
Forwarded Google Workspace Security Alert

Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace's security alert center provides an overview of actionable alerts that may be affecting an organization's domain. An alert is a warning of a potential security issue that Google has detected.

Detection Query

data_stream.dataset: google_workspace.alert

Author

Elastic

Created

2023/01/15

Data Sources

Google Workspace (index patterns: filebeat-*, logs-google_workspace*)

Tags

Domain: Cloud, Data Source: Google Workspace, Use Case: Log Auditing, Use Case: Threat Detection, Resources: Investigation Guide
Raw Content
[metadata]
creation_date = "2023/01/15"
# The rule is tied to the Google Workspace integration; it only reads that
# integration's alert data stream (see the [rule] query).
integration = ["google_workspace"]
maturity = "production"
# Promotion rule: it surfaces alerts the vendor has already raised rather than
# detecting behavior itself, so every matching document becomes an alert.
promotion = true
updated_date = "2026/04/10"

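[rule]
author = ["Elastic"]
description = """
Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace's security alert
center provides an overview of actionable alerts that may be affecting an organization's domain. An alert is a warning
of a potential security issue that Google has detected.
"""
# The vendor alert type and its severity are the only two fields this rule keys on.
# An exception on google_workspace.alert.type silences every vendor alert of that
# type, so scope exceptions as narrowly as possible.
false_positives = [
    """
    To tune this rule, add exceptions to exclude any google_workspace.alert.type which should not trigger this rule.
    """,
    "For additional tuning, severity exceptions for google_workspace.alert.metadata.severity can be added.",
]
# Lookback is much wider than the 10m interval; presumably this absorbs ingestion
# lag from the integration, since matching is done on event.ingested
# (timestamp_override below) rather than the vendor's event time.
from = "now-130m"
index = ["filebeat-*", "logs-google_workspace*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "Forwarded Google Workspace Security Alert"
note = """## Setup

This rule promotes security alerts produced by Google Workspace; it does not detect behavior on its own. It requires the
Google Workspace integration (`google_workspace`) to be configured and shipping the `google_workspace.alert` data stream
into an index matched by `logs-google_workspace*` or `filebeat-*`. If that data stream is not being collected, the rule
will never fire and produces no indication that alerts are being missed.

Each generated alert is named after the vendor alert type (`google_workspace.alert.type`). Its severity is taken from
`google_workspace.alert.metadata.severity` when that field is `LOW`, `MEDIUM` or `HIGH`; any other or missing value falls
back to the rule's default severity of `high`.

## Triage and analysis

This is a promotion rule for Google Workspace security events, which are alertable events per the vendor.
Consult vendor documentation on interpreting specific events.

- Start from `google_workspace.alert.type` and `google_workspace.alert.metadata.severity` to identify which vendor alert
  fired and how the vendor rated it.
- Review the originating alert in the Google Workspace alert center (see the references) for the vendor's own details
  and recommended actions.
- Tune with exceptions on `google_workspace.alert.type` or `google_workspace.alert.metadata.severity` rather than
  disabling the rule, and keep each exception narrow: an excluded alert type is silenced entirely.
"""
references = [
    "https://workspace.google.com/products/admin/alert-center/",
    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
]
risk_score = 73
rule_id = "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc"
# Generated alerts are named after the vendor alert type instead of the static
# rule name above.
rule_name_override = "google_workspace.alert.type"
# Default severity, used whenever google_workspace.alert.metadata.severity does
# not match one of the [[rule.severity_mapping]] entries.
severity = "high"
tags = [
    "Domain: Cloud",
    "Data Source: Google Workspace",
    "Use Case: Log Auditing",
    "Use Case: Threat Detection",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

# Every document in the alert data stream is promoted; any filtering is done
# through exceptions rather than in the query.
query = '''
data_stream.dataset: google_workspace.alert
'''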


# Map the vendor's alert severity onto the Elastic alert severity. Only the three
# values below are mapped; any other value, or a missing field, falls through to
# the rule's default severity declared in [rule].
[[rule.severity_mapping]]
field = "google_workspace.alert.metadata.severity"
operator = "equals"
severity = "low"
value = "LOW"

[[rule.severity_mapping]]
field = "google_workspace.alert.metadata.severity"
operator = "equals"
severity = "medium"
value = "MEDIUM"

[[rule.severity_mapping]]
field = "google_workspace.alert.metadata.severity"
operator = "equals"
severity = "high"
value = "HIGH"