Hi everyone,
I’m reaching out to check whether others are experiencing issues with the curated detection ruleset Workspace: Data Exfiltration from Gmail in Google SecOps.
We’re using the recommended direct ingestion path for WORKSPACE_ACTIVITY logs (including Gmail). While the ingestion and parsing work, we’ve noticed that the UDM fields produced by the Workspace Activity parser do not align with what the curated detection rules expect — specifically in the Workspace: Data Exfiltration from Gmail ruleset.
Examples of mismatches include:
- principal.application is populated with only the message_info.source.service value (e.g., gmail-ui), while the curated rule expects a concatenated value such as gmail-ui send.
- The selector value is placed under additional.fields instead of a field the curated rule monitors.
- metadata.product_name is mapped as gmail (lowercase) even though some curated rules appear to expect GMAIL (uppercase), with no case-insensitive matching applied.
The curated rules do not appear to match the current parser output, leading to detections that are effectively non-functional out of the box. I was informed that the curated detections depend on the GMAIL_LOGS label, which I have no idea how to apply. The rules affected are:
- Excessive Sensitive Emails Sent By User
- Excessive External Emails Sent By Sender and Receiver
- Workspace: Arbitrary High Number of External Emails Sent by a User with Attachments
- Anomalous Gmail Outbound Bytes to Freemail Accounts by User
Has anyone else encountered this?
Are your Gmail-related curated detections triggering as expected with direct Workspace Activity ingestion?
Would appreciate hearing whether this is an isolated case or something others are seeing as well.
Thanks in advance!
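To make the three mismatches listed above easy to confirm against your own parsed events, here is a small checker I wrote as an added example; it is not code from Google SecOps or from the original post. It assumes a simplified dict rendering of UDM (nested keys for metadata, principal and additional.fields, with additional.fields flattened to a plain map), the selector value "send" is a constructed guess, and the "expected" shape is just what the post says the curated rules look for, not an official specification.

```python
"""Checks Workspace Activity UDM events for the Gmail field mismatches
described in the post. Added example, not Google SecOps code.
Assumption: events are plain dicts; additional.fields is a flat map."""

import copy
from typing import Any, Dict, List

# Constructed sample: what the post says the Workspace Activity parser emits.
PARSER_EVENT: Dict[str, Any] = {
    "metadata": {"product_name": "gmail", "event_type": "EMAIL_TRANSACTION"},
    "principal": {"application": "gmail-ui"},
    "additional": {"fields": {"selector": "send"}},  # 'send' is a guessed value
}

# Constructed sample: what the post says the curated rules expect.
EXPECTED_EVENT: Dict[str, Any] = {
    "metadata": {"product_name": "GMAIL", "event_type": "EMAIL_TRANSACTION"},
    "principal": {"application": "gmail-ui send"},
    "additional": {"fields": {}},
}


def get_path(event: Dict[str, Any], path: str) -> Any:
    """Walk a dotted path such as 'metadata.product_name'; None if absent."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def check_gmail_event(event: Dict[str, Any]) -> List[str]:
    """Return one description per mismatch; an empty list means the event is
    shaped the way the post says the curated Gmail rules expect."""
    problems: List[str] = []

    # Mismatch 3: product_name must be exactly 'GMAIL' (no case folding).
    product = get_path(event, "metadata.product_name")
    if product != "GMAIL":
        if isinstance(product, str) and product.upper() == "GMAIL":
            problems.append(f"product_name case mismatch: {product!r} != 'GMAIL'")
        else:
            problems.append(f"product_name unexpected: {product!r}")

    # Mismatch 2: selector parked under additional.fields is not monitored.
    selector = get_path(event, "additional.fields.selector")
    if selector is not None:
        problems.append(
            f"selector {selector!r} sits under additional.fields, not a monitored field"
        )

    # Mismatch 1: principal.application lacks the '<service> <selector>' suffix.
    app = get_path(event, "principal.application")
    if isinstance(app, str) and " " not in app:
        problems.append(
            f"principal.application {app!r} has no selector suffix (expected e.g. 'gmail-ui send')"
        )
    return problems


def shape_for_curated_rules(event: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy reshaped to the expectations in the post: product_name
    upper-cased and the selector folded into principal.application.
    Illustrates the target shape only; it is not an official parser fix."""
    out = copy.deepcopy(event)
    product = get_path(out, "metadata.product_name")
    if isinstance(product, str):
        out["metadata"]["product_name"] = product.upper()
    fields = out.get("additional", {}).get("fields", {})
    selector = fields.pop("selector", None)
    app = get_path(out, "principal.application")
    if selector and isinstance(app, str) and " " not in app:
        out["principal"]["application"] = f"{app} {selector}"
    return out


if __name__ == "__main__":
    for name, ev in (("parser output", PARSER_EVENT), ("expected", EXPECTED_EVENT)):
        print(name, "->", check_gmail_event(ev) or "no mismatches")
    print("reshaped ->", check_gmail_event(shape_for_curated_rules(PARSER_EVENT)) or "no mismatches")
```

Feed `check_gmail_event` a handful of events exported from your own tenant (after converting them to this dict layout) to see which of the three mismatches apply to you; the reshaping helper only shows what the target shape looks like, the real change would have to happen in the parser or the rule.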
