
[Rule Tuning] Google Workspace ruleset audit and tuning.

Open shashank-elastic opened this issue 3 months ago • 0 comments

Link to Rule

https://github.com/elastic/detection-rules/tree/ee0dda80fbbfb3aebdb2d5fb9221575dafeb1168/rules/integrations/google_workspace

Rule Tuning Type

Contextual Tuning - Customizing rules based on specific environment factors.

Description

Based on the recent announcement of enhanced-admin-audit-log-events and a detailed support article of what is being changed in Google Workspace enhanced admin audit log events, some of these changes captured below directly affect our current ruleset.

The updates involve changes to event names, event types, and the volume of these affected log events. Some legacy events may be redundant as a part of this change. If you're using any legacy events, some of the updates might require changes to your existing queries, alerts, and reports to get the full benefit of the changes. Both the new and old events will continue to be available for you to make the necessary changes.

Evaluate the impact of these changes on the current ruleset of Google Workspace in detection-rules.

Example Rules

Sample rules that need to be checked from the existing Google Workspace ruleset:

  • https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
  • https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
  • https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml
  • https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
  • https://github.com/elastic/detection-rules/blob/f52aedf41d6b9203647ff37588b14095137e49d2/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
  • https://github.com/elastic/detection-rules/blob/f52aedf41d6b9203647ff37588b14095137e49d2/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml

Dependent on Integration Fix

  • https://github.com/elastic/integrations/issues/15821

shashank-elastic avatar Oct 31 '25 10:10 shashank-elastic