From 2246ba375712732de2ce465d8d35f112b9f8977f Mon Sep 17 00:00:00 2001 
From: James Rodewig
Date: Wed, 26 Jan 2022 11:53:18 -0500
Subject: [PATCH] [DOCS] Fix links to filebeat Google Workspace module (#1441)

Updates links to the [Filebeat Google Workspace module](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html) so they don't break when we change the current Stack version to 8.0.

Relates to https://github.com/elastic/docs/pull/2312

(cherry picked from commit 325d4016fb45c048b6e96611880b3b48bb9a8bea)

# Conflicts:
#	docs/detections/prebuilt-rules/rule-details/application-added-to-google-workspace-domain.asciidoc
#	docs/detections/prebuilt-rules/rule-details/domain-added-to-google-workspace-trusted-domains.asciidoc
#	docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-assigned-to-a-user.asciidoc
#	docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-deletion.asciidoc
#	docs/detections/prebuilt-rules/rule-details/google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc
#	docs/detections/prebuilt-rules/rule-details/google-workspace-custom-admin-role-created.asciidoc
#	docs/detections/prebuilt-rules/rule-details/google-workspace-mfa-enforcement-disabled.asciidoc
#	docs/detections/prebuilt-rules/rule-details/google-workspace-password-policy-modified.asciidoc
#	docs/detections/prebuilt-rules/rule-details/google-workspace-role-modified.asciidoc
#	docs/detections/prebuilt-rules/rule-details/mfa-disabled-for-google-workspace-organization.asciidoc
---
 ...ogle-workspace-mfa-enforcement-disabled.asciidoc | 4 ++--
 ...ogle-workspace-password-policy-modified.asciidoc | 4 ++--
 ...abled-for-google-workspace-organization.asciidoc | 4 ++--
 ...cation-added-to-google-workspace-domain.asciidoc | 4 ++--
 ...ded-to-google-workspace-trusted-domains.asciidoc | 4 ++--
 ...workspace-admin-role-assigned-to-a-user.asciidoc | 4 ++--
 ...-1-google-workspace-admin-role-deletion.asciidoc | 4 ++--
 ...via-domain-wide-delegation-of-authority.asciidoc | 4 ++--
...gle-workspace-custom-admin-role-created.asciidoc | 4 ++-- ...ogle-workspace-mfa-enforcement-disabled.asciidoc | 4 ++-- ...ogle-workspace-password-policy-modified.asciidoc | 4 ++-- ...e-0-14-1-google-workspace-role-modified.asciidoc | 4 ++-- ...abled-for-google-workspace-organization.asciidoc | 4 ++-- ...cation-added-to-google-workspace-domain.asciidoc | 13 +++++++++++++ ...ded-to-google-workspace-trusted-domains.asciidoc | 13 +++++++++++++ ...workspace-admin-role-assigned-to-a-user.asciidoc | 13 +++++++++++++ .../google-workspace-admin-role-deletion.asciidoc | 13 +++++++++++++ ...via-domain-wide-delegation-of-authority.asciidoc | 13 +++++++++++++ ...gle-workspace-custom-admin-role-created.asciidoc | 13 +++++++++++++ ...ogle-workspace-mfa-enforcement-disabled.asciidoc | 13 +++++++++++++ ...ogle-workspace-password-policy-modified.asciidoc | 13 +++++++++++++ .../google-workspace-role-modified.asciidoc | 13 +++++++++++++ ...abled-for-google-workspace-organization.asciidoc | 13 +++++++++++++ 23 files changed, 156 insertions(+), 26 deletions(-) diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-mfa-enforcement-disabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-mfa-enforcement-disabled.asciidoc index 45b97751d8..e4fda1843f 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-mfa-enforcement-disabled.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-mfa-enforcement-disabled.asciidoc @@ -45,7 +45,7 @@ Detects when multi-factor authentication (MFA) enforcement is disabled for Googl ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config 
@@ -58,7 +58,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-password-policy-modified.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-password-policy-modified.asciidoc index b3a22ce201..43412eb473 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-password-policy-modified.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-password-policy-modified.asciidoc @@ -43,7 +43,7 @@ Detects when a Google Workspace password policy is modified. An adversary may at ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -56,7 +56,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-mfa-disabled-for-google-workspace-organization.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-mfa-disabled-for-google-workspace-organization.asciidoc index a65e2fab4c..fbc9fd70e6 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-mfa-disabled-for-google-workspace-organization.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-mfa-disabled-for-google-workspace-organization.asciidoc @@ -43,7 +43,7 @@ Detects when multi-factor authentication (MFA) is disabled for a Google Workspac ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -56,7 +56,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-application-added-to-google-workspace-domain.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-application-added-to-google-workspace-domain.asciidoc index 5ce1262635..9813e3ddf0 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-application-added-to-google-workspace-domain.asciidoc 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-application-added-to-google-workspace-domain.asciidoc @@ -45,7 +45,7 @@ Detects when a Google marketplace application is added to the Google Workspace d ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -58,7 +58,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-domain-added-to-google-workspace-trusted-domains.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-domain-added-to-google-workspace-trusted-domains.asciidoc index 4bc2e036d4..027bdc0a5c 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-domain-added-to-google-workspace-trusted-domains.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-domain-added-to-google-workspace-trusted-domains.asciidoc @@ -45,7 +45,7 @@ Detects when a domain is added to the list of trusted Google Workspace domains. ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config 
