diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
index 62c416df9..dbe8480ee 100644
--- a/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
+++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/03/30"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/19"
 
 [rule]
 author = ["Elastic"]
@@ -59,6 +59,7 @@ OAuth is a protocol that allows third-party applications to access user data wit
 - Review and update OAuth application permissions and policies to ensure that only trusted applications have access to sensitive data and services.
 
 ## Setup
+
 The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 ### Important Information Regarding Google Workspace Event Lag Times
 - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
diff --git a/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml b/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml
index 1a25f272c..46a1d328e 100644
--- a/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml
+++ b/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/03/07"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2025/02/19"
 
 [rule]
 author = ["Elastic"]
@@ -71,6 +71,7 @@ This rule aims to detect when a user copies an external Drive object to their Dr
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 
 ## Setup
+
 The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 ### Important Information Regarding Google Workspace Event Lag Times
 - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
diff --git a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
index b5d000ff9..198052a76 100644
--- a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
+++ b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/19"
 min_stack_version = "8.15.0"
 min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
@@ -39,6 +39,7 @@ This rule detects the first occurrence of an Okta user session started via a pro
 - Conduct a review of Okta policies and ensure they are in accordance with security best practices.
 
 ## Setup
+
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 """
 references = [
diff --git a/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml b/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
index 62e93f7dd..7afee2022 100644
--- a/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
+++ b/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/09"
 integration = ["endpoint", "okta"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/19"
 min_stack_version = "8.15.0"
 min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
@@ -53,6 +53,7 @@ Typically, adversaries initially extract credentials from targeted endpoints thr
 - With the device ID captured from the MFA factor reset, search across all Okta logs for any other activity associated with the device ID.
 
 ## Setup
+
 The Okta and Elastic Defend fleet integration structured data is required to be compatible with this rule. Directory services integration in Okta with AD synced is also required for this rule to be effective as it relies on triaging `user.name` from Okta and Elastic Defend events.
 """
 references = [