[Rule Tuning] Update Google Workspace rules to remove compatibility with deprecated gsuite integration (#1706)

* Adjust queries and min_stack_version
* Update reference to the filebeat module
* adjust min_stack_version

rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/01/13"
 integration = "google_workspace"
+min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
+min_stack_version = "8.0"
 
 [rule]
 author = ["Elastic"]
@@ -34,7 +36,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
   - https://support.google.com/a/answer/7061566
-  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html"""
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
 references = ["https://support.google.com/a/answer/6328701?hl=en#"]
 risk_score = 47
 rule_id = "785a404b-75aa-4ffd-8be5-3334a5a544dd"
@@ -44,6 +46,6 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION
+event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION
 '''
 

rules/integrations/google_workspace/domain_added_to_google_workspace_trusted_domains.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/01/13"
 integration = "google_workspace"
+min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
+min_stack_version = "8.0"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +35,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
   - https://support.google.com/a/answer/7061566
-  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html"""
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
 references = ["https://support.google.com/a/answer/6160020?hl=en"]
 risk_score = 73
 rule_id = "cf549724-c577-4fd6-8f9b-d1b8ec519ec0"
@@ -43,6 +45,6 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS
+event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS
 '''
 

rules/integrations/google_workspace/google_workspace_admin_role_deletion.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/01/13"
 integration = "google_workspace"
+min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
+min_stack_version = "8.0"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +35,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
   - https://support.google.com/a/answer/7061566
-  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html"""
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
 references = ["https://support.google.com/a/answer/2406043?hl=en"]
 risk_score = 47
 rule_id = "93e63c3e-4154-4fc6-9f86-b411e0987bbf"
@@ -43,6 +45,6 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:DELETE_ROLE
+event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE
 '''
 

rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/07/21"
+updated_date = "2022/01/13"
 integration = "google_workspace"
+min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
+min_stack_version = "8.0"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +35,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
   - https://support.google.com/a/answer/7061566
-  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html"""
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
 references = ["https://support.google.com/a/answer/9176657?hl=en#"]
 risk_score = 47
 rule_id = "cad4500a-abd7-4ef3-b5d3-95524de7cfe1"
@@ -43,6 +45,6 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false)
+event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and google_workspace.admin.new_value:false
 '''
 

rules/integrations/google_workspace/google_workspace_policy_modified.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/07/21"
+updated_date = "2022/01/13"
 integration = "google_workspace"
+min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
+min_stack_version = "8.0"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +35,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
   - https://support.google.com/a/answer/7061566
-  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html"""
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
 risk_score = 47
 rule_id = "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73"
 severity = "medium"
@@ -42,17 +44,8 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:(gsuite.admin or google_workspace.admin) and
-  event.provider:admin and event.category:iam and
+event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and
   event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and
-  gsuite.admin.setting.name:(
-    "Password Management - Enforce strong password" or
-    "Password Management - Password reset frequency" or
-    "Password Management - Enable password reuse" or
-    "Password Management - Enforce password policy at next login" or
-    "Password Management - Minimum password length" or
-    "Password Management - Maximum password length"
-  ) or
   google_workspace.admin.setting.name:(
     "Password Management - Enforce strong password" or
     "Password Management - Password reset frequency" or

rules/integrations/google_workspace/mfa_disabled_for_google_workspace_organization.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/07/21"
+updated_date = "2022/01/13"
 integration = "google_workspace"
+min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
+min_stack_version = "8.0"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +35,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
   - https://support.google.com/a/answer/7061566
-  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html"""
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
 risk_score = 47
 rule_id = "e555105c-ba6d-481f-82bb-9b633e7b4827"
 severity = "medium"
@@ -42,6 +44,6 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and (gsuite.admin.new_value:false or google_workspace.admin.new_value:false)
+event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false
 '''
 

rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/01/13"
 integration = "google_workspace"
+min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
+min_stack_version = "8.0"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +35,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
   - https://support.google.com/a/answer/7061566
-  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html"""
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
 references = ["https://support.google.com/a/answer/172176?hl=en"]
 risk_score = 47
 rule_id = "68994a6c-c7ba-4e82-b476-26a26877adf6"
@@ -43,7 +45,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ASSIGN_ROLE
+event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ASSIGN_ROLE
 '''
 
 

rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/12"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/01/13"
 integration = "google_workspace"
+min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
+min_stack_version = "8.0"
 
 [rule]
 author = ["Elastic"]
@@ -34,7 +36,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
   - https://support.google.com/a/answer/7061566
-  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html"""
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
 references = ["https://developers.google.com/admin-sdk/directory/v1/guides/delegation"]
 risk_score = 47
 rule_id = "acbc8bb9-2486-49a8-8779-45fb5f9a93ee"
@@ -44,7 +46,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS
+event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS
 '''
 
 

rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/01/13"
 integration = "google_workspace"
+min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
+min_stack_version = "8.0"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +35,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
   - https://support.google.com/a/answer/7061566
-  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html"""
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
 references = ["https://support.google.com/a/answer/2406043?hl=en"]
 risk_score = 47
 rule_id = "ad3f2807-2b3e-47d7-b282-f84acbbe14be"
@@ -43,7 +45,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:CREATE_ROLE
+event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE
 '''
 
 

rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml

@@ -1,8 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/01/13"
 integration = "google_workspace"
+min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
+min_stack_version = "8.0"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +35,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information:
   - https://support.google.com/a/answer/7061566
-  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html"""
+  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
 references = ["https://support.google.com/a/answer/2406043?hl=en"]
 risk_score = 47
 rule_id = "6f435062-b7fc-4af9-acea-5b1ead65c5a5"
@@ -43,7 +45,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)
+event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)
 '''