[Rule Tuning] Update Google Workspace rules to use google_workspace event schema (#1374)

* use google_workspace event schema

* update to use google_workspace schema

rules/google-workspace/google_workspace_mfa_enforcement_disabled.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/21"
 
 [rule]
 author = ["Elastic"]
@@ -42,6 +42,6 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and gsuite.admin.new_value:false
+event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false)
 '''
 

rules/google-workspace/google_workspace_policy_modified.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/21"
 
 [rule]
 author = ["Elastic"]
@@ -51,6 +51,14 @@ event.dataset:(gsuite.admin or google_workspace.admin) and
     "Password Management - Enforce password policy at next login" or
     "Password Management - Minimum password length" or
     "Password Management - Maximum password length"
+  ) or
+  google_workspace.admin.setting.name:(
+    "Password Management - Enforce strong password" or
+    "Password Management - Password reset frequency" or
+    "Password Management - Enable password reuse" or
+    "Password Management - Enforce password policy at next login" or
+    "Password Management - Minimum password length" or
+    "Password Management - Maximum password length"
   )
 '''
 

rules/google-workspace/mfa_disabled_for_google_workspace_organization.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/21"
 
 [rule]
 author = ["Elastic"]
@@ -41,6 +41,6 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and gsuite.admin.new_value:false
+event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false)
 '''