Forwarded Google Workspace Security Alertedit

Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace’s security alert center provides an overview of actionable alerts that may be affecting an organization’s domain. An alert is a warning of a potential security issue that Google has detected.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-google_workspace*

Severity: high

Risk score: 73

Runs every: 10m

Searches indices from: now-130m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100



  • Domain: Cloud
  • Data Source: Google Workspace
  • Use Case: Log Auditing
  • Use Case: Threat Detection

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guideedit

## Triage and analysis

This is a promotion rule for Google Workspace security events, which are alertable events per the vendor.
Consult vendor documentation on interpreting specific events.

Rule queryedit

event.dataset: google_workspace.alert