prowler-cloud · danibarranqueroo · May 28, 2026 · May 28, 2026 · May 28, 2026 · May 28, 2026
@@ -9,6 +9,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - `application` service for Okta provider with `application_admin_console_session_idle_timeout_15min`, `application_admin_console_mfa_required`, `application_admin_console_phishing_resistant_authentication`, `application_dashboard_mfa_required`, `application_dashboard_phishing_resistant_authentication`, and `application_authentication_policy_network_zone_enforced` checks [(#11358)](https://github.com/prowler-cloud/prowler/pull/11358)
 - AWS AI Security Framework compliance for AWS provider [(#11353)](https://github.com/prowler-cloud/prowler/pull/11353)
 - `storage_account_public_network_access_disabled` check for Azure provider and remapped the Azure CIS "Public Network Access is Disabled" requirements to it [(#11334)](https://github.com/prowler-cloud/prowler/pull/11334)
+- 8 Rules service checks for Google Workspace provider using the Cloud Identity Policy API [(#11379)](https://github.com/prowler-cloud/prowler/pull/11379)
 - 12 Security service checks for Google Workspace provider using the Cloud Identity Policy API [(#11356)](https://github.com/prowler-cloud/prowler/pull/11356)
 
 ### 🐞 Fixed

@@ -1827,7 +1827,9 @@
     {
       "Id": "6.1",
       "Description": "Ensure User's password changed is configured",
-      "Checks": [],
+      "Checks": [
+        "rules_password_changed_alert_configured"
+      ],
       "Attributes": [
         {
           "Section": "6 Rules",
@@ -1848,7 +1850,9 @@
     {
       "Id": "6.2",
       "Description": "Ensure Government-backed attacks is configured",
-      "Checks": [],
+      "Checks": [
+        "rules_government_backed_attacks_alert_configured"
+      ],
       "Attributes": [
         {
           "Section": "6 Rules",
@@ -1869,7 +1873,9 @@
     {
       "Id": "6.3",
       "Description": "Ensure User suspended due to suspicious activity is configured",
-      "Checks": [],
+      "Checks": [
+        "rules_suspicious_activity_suspension_alert_configured"
+      ],
       "Attributes": [
         {
           "Section": "6 Rules",
@@ -1890,7 +1896,9 @@
     {
       "Id": "6.4",
       "Description": "Ensure User granted Admin privilege is configured",
-      "Checks": [],
+      "Checks": [
+        "rules_admin_privilege_granted_alert_configured"
+      ],
       "Attributes": [
         {
           "Section": "6 Rules",
@@ -1911,7 +1919,9 @@
     {
       "Id": "6.5",
       "Description": "Ensure Suspicious programmatic login is configured",
-      "Checks": [],
+      "Checks": [
+        "rules_suspicious_programmatic_login_alert_configured"
+      ],
       "Attributes": [
         {
           "Section": "6 Rules",
@@ -1932,7 +1942,9 @@
     {
       "Id": "6.6",
       "Description": "Ensure Suspicious login is configured",
-      "Checks": [],
+      "Checks": [
+        "rules_suspicious_login_alert_configured"
+      ],
       "Attributes": [
         {
           "Section": "6 Rules",
@@ -1953,7 +1965,9 @@
     {
       "Id": "6.7",
       "Description": "Ensure Leaked password is configured",
-      "Checks": [],
+      "Checks": [
+        "rules_leaked_password_alert_configured"
+      ],
       "Attributes": [
         {
           "Section": "6 Rules",
@@ -1974,7 +1988,9 @@
     {
       "Id": "6.8",
       "Description": "Ensure Gmail potential employee spoofing is configured",
-      "Checks": [],
+      "Checks": [
+        "rules_gmail_employee_spoofing_alert_configured"
+      ],
       "Attributes": [
         {
           "Section": "6 Rules",

@@ -427,7 +427,16 @@
     {
       "Id": "GWS.COMMONCONTROLS.13.1",
       "Description": "All system-defined alerting rules SHALL be enabled with alerts sent to admin email addresses",
-      "Checks": [],
+      "Checks": [
+        "rules_password_changed_alert_configured",
+        "rules_government_backed_attacks_alert_configured",
+        "rules_suspicious_activity_suspension_alert_configured",
+        "rules_admin_privilege_granted_alert_configured",
+        "rules_suspicious_programmatic_login_alert_configured",
+        "rules_suspicious_login_alert_configured",
+        "rules_leaked_password_alert_configured",
+        "rules_gmail_employee_spoofing_alert_configured"
+      ],
       "Attributes": [
         {
           "Section": "Common Controls",

@@ -0,0 +1,37 @@
+{
+  "Provider": "googleworkspace",
