Google SecOps External Alerts
Generates a detection alert for each Google SecOps alert written to the configured indices. Enabling this rule allows you to immediately begin investigating Google SecOps alerts in the app.
Elastic rule
```toml
[metadata]
creation_date = "2025/07/31"
integration = ["google_secops"]
maturity = "production"
promotion = true
min_stack_version = "8.18.0"
min_stack_comments = "Introduced support for Google SecOps alert promotion"
updated_date = "2025/08/04"

[rule]
author = ["Elastic"]
description = """
Generates a detection alert for each Google SecOps alert written to the configured indices. Enabling this rule allows
you to immediately begin investigating Google SecOps alerts in the app.
"""
from = "now-2m"
index = ["logs-google_secops.alert-*"]
interval = "1m"
language = "kuery"
license = "Elastic License v2"
max_signals = 1000
name = "Google SecOps External Alerts"
note = """## Triage and analysis

### Investigating Google SecOps External Alerts

Google SecOps provides a robust framework for monitoring and managing security operations within cloud environments. The rule leverages specific event identifiers to flag suspicious alerts, enabling analysts to swiftly investigate potential threats and mitigate risks.

### Possible investigation steps

- Examine the timeline of events leading up to and following the alert to identify any unusual patterns or activities that may indicate malicious behavior.
- Cross-reference the alert with other security logs and alerts to determine if it is part of a broader attack pattern or isolated incident.
- Investigate the source and destination IP addresses involved in the alert to assess their legitimacy and check for any known malicious activity associated with them.
- Analyze user activity associated with the alert to identify any unauthorized access or privilege escalation attempts.
- Consult the Google SecOps investigation guide and resources tagged in the alert for specific guidance on handling similar threats.

### False positive analysis

- Alerts triggered by routine administrative actions can be false positives. Review the context of the alert to determine if it aligns with known maintenance activities.
- Automated scripts or tools that interact with Google SecOps may generate alerts. Identify these scripts and consider creating exceptions for their expected behavior.
- Frequent alerts from specific IP addresses or user accounts that are known to be secure can be excluded by adding them to an allowlist.
- Alerts resulting from testing or development environments should be reviewed and, if deemed non-threatening, excluded from triggering further alerts.
- Regularly update and review exception lists to ensure they reflect current non-threatening behaviors and do not inadvertently exclude genuine threats.

### Response and remediation

- Immediately isolate affected systems or accounts identified in the Google SecOps alert to prevent further unauthorized access or data exfiltration.
- Conduct a thorough review of the alert details to identify any compromised credentials or access tokens and reset them promptly.
- Implement network segmentation or access control measures to limit the spread of potential threats within the environment.
- Review and update firewall rules and security group settings to block any suspicious IP addresses or domains associated with the alert.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional resources are needed.
- Document the incident, including all actions taken, and update incident response plans to incorporate lessons learned from this event.
- Enhance monitoring and detection capabilities by tuning existing alerts and deploying additional rules to detect similar activities in the future.
"""
references = ["https://docs.elastic.co/en/integrations/google_secops"]
risk_score = 47
rule_id = "70558fd5-6448-4c65-804a-8567ce02c3a2"
rule_name_override = "google_secops.alert.detection.ruleName"
setup = """## Setup

### Google SecOps Alert Integration
This rule is designed to capture alert events generated by the Google SecOps integration and promote them as Elastic detection alerts.

To capture Google SecOps alerts, install and configure the Google SecOps integration to ingest alert events into the `logs-google_secops.alert-*` index pattern.

If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same SecOps events. Consider adding a rule exception for the External Alert rule to exclude data_stream.dataset:google_secops.alert to avoid receiving duplicate alerts.

### Additional notes

For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "medium"
tags = ["Data Source: Google SecOps", "Use Case: Threat Detection", "Resources: Investigation Guide", "Promotion: External Alerts"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.kind: alert and data_stream.dataset: google_secops.alert
'''

[[rule.risk_score_mapping]]
field = "event.risk_score"
operator = "equals"
value = ""

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "low"
value = "21"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "medium"
value = "47"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "high"
value = "73"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "critical"
value = "99"
```
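The following is an added example, not code from the Elastic detection-rules project: a plain-Python model of how this promotion rule treats one ingested document (the KQL query, the `event.severity` mapping, the `event.risk_score` mapping and `rule_name_override`), plus the exception the setup text suggests for the generic External Alerts rule so the same SecOps event is not promoted twice. The sample documents are constructed, and the assumption that an unmapped `event.severity` falls back to the rule's own `severity` and `risk_score` is stated in the comments.

```python
from typing import Any, Optional

RULE_NAME = "Google SecOps External Alerts"
DEFAULT_RISK_SCORE = 47      # rule.risk_score, assumed fallback when event.risk_score is absent
DEFAULT_SEVERITY = "medium"  # rule.severity, assumed fallback when no severity_mapping matches
# rule.severity_mapping tables: event.severity value -> Elastic severity
SEVERITY_MAPPING = {"21": "low", "47": "medium", "73": "high", "99": "critical"}

# Constructed sample documents (not real SecOps data)
SAMPLE_DOCS = [
    {"event": {"kind": "alert", "severity": 73, "risk_score": 80},
     "data_stream": {"dataset": "google_secops.alert"},
     "google_secops": {"alert": {"detection": {"ruleName": "Suspicious Login"}}}},
    {"event": {"kind": "alert", "severity": 55},  # severity not in the mapping
     "data_stream": {"dataset": "google_secops.alert"}},
    {"event": {"kind": "event"}, "data_stream": {"dataset": "google_secops.alert"}},
]

def get_path(doc: dict, path: str) -> Any:
    """Resolve a dotted field path such as event.kind against a nested dict."""
    cur: Any = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def matches_query(doc: dict) -> bool:
    """KQL of the rule: event.kind: alert and data_stream.dataset: google_secops.alert"""
    return (get_path(doc, "event.kind") == "alert"
            and get_path(doc, "data_stream.dataset") == "google_secops.alert")

def promote(doc: dict) -> Optional[dict]:
    """Alert this rule would generate for doc, or None if the query does not match."""
    if not matches_query(doc):
        return None
    # severity_mapping compares event.severity with the literal values in the rule
    severity = SEVERITY_MAPPING.get(str(get_path(doc, "event.severity")), DEFAULT_SEVERITY)
    risk = get_path(doc, "event.risk_score")  # risk_score_mapping on event.risk_score
    risk_score = int(risk) if isinstance(risk, (int, float)) else DEFAULT_RISK_SCORE
    # rule_name_override: display the upstream SecOps rule name when the field exists
    name = get_path(doc, "google_secops.alert.detection.ruleName") or RULE_NAME
    return {"name": name, "severity": severity, "risk_score": risk_score}

def excluded_by_external_alerts_exception(doc: dict) -> bool:
    """Exception the setup text suggests adding to the generic External Alerts rule."""
    return get_path(doc, "data_stream.dataset") == "google_secops.alert"
```

Only the first two sample documents are promoted; the third has `event.kind: event` and is ignored even though it sits in the SecOps alert data stream.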
Related rules
- Microsoft Sentinel External Alerts
- SentinelOne Alert External Alerts
- SentinelOne Threat External Alerts
- Splunk External Alerts
- Unusual Web Config File Access