From e5d81e77f77b43a3957cfc34cf7a45e473e1be6e Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Tue, 17 Jan 2023 12:09:13 -0500
Subject: [PATCH] [New Rule] Add Google Workspace Alert Center Promotional Rule (#2471)

* Add Google Workspace Alert Center Promotional Rule
* added severity mapping overrides
---
 ...ogle_workspace_alert_center_promotion.toml | 65 +++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml

diff --git a/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml b/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml
new file mode 100644
index 000000000..165410f17
--- /dev/null
+++ b/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml
@@ -0,0 +1,65 @@
+[metadata]
+creation_date = "2023/01/15"
+integration = ["google_workspace"]
+maturity = "production"
+min_stack_comments = "Google Workspace feature only present in 8.4+ stack versions"
+min_stack_version = "8.4.0"
+updated_date = "2023/01/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace's security alert
+center provides an overview of actionable alerts that may be affecting an organization's domain. An alert is a warning
+of a potential security issue that Google has detected.
+"""
+false_positives = [
+ """
+ To tune this rule, add exceptions to exclude any google_workspace.alert.type which should not trigger this rule.
+ """,
+ "For additional tuning, severity exceptions for google_workspace.alert.metadata.severity can be added.",
+]
+from = "now-130m"
+index = ["filebeat-*", "logs-google_workspace*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License v2"
+name = "Forwarded Google Workspace Security Alert"
+note = """## Setup
+
+## Triage and analysis
+
+This is a promotion rule for Google Workspace security events, which are alertable events per the vendor.
+Consult vendor documentation on interpreting specific events.
+""" +references = ["https://workspace.google.com/products/admin/alert-center/"] +risk_score = 73 +rule_id = "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc" +rule_name_override = "google_workspace.alert.type" +severity = "high" +tags = ["Elastic", "Cloud", "Google Workspace", "Log Auditing", "Threat Detection"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.dataset: google_workspace.alert +''' + +[[rule.severity_mapping]] +field = "google_workspace.alert.metadata.severity" +value = "LOW" +operator = "equals" +severity = "low" + +[[rule.severity_mapping]] +field = "google_workspace.alert.metadata.severity" +value = "MEDIUM" +operator = "equals" +severity = "medium" + +[[rule.severity_mapping]] +field = "google_workspace.alert.metadata.severity" +value = "HIGH" +operator = "equals" +severity = "high" +