[Google Workspace] Add the domain recipient into the related.hosts field for the rules dataset.

[leandrojmp]

Hello,

In some cases having the domain of the recipients e-mails on the google_workspace.rules dataset can help decide if an alert triggered by Google is an incident or not.

For example, having a DLP rule that will trigger when it detects some kind of information on e-mails or drives, like Credit card nubmers, if this is being shared between recipients on one of the companies domains it may be less critical than if the recipients are from external domains.

Currently the field related.hosts is populated by the user.domain and google_workspace.organization.domain, with the following processors on the logs-google_workspace.rules-XXX ingest pipeline.

  - append:
      field: related.hosts
      value: '{{{user.domain}}}'
      if: ctx.user?.domain != null
      allow_duplicates: false
      ignore_failure: true
  - append:
      field: related.hosts
      value: '{{{google_workspace.organization.domain}}}'
      if: ctx.google_workspace?.organization?.domain != null
      allow_duplicates: false
      ignore_failure: true

It would be nice to have this field being populate also with the domains from the recipients from the field google_workspace.rules.resource.recipients.

I have a working code in production and can make a PR.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[elasticmachine]

Package google_workspace - 2.3.0 containing this change is available at https://epr.elastic.co/search?package=google_workspace