+  "CheckID": "rules_admin_privilege_granted_alert_configured",
+  "CheckTitle": "User granted Admin privilege alert rule is configured",
+  "CheckType": [],
+  "ServiceName": "rules",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "monitoring",
+  "Description": "The **User granted Admin privilege** system-defined alert rule should be enabled with alerts sent to the alert center, email notifications turned on, and recipients set to all super administrators. This ensures administrators are notified when a user is given elevated admin privileges.",
+  "Risk": "Without this alert enabled, administrators will not be notified when users receive **elevated admin privileges**. Unauthorized privilege escalation could indicate account compromise or insider threats and requires immediate verification.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://knowledge.workspace.google.com/admin/reports/view-and-edit-system-defined-rules",
+    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Sign in to the Google **Admin console** at https://admin.google.com\n2. Select **Rules**\n3. Under **Google protects you by default** select **View list**\n4. Scroll to **User granted Admin privilege** and select it\n5. Within the Actions pane, click the edit pencil\n6. Select **Send to alert center** to set the alert to ON\n7. Set the alert severity to **Medium**\n8. Select **Send email notifications**\n9. Ensure **All super administrators** is selected as recipients\n10. Click **Review** to confirm the values\n11. Click **Update Rule**",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Configure the **User granted Admin privilege** alert rule with alert center ON, email notifications ON, and recipients set to **all super administrators**.",
+      "Url": "https://hub.prowler.com/check/rules_admin_privilege_granted_alert_configured"
+    }
+  },
+  "Categories": [
+    "forensics-ready"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
@@ -0,0 +1,61 @@
+from typing import List
+
+from prowler.lib.check.models import Check, CheckReportGoogleWorkspace
+from prowler.providers.googleworkspace.services.rules.rules_client import (
+    rules_client,
+)
+
+RULE_NAME = "User granted Admin privilege"
+
+
+class rules_admin_privilege_granted_alert_configured(Check):
+    """Check that the User granted Admin privilege system-defined alert rule is fully configured."""
+
+    def execute(self) -> List[CheckReportGoogleWorkspace]:
+        findings = []
+
+        if rules_client.policies_fetched:
+            for alert in rules_client.system_defined_alerts:
+                if alert.display_name != RULE_NAME:
+                    continue
+
+                domain = rules_client.provider.identity.domain
+                report = CheckReportGoogleWorkspace(
+                    metadata=self.metadata(),
+                    resource=alert,
+                    resource_id="system_defined_alert",
+                    resource_name=RULE_NAME,
+                    customer_id=rules_client.provider.identity.customer_id,
+                )
+
+                is_active = alert.state == "ACTIVE"
+                has_recipients = alert.email_notifications_enabled
+                all_super_admins = alert.all_super_admins
+
+                if is_active and has_recipients and all_super_admins:
+                    report.status = "PASS"
+                    report.status_extended = (
+                        f"System-defined alert rule '{RULE_NAME}' is properly "
+                        f"configured in domain {domain}: alert is ON, email "
+                        f"notifications are enabled, and recipients include "
+                        f"all super administrators."
+                    )
+                else:
+                    report.status = "FAIL"
+                    issues = []
+                    if not is_active:
+                        issues.append("alert is OFF")
+                    if not has_recipients:
+                        issues.append("email notifications are disabled")
+                    elif not all_super_admins:
+                        issues.append(
+                            "email recipients do not include all super administrators"
+                        )
+                    report.status_extended = (
+                        f"System-defined alert rule '{RULE_NAME}' is not properly "
+                        f"configured in domain {domain}: {', '.join(issues)}."
