Forwarded Google Workspace Security Alert

Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace's security alert center provides an overview of actionable alerts that may be affecting an organization's domain. An alert is a warning of a potential security issue that Google has detected.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2023/01/15"
integration = ["google_workspace"]
maturity = "production"
min_stack_comments = "Google Workspace feature only present in 8.4+ stack versions"
min_stack_version = "8.4.0"
updated_date = "2023/06/22"
promotion = true

[rule]
author = ["Elastic"]
description = """
Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace's security alert
center provides an overview of actionable alerts that may be affecting an organization's domain. An alert is a warning
of a potential security issue that Google has detected.
"""
false_positives = [
    """
    To tune this rule, add exceptions to exclude any google_workspace.alert.type which should not trigger this rule.
    """,
    "For additional tuning, severity exceptions for google_workspace.alert.metadata.severity can be added.",
]
from = "now-130m"
index = ["filebeat-*", "logs-google_workspace*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "Forwarded Google Workspace Security Alert"
note = """## Setup

## Triage and analysis

This is a promotion rule for Google Workspace security events, which are alertable events per the vendor.
Consult vendor documentation on interpreting specific events.
"""
references = ["https://workspace.google.com/products/admin/alert-center/"]
risk_score = 73
rule_id = "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc"
rule_name_override = "google_workspace.alert.type"
severity = "high"
tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Log Auditing", "Use Case: Threat Detection"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: google_workspace.alert
'''

[[rule.severity_mapping]]
field = "google_workspace.alert.metadata.severity"
value = "LOW"
operator = "equals"
severity = "low"

[[rule.severity_mapping]]
field = "google_workspace.alert.metadata.severity"
value = "MEDIUM"
operator = "equals"
severity = "medium"

[[rule.severity_mapping]]
field = "google_workspace.alert.metadata.severity"
value = "HIGH"
operator = "equals"
severity = "high"
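As an added example (not code from Elastic or the detection-rules repository), the Python below applies this rule's promotion logic to constructed Google Workspace alert documents: the dataset match from the KQL query, the three severity_mapping entries with rule.severity as the fallback, the rule_name_override, and an alert-type exception of the kind the false_positives note recommends. The excluded alert type and the sample alert types are assumptions made up for the example.

```python
DATASET = "google_workspace.alert"            # event.dataset in the KQL query
DEFAULT_SEVERITY = "high"                    # rule.severity, used when no mapping matches
NAME_OVERRIDE_FIELD = "google_workspace.alert.type"   # rule_name_override

# Mirrors the [[rule.severity_mapping]] entries of the rule (operator "equals").
SEVERITY_MAPPING = [
    ("google_workspace.alert.metadata.severity", "LOW", "low"),
    ("google_workspace.alert.metadata.severity", "MEDIUM", "medium"),
    ("google_workspace.alert.metadata.severity", "HIGH", "high"),
]

# Hypothetical exception list: alert types an analyst has decided not to promote.
EXCLUDED_ALERT_TYPES = {"Constructed benign alert type"}


def get_field(doc, dotted):
    """Look up a dotted ECS field name in a flat or nested document."""
    if dotted in doc:
        return doc[dotted]
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def promote(doc):
    """Return the alert this rule would raise for doc, or None if it does not fire."""
    if get_field(doc, "event.dataset") != DATASET:
        return None
    alert_type = get_field(doc, NAME_OVERRIDE_FIELD)
    if alert_type in EXCLUDED_ALERT_TYPES:
        return None                           # tuned out via an exception
    severity = DEFAULT_SEVERITY
    for field, value, mapped in SEVERITY_MAPPING:
        if get_field(doc, field) == value:    # first matching mapping wins
            severity = mapped
            break
    name = alert_type or "Forwarded Google Workspace Security Alert"
    return {"name": name, "severity": severity}


# Constructed sample documents using flattened ECS field names.
SAMPLES = [
    {"event.dataset": DATASET, "google_workspace.alert.type": "Sample alert A",
     "google_workspace.alert.metadata.severity": "MEDIUM"},
    {"event.dataset": DATASET, "google_workspace.alert.type": "Sample alert B"},
    {"event.dataset": DATASET,
     "google_workspace.alert.type": "Constructed benign alert type"},
    {"event.dataset": "google_workspace.login", "google_workspace.alert.type": "x"},
]
```

Running `promote` over each entry of SAMPLES shows a medium-severity alert named after the alert type, a high-severity alert when no severity metadata is present, and no alert for the excluded type or for a non-alert dataset.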
