elastic
diff --git a/‎docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-mfa-enforcement-disabled.asciidoc
Lines changed: 2 additions & 2 deletions b/‎docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-mfa-enforcement-disabled.asciidoc
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-password-policy-modified.asciidoc
Lines changed: 2 additions & 2 deletions b/‎docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-password-policy-modified.asciidoc
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-mfa-disabled-for-google-workspace-organization.asciidoc
Lines changed: 2 additions & 2 deletions b/‎docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-mfa-disabled-for-google-workspace-organization.asciidoc
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-application-added-to-google-workspace-domain.asciidoc
Lines changed: 71 additions & 0 deletions b/‎docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-application-added-to-google-workspace-domain.asciidoc
Lines changed: 71 additions & 0 deletions
diff --git a/‎docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-domain-added-to-google-workspace-trusted-domains.asciidoc
Lines changed: 71 additions & 0 deletions b/‎docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-domain-added-to-google-workspace-trusted-domains.asciidoc
Lines changed: 71 additions & 0 deletions
diff --git a/‎docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-assigned-to-a-user.asciidoc
Lines changed: 82 additions & 0 deletions b/‎docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-assigned-to-a-user.asciidoc
Lines changed: 82 additions & 0 deletions
diff --git a/‎docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-deletion.asciidoc
Lines changed: 71 additions & 0 deletions b/‎docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-deletion.asciidoc
Lines changed: 71 additions & 0 deletions
@@ -45,7 +45,7 @@ Detects when multi-factor authentication (MFA) enforcement is disabled for Googl
 ==== Investigation guide
 
 
-[source, markdown]
+[source, markdown, subs="attributes"]
 ----------------------------------
 ## Config
 
@@ -58,7 +58,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information.
   - https://support.google.com/a/answer/7061566
-  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html
+  - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html
 ----------------------------------
 
 ==== Rule query
 
@@ -43,7 +43,7 @@ Detects when a Google Workspace password policy is modified. An adversary may at
 ==== Investigation guide
 
 
-[source, markdown]
+[source, markdown, subs="attributes"]
 ----------------------------------
 ## Config
 
@@ -56,7 +56,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information.
   - https://support.google.com/a/answer/7061566
-  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html
+  - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html
 ----------------------------------
 
 ==== Rule query
 
@@ -43,7 +43,7 @@ Detects when multi-factor authentication (MFA) is disabled for a Google Workspac
 ==== Investigation guide
 
 
-[source, markdown]
+[source, markdown, subs="attributes"]
 ----------------------------------
 ## Config
 
@@ -56,7 +56,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
 - See the following references for further information.
   - https://support.google.com/a/answer/7061566
-  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html
+  - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html
 ----------------------------------
 
 ==== Rule query
 
@@ -0,0 +1,71 @@
+[[prebuilt-rule-0-14-1-application-added-to-google-workspace-domain]]
+=== Application Added to Google Workspace Domain
+
+Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization’s Google Workspace domain in order to maintain a presence in their target’s organization and steal data.
+
+*Rule type*: query
+
+*Rule indices*: 
+
+* filebeat-*
+* logs-google_workspace*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 10m
+
+*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: 
+
+* https://support.google.com/a/answer/6328701?hl=en#
+
+*Tags*: 
+
+* Elastic
+* Cloud
+* Google Workspace
+* Continuous Monitoring
+* SecOps
+* Configuration Audit
+
+*Version*: 5
+
+*Rule authors*: 
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown, subs="attributes"]
+----------------------------------
+## Config
+
+The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+### Important Information Regarding Google Workspace Event Lag Times
+- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
+- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
+- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
+- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
+- See the following references for further information:
+  - https://support.google.com/a/answer/7061566
+  - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION
+
+----------------------------------
@@ -0,0 +1,71 @@
+[[prebuilt-rule-0-14-1-domain-added-to-google-workspace-trusted-domains]]
+=== Domain Added to Google Workspace Trusted Domains
+
+Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target’s organization with less restrictive security controls.
+
+*Rule type*: query
+
+*Rule indices*: 
+
+* filebeat-*
+* logs-google_workspace*
+
+*Severity*: high
+
+*Risk score*: 73
+
+*Runs every*: 10m
+
+*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: 
+
+* https://support.google.com/a/answer/6160020?hl=en
+
+*Tags*: 
+
+* Elastic
+* Cloud
+* Google Workspace
+* Continuous Monitoring
+* SecOps
+* Configuration Audit
+
+*Version*: 5
+
+*Rule authors*: 
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown, subs="attributes"]
+----------------------------------
+## Config
+
+The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+### Important Information Regarding Google Workspace Event Lag Times
+- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
+- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
+- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
+- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
+- See the following references for further information:
+  - https://support.google.com/a/answer/7061566
+  - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS
+
+----------------------------------
@@ -0,0 +1,82 @@
+[[prebuilt-rule-0-14-1-google-workspace-admin-role-assigned-to-a-user]]
+=== Google Workspace Admin Role Assigned to a User
+
+Detects when an admin role is assigned to a Google Workspace user. An adversary may assign an admin role to a user in order to elevate the permissions of another user account and persist in their target’s environment.
+
+*Rule type*: query
+
+*Rule indices*: 
+
+* filebeat-*
+* logs-google_workspace*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 10m
+
+*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: 
+
+* https://support.google.com/a/answer/172176?hl=en
+
+*Tags*: 
+
+* Elastic
+* Cloud
+* Google Workspace
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 5
+
+*Rule authors*: 
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown, subs="attributes"]
+----------------------------------
+## Config
+
+The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+### Important Information Regarding Google Workspace Event Lag Times
+- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
+- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
+- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
+- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
+- See the following references for further information:
+  - https://support.google.com/a/answer/7061566
+  - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:ASSIGN_ROLE
+
+----------------------------------
+
+*Framework*: MITRE ATT&CK^TM^
+
+* Tactic:
+** Name: Persistence
+** ID: TA0003
+** Reference URL: https://attack.mitre.org/tactics/TA0003/
+* Technique:
+** Name: Account Manipulation
+** ID: T1098
+** Reference URL: https://attack.mitre.org/techniques/T1098/
@@ -0,0 +1,71 @@
+[[prebuilt-rule-0-14-1-google-workspace-admin-role-deletion]]
+=== Google Workspace Admin Role Deletion
+
+Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators.
+
+*Rule type*: query
+
+*Rule indices*: 
+
+* filebeat-*
+* logs-google_workspace*
+
+*Severity*: medium
+
+*Risk score*: 47
+
+*Runs every*: 10m
+
+*Searches indices from*: now-130m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)
+
+*Maximum alerts per execution*: 100
+
+*References*: 
+
+* https://support.google.com/a/answer/2406043?hl=en
+
+*Tags*: 
+
+* Elastic
+* Cloud
+* Google Workspace
+* Continuous Monitoring
+* SecOps
+* Identity and Access
+
+*Version*: 5
+
+*Rule authors*: 
+
+* Elastic
+
+*Rule license*: Elastic License v2
+
+
+==== Investigation guide
+
+
+[source, markdown, subs="attributes"]
+----------------------------------
+## Config
+
+The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+### Important Information Regarding Google Workspace Event Lag Times
+- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
+- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
+- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
+- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
+- See the following references for further information:
+  - https://support.google.com/a/answer/7061566
+  - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html
+----------------------------------
+
+==== Rule query
+
+
+[source, js]
+----------------------------------
+event.dataset:(gsuite.admin or google_workspace.admin) and event.provider:admin and event.category:iam and event.action:DELETE_ROLE
+
+----------------------------------