[Rule Tuning] Google Workspace ruleset audit and tuning. #5270

@shashank-elastic

Link to Rule

https://github.com/elastic/detection-rules/tree/ee0dda80fbbfb3aebdb2d5fb9221575dafeb1168/rules/integrations/google_workspace

Rule Tuning Type

Contextual Tuning - Customizing rules based on specific environment factors.

Description

Based on the recent announcement of enhanced-admin-audit-log-events and a detailed support article of what is being changed in Google Workspace enhanced admin audit log events, some of these changes captured below directly affect our current ruleset.

The updates involve changes to event names, event types, and the volume of these affected log events. Some legacy events may be redundant as a part of this change. If you're using any legacy events, some of the updates might require changes to your existing queries, alerts, and reports to get the full benefit of the changes. Both the new and old events will continue to be available for you to make the necessary changes.

Evaluate the impact of these changes on the current ruleset of Google Workspace in detection-rules

Example Rules

Sample rules that need to be checked from the existing google workspace ruleset.

https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml
https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
https://github.com/elastic/detection-rules/blob/f52aedf41d6b9203647ff37588b14095137e49d2/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
https://github.com/elastic/detection-rules/blob/f52aedf41d6b9203647ff37588b14095137e49d2/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml

Dependent on Integration Fix
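One way to do the evaluation the issue asks for is to pull the `event.action` and `event.type` terms out of every rule's KQL query and cross-reference them against the list of renamed or retired events. The script below is an added example, not code from the issue or from elastic/detection-rules. The two rule documents in it are constructed to mirror the layout of the repo's TOML rules (a `[rule]` table with `name` and a `'''`-quoted `query`); their queries use placeholder event names, and `CHANGED_EVENTS_PLACEHOLDER` is likewise a stand-in that has to be filled from Google's support article before the audit means anything. Point `audit()` at the real files by reading each `.toml` in `rules/integrations/google_workspace` into the dict it takes.

```python
"""Audit Elastic detection rules for the Google Workspace admin event names and
event types their KQL queries depend on.

Added example, not code from elastic/detection-rules. SAMPLE_RULES and
CHANGED_EVENTS_PLACEHOLDER are constructed inputs: the rule layout mirrors the
repo's TOML files, but the event names are placeholders, not Google's events.
"""
import re

try:
    import tomllib  # Python 3.11+; the fallback below covers older interpreters
except ImportError:  # pragma: no cover
    tomllib = None

# Constructed rule documents, shaped like the repo's TOML rules.
SAMPLE_RULES = {
    "persistence_example_rule_a.toml": """
[metadata]
creation_date = "2020/11/17"
integration = ["google_workspace"]

[rule]
name = "Example A: Google Workspace Setting Modified"
index = ["filebeat-*", "logs-google_workspace*"]
language = "kuery"
type = "query"
query = '''
event.dataset:"google_workspace.admin" and event.action:"EXAMPLE_LEGACY_EVENT" and
  event.type:(change or deletion) and event.category:(iam or configuration)
'''
""",
    "defense_evasion_example_rule_b.toml": """
[metadata]
creation_date = "2020/11/17"
integration = ["google_workspace"]

[rule]
name = "Example B: Google Workspace Restriction Modified"
index = ["filebeat-*", "logs-google_workspace*"]
language = "kuery"
type = "query"
query = '''
event.dataset:"google_workspace.admin" and
  event.action:("EXAMPLE_EVENT_ONE" or "EXAMPLE_EVENT_TWO") and event.category:(iam or configuration)
'''
""",
}

# Placeholder: replace with the legacy event names listed in Google's support
# article. The single entry here is constructed so the sample audit flags something.
CHANGED_EVENTS_PLACEHOLDER = {"EXAMPLE_LEGACY_EVENT"}

# Matches field:"quoted", field:(a or b) and field:bare forms of a KQL term.
TERM_RE = r'(?<![\w.]){field}\s*:\s*(?:"([^"]*)"|\(([^)]*)\)|([^\s()]+))'


def load_rule(text: str) -> dict:
    """Return the rule name and query from one TOML rule document."""
    if tomllib is not None:
        rule = tomllib.loads(text)["rule"]
        return {"name": rule["name"], "query": rule["query"]}
    # Fallback for Python < 3.11: pull just the two fields with regexes.
    name = re.search(r'^name\s*=\s*"([^"]*)"', text, re.M).group(1)
    query = re.search(r"^query\s*=\s*'''(.*?)'''", text, re.M | re.S).group(1)
    return {"name": name, "query": query}


def extract_terms(query: str, field: str) -> set:
    """Collect every value the query compares `field` against."""
    terms = set()
    pattern = TERM_RE.format(field=re.escape(field))
    for quoted, grouped, bare in re.findall(pattern, query):
        if quoted:
            terms.add(quoted)
        elif grouped:
            # Split "a or b" / "a and b" groups and drop surrounding quotes.
            for part in re.split(r"\b(?:or|and)\b", grouped):
                part = part.strip().strip('"')
                if part:
                    terms.add(part)
        else:
            terms.add(bare)
    return terms


def audit(rule_files: dict, changed_events: set) -> dict:
    """Map each rule file to the event terms it uses and those on the changed list."""
    report = {}
    for filename, text in rule_files.items():
        rule = load_rule(text)
        actions = extract_terms(rule["query"], "event.action")
        types = extract_terms(rule["query"], "event.type")
        report[filename] = {
            "name": rule["name"],
            "actions": sorted(actions),
            "types": sorted(types),
            "flagged": sorted(actions & changed_events),
        }
    return report


if __name__ == "__main__":
    for filename, entry in audit(SAMPLE_RULES, CHANGED_EVENTS_PLACEHOLDER).items():
        status = "NEEDS REVIEW" if entry["flagged"] else "ok"
        print(f"{status:12} {filename}: actions={entry['actions']} "
              f"types={entry['types']} flagged={entry['flagged']}")
```

The report deliberately lists every `event.action` and `event.type` term, not only the flagged ones, because the announcement also changes event types and volumes: a rule whose action name survives can still break on an `event.type` filter or start firing far more often, so each listed term is worth checking against the support article rather than just the flagged subset.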
