Hello,

In some cases, having the domains of the recipients' e-mails in the `google_workspace.rules` dataset can help decide whether an alert triggered by Google is an incident or not.

For example, with a DLP rule that triggers when it detects some kind of information in e-mails or drives, like credit card numbers, it may be less critical if this is being shared between recipients on one of the company's domains than if the recipients are from external domains.

Currently the field `related.hosts` is populated by `user.domain` and `google_workspace.organization.domain`, with the following processors on the `logs-google_workspace.rules-XXX` ingest pipeline.

It would be nice to have this field also populated with the domains of the recipients from the field `google_workspace.rules.resource.recipients`.

I have working code in production and can make a PR.
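One way the requested enrichment could look as an ingest pipeline processor, added here as an illustration; it is not the reporter's production code or the integration's shipped pipeline. It assumes `google_workspace.rules.resource.recipients` arrives as an array of e-mail address strings, and the `tag` value is hypothetical.

```yaml
# Added example: fragment of an ingest pipeline's processor list.
# Assumption: recipients is an array of e-mail address strings.
processors:
  - script:
      lang: painless
      tag: script_recipient_domains_to_related_hosts  # hypothetical tag
      description: Append each recipient's e-mail domain to related.hosts.
      if: ctx.google_workspace?.rules?.resource?.recipients instanceof List
      source: |
        // Make sure related.hosts exists and is a list, keeping prior values
        // (for example those already added from user.domain).
        if (ctx.related == null) {
          ctx.related = new HashMap();
        }
        def existing = ctx.related.hosts;
        def hosts = new ArrayList();
        if (existing instanceof List) {
          hosts.addAll(existing);
        } else if (existing != null) {
          hosts.add(existing);
        }
        for (def recipient : ctx.google_workspace.rules.resource.recipients) {
          // Skip nulls and non-string entries instead of failing the event.
          if (!(recipient instanceof String)) {
            continue;
          }
          // Take the text after the last '@'; ignore values with no local
          // part or no domain part.
          int at = recipient.lastIndexOf('@');
          if (at < 1 || at == recipient.length() - 1) {
            continue;
          }
          // Normalise case so internal and external domains compare reliably.
          String domain = recipient.substring(at + 1).trim().toLowerCase();
          if (!domain.isEmpty() && !hosts.contains(domain)) {
            hosts.add(domain);
          }
        }
        ctx.related.hosts = hosts;
```

With recipient domains in `related.hosts`, a detection rule or triage query can compare them against the organization's own domains to separate internal sharing from external sharing.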