Forwarded Google Workspace Security Alert | Elastic Security Solution [8.13]

› › ›

« FirstTime Seen Account Performing DCSync Full User-Mode Dumps Enabled System-Wide »

Forwarded Google Workspace Security Alertedit

Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace’s security alert center provides an overview of actionable alerts that may be affecting an organization’s domain. An alert is a warning of a potential security issue that Google has detected.

Rule type: query

Rule indices:

filebeat-*
logs-google_workspace*

Severity: high

Risk score: 73

Runs every: 10m

Searches indices from: now-130m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://workspace.google.com/products/admin/alert-center/

Tags:

Domain: Cloud
Data Source: Google Workspace
Use Case: Log Auditing
Use Case: Threat Detection

Version: 2

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guideedit

Triage and analysis

This is a promotion rule for Google Workspace security events, which are alertable events per the vendor. Consult vendor documentation on interpreting specific events.

Setupedit

Rule queryedit

event.dataset: google_workspace.alert

« FirstTime Seen Account Performing DCSync Full User-Mode Dumps Enabled System-Wide »