updating data source for google workspace

patel-bhavin · patel-bhavin · commit 56f874234ddf · 2025-02-21T12:52:43.000-08:00
diff --git a/data_sources/google_workspace.yml b/data_sources/google_workspace.yml
@@ -0,0 +1,15 @@
+name: Google Workspace
+id: f1a044e3-113a-4e4d-84f2-b153ade83087
+version: 1
+date: '2025-02-21'
+author: Bhavin Patel, Splunk
+description: Data source object for Google Workspace
+source: google_workspace
+sourcetype: gws:reports:login
+supported_TA:
+- name: Splunk Add-on for Google Workspace
+  url: https://splunkbase.splunk.com/app/5556
+  version: 3.0.2
+fields:
+- _time
+example_log: |-
diff --git a/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml
@@ -14,7 +14,7 @@ description: The following analytic detects multiple failed multi-factor authent
   allowing attackers to compromise accounts and potentially escalate privileges within
   the GCP environment.
 data_source:
-- Google Workspace login_failure
+- Google Workspace
 search: '`gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | bucket
   span=5m _time | stats dc(_raw) AS mfa_prompts values(user) AS user by src_ip, login_challenge_method,  _time
   | where mfa_prompts >= 10 | `gcp_multiple_failed_mfa_requests_for_user_filter`'
diff --git a/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml
@@ -13,7 +13,7 @@ description: The following analytic detects a single source IP address failing t
   Platform. If confirmed malicious, this behavior could lead to unauthorized access
   to sensitive resources, data breaches, or further exploitation within the environment.
 data_source:
-- Google Workspace login_failure
+- Google Workspace
 search: '`gws_reports_login` event.type = login event.name = login_failure | bucket
   span=5m _time | stats count dc(user) AS unique_accounts values(user) as tried_accounts
   values(authentication_method) AS authentication_method earliest(_time) as firstTime
diff --git a/detections/cloud/gcp_successful_single_factor_authentication.yml b/detections/cloud/gcp_successful_single_factor_authentication.yml
@@ -14,7 +14,7 @@ description: The following analytic identifies a successful single-factor authen
   to data breaches, service disruptions, or further exploitation within the cloud
   environment.
 data_source:
-- Google Workspace login_success
+- Google Workspace
 search: '`gws_reports_login` event.name=login_success NOT `gws_login_mfa_methods`
   | stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip,  login_challenge_method,
   app, event.name, vendor_account, action |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|
diff --git a/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml
@@ -14,7 +14,7 @@ description: The following analytic identifies a single source IP failing to aut
   this could lead to unauthorized access, data breaches, or further exploitation within
   the environment.
 data_source:
-- Google Workspace login_failure
+- Google Workspace
 search: '`gws_reports_login` event.type = login event.name = login_failure| bucket
   span=5m _time | stats  dc(user_name) AS unique_accounts values(user_name) as tried_accounts
   values(authentication_method) AS authentication_method by _time, src | eventstats  avg(unique_accounts)
