To tune this rule, add exceptions to exclude any google_workspace.alert.type which should not trigger this rule.
    """,
    "For additional tuning, severity exceptions for google_workspace.alert.metadata.severity can be added.",
]
from = "now-130m"
index = ["filebeat-*", "logs-google_workspace*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "Forwarded Google Workspace Security Alert"
note = """## Setup

## Triage and analysis

This is a promotion rule for Google Workspace security events, which are alertable events per the vendor.
Consult vendor documentation on interpreting specific events.
"""
references = [
    "https://workspace.google.com/products/admin/alert-center/",
    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two",
]
risk_score = 73
rule_id = "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc"
rule_name_override = "google_workspace.alert.type"
severity = "high"
tags = [
    "Domain: Cloud",
    "Data Source: Google Workspace",
    "Use Case: Log Auditing",
    "Use Case: Threat Detection",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: google_workspace.alert
'''


[[rule.severity_mapping]]
field = "google_workspace.alert.metadata.severity"
operator = "equals"
severity = "low"
value = "LOW"

[[rule.severity_mapping]]
field = "google_workspace.alert.metadata.severity"
operator = "equals"
severity = "medium"
value = "MEDIUM"

[[rule.severity_mapping]]
field = "google_workspace.alert.metadata.severity"
operator = "equals"
severity = "high"
value = "HIGH"
```
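The following is an added worked example, not code from Elastic or the detection-rules repository: a small stand-alone model of what this promotion rule does to a batch of ingested documents. The KQL filter (`event.dataset: google_workspace.alert`), the `severity_mapping` table, the default `severity`, and the `rule_name_override` field are taken from the rule above; the exception parameters (`excluded_types`, `excluded_severities`) model the two tuning approaches listed under `false_positives`, and the sample documents and alert type strings are constructed for illustration. The rule's lookback window (`from` / `interval`) is not modelled.

```python
# Added example: a minimal model of the "Forwarded Google Workspace Security Alert"
# promotion rule. Not Elastic's code; it mirrors the rule's TOML fields only.

# Values copied from the rule definition
RULE_NAME = "Forwarded Google Workspace Security Alert"
DEFAULT_SEVERITY = "high"                       # rule's `severity` when no mapping matches
SEVERITY_FIELD = "google_workspace.alert.metadata.severity"
TYPE_FIELD = "google_workspace.alert.type"      # rule_name_override source field
# [[rule.severity_mapping]] entries: vendor value -> Kibana severity ("equals", exact match)
SEVERITY_MAPPING = {"LOW": "low", "MEDIUM": "medium", "HIGH": "high"}


def get_field(doc: dict, dotted: str):
    """Resolve a dotted ECS-style field path against a nested dict; None if absent."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_query(doc: dict) -> bool:
    """Equivalent of the rule's KQL: event.dataset: google_workspace.alert"""
    return get_field(doc, "event.dataset") == "google_workspace.alert"


def is_excepted(doc: dict, excluded_types=(), excluded_severities=()) -> bool:
    """Model of the tuning exceptions described in false_positives: drop documents whose
    alert type or vendor severity the analyst has chosen not to promote."""
    return (get_field(doc, TYPE_FIELD) in excluded_types
            or get_field(doc, SEVERITY_FIELD) in excluded_severities)


def evaluate(doc: dict, excluded_types=(), excluded_severities=()):
    """Return the alert this rule would raise for one document, or None if it would not fire."""
    if not matches_query(doc) or is_excepted(doc, excluded_types, excluded_severities):
        return None
    vendor_severity = get_field(doc, SEVERITY_FIELD)
    return {
        # rule_name_override: the alert is named after the Workspace alert type when present
        "rule_name": get_field(doc, TYPE_FIELD) or RULE_NAME,
        # severity_mapping is an exact-string "equals" match; anything else keeps the default
        "severity": SEVERITY_MAPPING.get(vendor_severity, DEFAULT_SEVERITY),
        "vendor_severity": vendor_severity,
    }


def evaluate_batch(docs, excluded_types=(), excluded_severities=()):
    """Apply the rule to a list of documents and return the alerts it would generate."""
    results = (evaluate(d, excluded_types, excluded_severities) for d in docs)
    return [alert for alert in results if alert is not None]


# Constructed sample documents (shape follows the google_workspace integration fields;
# alert type names are illustrative, not vendor-exact)
SAMPLE_DOCS = [
    {"event": {"dataset": "google_workspace.alert"},
     "google_workspace": {"alert": {"type": "Suspicious login",
                                    "metadata": {"severity": "HIGH"}}}},
    {"event": {"dataset": "google_workspace.alert"},
     "google_workspace": {"alert": {"type": "Spike in user-reported spam",
                                    "metadata": {"severity": "LOW"}}}},
    # Severity missing entirely: falls back to the rule's default severity
    {"event": {"dataset": "google_workspace.alert"},
     "google_workspace": {"alert": {"type": "Drive settings changed"}}},
    # Different dataset from the same integration: outside the query, never promoted
    {"event": {"dataset": "google_workspace.login"},
     "google_workspace": {"alert": {"type": "Suspicious login",
                                    "metadata": {"severity": "HIGH"}}}},
]


if __name__ == "__main__":
    for alert in evaluate_batch(SAMPLE_DOCS):
        print(f"{alert['severity']:<7} {alert['rule_name']}")
    print("with type exception:",
          len(evaluate_batch(SAMPLE_DOCS, excluded_types=("Spike in user-reported spam",))))
```

Two behaviours worth noting when tuning the real rule: because the mapping uses `operator = "equals"`, a document whose `google_workspace.alert.metadata.severity` is absent or not one of the three listed values is promoted at the rule's default severity (`high`), so a missing field raises rather than lowers the alert level; and because of `rule_name_override`, alerts appear under the Workspace alert type rather than the rule name, so exceptions are most naturally keyed on `google_workspace.alert.type`, as the `false_positives` text suggests.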
Setup
Triage and analysis
This is a promotion rule for Google Workspace security events, which are alertable events per the vendor. Consult vendor documentation on interpreting specific events.
References
Related rules
- AWS SQS Queue Purge
- AWS SSM `SendCommand` Execution by Rare User
- AWS CloudTrail Log Created
- AWS Discovery API Calls via CLI from a Single Resource
- AWS EC2 Deprecated AMI Discovery