Forwarded Google Workspace Security Alert

Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace's security alert center provides an overview of actionable alerts that may be affecting an organization's domain. An alert is a warning of a potential security issue that Google has detected.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2023/01/15"
integration = ["google_workspace"]
maturity = "production"
promotion = true
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace's security alert
center provides an overview of actionable alerts that may be affecting an organization's domain. An alert is a warning
of a potential security issue that Google has detected.
"""
false_positives = [
    """
    To tune this rule, add exceptions to exclude any google_workspace.alert.type which should not trigger this rule.
    """,
    "For additional tuning, severity exceptions for google_workspace.alert.metadata.severity can be added.",
]
from = "now-130m"
index = ["filebeat-*", "logs-google_workspace*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "Forwarded Google Workspace Security Alert"
note = """## Setup

## Triage and analysis

This is a promotion rule for Google Workspace security events, which are alertable events per the vendor.
Consult vendor documentation on interpreting specific events.
"""
references = ["https://workspace.google.com/products/admin/alert-center/"]
risk_score = 73
rule_id = "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc"
rule_name_override = "google_workspace.alert.type"
severity = "high"
tags = [
    "Domain: Cloud",
    "Data Source: Google Workspace",
    "Use Case: Log Auditing",
    "Use Case: Threat Detection",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: google_workspace.alert
'''


[[rule.severity_mapping]]
field = "google_workspace.alert.metadata.severity"
operator = "equals"
severity = "low"
value = "LOW"

[[rule.severity_mapping]]
field = "google_workspace.alert.metadata.severity"
operator = "equals"
severity = "medium"
value = "MEDIUM"

[[rule.severity_mapping]]
field = "google_workspace.alert.metadata.severity"
operator = "equals"
severity = "high"
value = "HIGH"

Setup

Triage and analysis

This is a promotion rule for Google Workspace security events, which are alertable events per the vendor. Consult vendor documentation on interpreting specific events.
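
To make the rule's behaviour concrete, here is an added example (not Elastic's code) that models what this promotion rule does to a batch of Google Workspace alert-center documents: the KQL dataset filter, the rule_name_override, the three severity_mapping entries with the static severity as fallback, and the alert.type / metadata.severity exceptions the false_positives guidance suggests. The sample documents and the promote/get_path helpers are constructed for this example; only the field names and mapping values come from the rule.

```python
# Added example (not Elastic's code): a minimal model of how this promotion
# rule turns Google Workspace alert-center events into Elastic alerts.

# Mirrors the [[rule.severity_mapping]] entries: vendor LOW/MEDIUM/HIGH -> rule severity.
SEVERITY_MAPPING = {"LOW": "low", "MEDIUM": "medium", "HIGH": "high"}
DEFAULT_SEVERITY = "high"  # the rule's static `severity`, used when no mapping matches

# Constructed sample documents in the shape the google_workspace integration produces
# (field names are from the rule; alert types and severities are made-up sample values).
SAMPLE_EVENTS = [
    {"event": {"dataset": "google_workspace.alert"},
     "google_workspace": {"alert": {"type": "Suspicious login",
                                    "metadata": {"severity": "HIGH"}}}},
    {"event": {"dataset": "google_workspace.alert"},
     "google_workspace": {"alert": {"type": "Gmail potential employee spoofing",
                                    "metadata": {"severity": "LOW"}}}},
    {"event": {"dataset": "google_workspace.alert"},
     "google_workspace": {"alert": {"type": "Device compromised",
                                    "metadata": {"severity": "UNKNOWN"}}}},  # unmapped severity
    {"event": {"dataset": "google_workspace.login"},
     "google_workspace": {"alert": {"type": "not an alert"}}},  # fails the KQL query
]

def get_path(doc, dotted):
    """Resolve a dotted field path; return None when any segment is missing."""
    for key in dotted.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def promote(events, excluded_types=(), excluded_severities=()):
    """Apply the rule: query filter, tuning exceptions, severity mapping, name override."""
    alerts = []
    for doc in events:
        if get_path(doc, "event.dataset") != "google_workspace.alert":  # the rule's query
            continue
        alert_type = get_path(doc, "google_workspace.alert.type")
        vendor_sev = get_path(doc, "google_workspace.alert.metadata.severity")
        # Exceptions on alert.type / metadata.severity, as the false_positives text advises.
        if alert_type in excluded_types or vendor_sev in excluded_severities:
            continue
        alerts.append({
            "rule_name": alert_type or "Forwarded Google Workspace Security Alert",  # rule_name_override
            "severity": SEVERITY_MAPPING.get(vendor_sev, DEFAULT_SEVERITY),
            "vendor_severity": vendor_sev,
        })
    return alerts
```

The third document shows the fallback worth knowing about when triaging: a vendor severity outside LOW/MEDIUM/HIGH matches no mapping entry, so the alert is raised at the rule's static "high" severity.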

References

https://workspace.google.com/products/admin/alert-center/