+                    )
+
+                findings.append(report)
+
+        return findings
@@ -0,0 +1,6 @@
+from prowler.providers.common.provider import Provider
+from prowler.providers.googleworkspace.services.rules.rules_service import (
+    Rules,
+)
+
+rules_client = Rules(Provider.get_global_provider())
@@ -0,0 +1,37 @@
+{
+  "Provider": "googleworkspace",
+  "CheckID": "rules_gmail_employee_spoofing_alert_configured",
+  "CheckTitle": "Gmail potential employee spoofing alert rule is configured",
+  "CheckType": [],
+  "ServiceName": "rules",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "monitoring",
+  "Description": "The **Gmail potential employee spoofing** system-defined alert rule should be enabled with alerts sent to the alert center, email notifications turned on, and recipients set to all super administrators. This ensures administrators are notified when incoming messages have a sender name matching the directory but from an external domain.",
+  "Risk": "Without this alert enabled, administrators will not be notified of potential **employee spoofing via email**. Attackers may impersonate internal employees using external email addresses to conduct phishing attacks against the organization.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://knowledge.workspace.google.com/admin/reports/view-and-edit-system-defined-rules",
+    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Sign in to the Google **Admin console** at https://admin.google.com\n2. Select **Rules**\n3. Under **Google protects you by default** select **View list**\n4. Scroll to **Gmail potential employee spoofing** and select it\n5. Within the Actions pane, click the edit pencil\n6. Select **Send to alert center** to set the alert to ON\n7. Set the alert severity to **Medium**\n8. Select **Send email notifications**\n9. Ensure **All super administrators** is selected as recipients\n10. Click **Review** to confirm the values\n11. Click **Update Rule**",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Configure the **Gmail potential employee spoofing** alert rule with alert center ON, email notifications ON, and recipients set to **all super administrators**.",
+      "Url": "https://hub.prowler.com/check/rules_gmail_employee_spoofing_alert_configured"
+    }
+  },
+  "Categories": [
+    "forensics-ready"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
@@ -0,0 +1,61 @@
+from typing import List
+
+from prowler.lib.check.models import Check, CheckReportGoogleWorkspace
+from prowler.providers.googleworkspace.services.rules.rules_client import (
+    rules_client,
+)
+
+RULE_NAME = "Gmail potential employee spoofing"
+
+
+class rules_gmail_employee_spoofing_alert_configured(Check):
+    """Check that the Gmail potential employee spoofing system-defined alert rule is fully configured."""
+
+    def execute(self) -> List[CheckReportGoogleWorkspace]:
+        findings = []
+
+        if rules_client.policies_fetched:
+            for alert in rules_client.system_defined_alerts:
+                if alert.display_name != RULE_NAME:
+                    continue
+
+                domain = rules_client.provider.identity.domain
+                report = CheckReportGoogleWorkspace(
+                    metadata=self.metadata(),
+                    resource=alert,
+                    resource_id="system_defined_alert",
+                    resource_name=RULE_NAME,
+                    customer_id=rules_client.provider.identity.customer_id,
+                )
+
+                is_active = alert.state == "ACTIVE"
+                has_recipients = alert.email_notifications_enabled
+                all_super_admins = alert.all_super_admins
+
+                if is_active and has_recipients and all_super_admins:
+                    report.status = "PASS"
+                    report.status_extended = (
+                        f"System-defined alert rule '{RULE_NAME}' is properly "
+                        f"configured in domain {domain}: alert is ON, email "
+                        f"notifications are enabled, and recipients include "
+                        f"all super administrators."
+                    )
+                else:
+                    report.status = "FAIL"
+                    issues = []
+                    if not is_active:
+                        issues.append("alert is OFF")
+                    if not has_recipients:
+                        issues.append("email notifications are disabled")
+                    elif not all_super_admins:
+                        issues.append(
+                            "email recipients do not include all super administrators"
+                        )
+                    report.status_extended = (
+                        f"System-defined alert rule '{RULE_NAME}' is not properly "
+                        f"configured in domain {domain}: {', '.join(issues)}."
+                    )
+
+                findings.append(report)
+
+        return findings
@@ -0,0 +1,37 @@
+{
+  "Provider": "googleworkspace",
+  "CheckID": "rules_government_backed_attacks_alert_configured",
+  "CheckTitle": "Government-backed attacks alert rule is configured",
+  "CheckType": [],
+  "ServiceName": "rules",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "monitoring",
+  "Description": "The **Government-backed attacks** system-defined alert rule should be enabled with alerts sent to the alert center, email notifications turned on, and recipients set to all super administrators. This ensures administrators are notified when Google believes users are being targeted by a government-backed attacker.",
+  "Risk": "Without this alert enabled, administrators will not be notified of potential **government-backed attacks** targeting their users. These attacks are sophisticated and require immediate response to protect affected accounts and investigate the threat.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://knowledge.workspace.google.com/admin/reports/view-and-edit-system-defined-rules",
+    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Sign in to the Google **Admin console** at https://admin.google.com\n2. Select **Rules**\n3. Under **Google protects you by default** select **View list**\n4. Scroll to **Government-backed attacks** and select it\n5. Within the Actions pane, click the edit pencil\n6. Select **Send to alert center** to set the alert to ON\n7. Set the alert severity to **High**\n8. Select **Send email notifications**\n9. Ensure **All super administrators** is selected as recipients\n10. Click **Review** to confirm the values\n11. Click **Update Rule**",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Configure the **Government-backed attacks** alert rule with alert center ON, email notifications ON, and recipients set to **all super administrators**.",
+      "Url": "https://hub.prowler.com/check/rules_government_backed_attacks_alert_configured"
+    }
+  },
+  "Categories": [
+    "forensics-ready"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}