detection.wiki

Detection rules › YARA-L

Google Workspace Alerts Aggregated By Severity

Type
Alert
Time window
1h
Match by
severity
Author
Google Cloud Security
Source
github.com/chronicle/detection-rules

Generates alerts based on Google Workspace alerts center and aggregates them based on severity.

Rule body yaral

/*
 * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

rule google_workspace_alerts_aggregated_by_severity {

  meta:
    author = "Google Cloud Security"
    description = "Generates alerts based on Google Workspace alerts center and aggregates them based on severity."
    rule_id = "mr_311cc4ab-627b-43a1-a744-8d7aa5e44fbf"
    rule_name = "Google Workspace Alerts Aggregated By Severity"
    type = "Alert"
    data_source = "Workspace Alerts"

  events:
    $ws.metadata.vendor_name = "Google Workspace"
    $ws.metadata.product_name = "Google Workspace Alerts"
    $ws.security_result.severity = $severity

  match:
    $severity over 1h

  outcome:
    $risk_score = max(30 +
        if($ws.security_result.severity = "LOW", 10)+
        if($ws.security_result.severity = "MEDIUM", 30)+
        if($ws.security_result.severity = "HIGH", 50)
    )
    $event_count = count_distinct($ws.metadata.id)
    $event_type = array_distinct($ws.metadata.event_type)
    $product_event_type = array_distinct($ws.metadata.product_event_type)
    $security_category_details = array_distinct($ws.security_result.category_details)
    $security_category = array_distinct($ws.security_result.category)
    $security_investigation_tool_link = array_distinct($ws.security_result.detection_fields["security_investigation_tool_link"])
    $security_summary = array_distinct($ws.security_result.summary)
    $alert_severity = array_distinct($ws.security_result.severity)

  condition:
    $ws
}

Detection logic

Fires when at least one $ws event in the 1h window.

Events

$ws

No field filters (binds the event for correlation only).

Correlation

Match key
$severity (security_result.severity)
Within
1h

Outcome

Fields the detection emits on a match. $risk_score drives alerting; Chronicle surfaces the rest on the detection.

FieldExpression
risk_scoremax(30 + if($ws.security_result.severity = "LOW", 10)+ if($ws.security_result.severity = "MEDIUM", 30)+ if($ws.security_result.severity = "HIGH", 50) )
event_countcount_distinct($ws.metadata.id)
event_typearray_distinct($ws.metadata.event_type)
product_event_typearray_distinct($ws.metadata.product_event_type)
security_category_detailsarray_distinct($ws.security_result.category_details)
security_categoryarray_distinct($ws.security_result.category)
security_investigation_tool_linkarray_distinct($ws.security_result.detection_fields["security_investigation_tool_link"])
security_summaryarray_distinct($ws.security_result.summary)
alert_severityarray_distinct($ws.security_result.severity)