@@ -58,7 +58,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-assigned-to-a-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-assigned-to-a-user.asciidoc index dae91a22fb..7c2385d36e 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-assigned-to-a-user.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-assigned-to-a-user.asciidoc @@ -45,7 +45,7 @@ Detects when an admin role is assigned to a Google Workspace user. An adversary ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -58,7 +58,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-deletion.asciidoc index 9009ffe597..26d2f1a43e 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-deletion.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-deletion.asciidoc @@ -45,7 +45,7 @@ Detects when a custom admin role is deleted. An adversary may delete a custom ad ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -58,7 +58,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc index 52e4532439..ae43d5c0f5 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc @@ -45,7 +45,7 @@ Detects when a domain-wide delegation of authority is granted to a service accou ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -58,7 +58,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-custom-admin-role-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-custom-admin-role-created.asciidoc index 7431439452..fad40e72f5 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-custom-admin-role-created.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-custom-admin-role-created.asciidoc @@ -45,7 +45,7 @@ Detects when a custom admin role is created in Google Workspace. An adversary ma ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config 
@@ -58,7 +58,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-mfa-enforcement-disabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-mfa-enforcement-disabled.asciidoc index f14ea0f2b8..0490ff1bda 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-mfa-enforcement-disabled.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-mfa-enforcement-disabled.asciidoc @@ -45,7 +45,7 @@ Detects when multi-factor authentication (MFA) enforcement is disabled for Googl ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -58,7 +58,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-password-policy-modified.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-password-policy-modified.asciidoc index 5ccdcb0f3b..ab2455a0b7 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-password-policy-modified.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-password-policy-modified.asciidoc @@ -43,7 +43,7 @@ Detects when a Google Workspace password policy is modified. An adversary may at ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -56,7 +56,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-role-modified.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-role-modified.asciidoc index 55a1adce01..d175dd11b7 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-role-modified.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-role-modified.asciidoc 
@@ -45,7 +45,7 @@ Detects when a custom admin role or its permissions are modified. An adversary m ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -58,7 +58,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-mfa-disabled-for-google-workspace-organization.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-mfa-disabled-for-google-workspace-organization.asciidoc index 963fdc91d8..02b960b2c1 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-mfa-disabled-for-google-workspace-organization.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-mfa-disabled-for-google-workspace-organization.asciidoc @@ -43,7 +43,7 @@ Detects when multi-factor authentication (MFA) is disabled for a Google Workspac ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config 
@@ -56,7 +56,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/rule-details/application-added-to-google-workspace-domain.asciidoc b/docs/detections/prebuilt-rules/rule-details/application-added-to-google-workspace-domain.asciidoc index f825d02ec3..7f1ba87ae1 100644 --- a/docs/detections/prebuilt-rules/rule-details/application-added-to-google-workspace-domain.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/application-added-to-google-workspace-domain.asciidoc @@ -49,7 +49,14 @@ Applications can be added to a Google Workspace domain by system administrators. ==== Investigation guide +<<<<<<< HEAD *Config* +======= + +[source, markdown, subs="attributes"] +---------------------------------- +## Config +>>>>>>> 325d401 ([DOCS] Fix links to filebeat Google Workspace module (#1441)) The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
@@ -60,7 +67,13 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 +<<<<<<< HEAD - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +======= + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + +>>>>>>> 325d401 ([DOCS] Fix links to filebeat Google Workspace module (#1441)) ==== Rule query diff --git a/docs/detections/prebuilt-rules/rule-details/domain-added-to-google-workspace-trusted-domains.asciidoc b/docs/detections/prebuilt-rules/rule-details/domain-added-to-google-workspace-trusted-domains.asciidoc index 598a1d4377..a109a6b620 100644 --- a/docs/detections/prebuilt-rules/rule-details/domain-added-to-google-workspace-trusted-domains.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/domain-added-to-google-workspace-trusted-domains.asciidoc @@ -49,7 +49,14 @@ Trusted domains may be added by system administrators. Verify that the configura ==== Investigation guide +<<<<<<< HEAD *Config* +======= + +[source, markdown, subs="attributes"] +---------------------------------- +## Config +>>>>>>> 325d401 ([DOCS] Fix links to filebeat Google Workspace module (#1441)) The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
@@ -60,7 +67,13 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 +<<<<<<< HEAD - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +======= + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + +>>>>>>> 325d401 ([DOCS] Fix links to filebeat Google Workspace module (#1441)) ==== Rule query diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-assigned-to-a-user.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-assigned-to-a-user.asciidoc index ca967712f1..dfb1746a9c 100644 --- a/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-assigned-to-a-user.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-assigned-to-a-user.asciidoc @@ -49,7 +49,14 @@ Google Workspace admin role assignments may be modified by system administrators ==== Investigation guide +<<<<<<< HEAD *Config* +======= + +[source, markdown, subs="attributes"] +---------------------------------- +## Config +>>>>>>> 325d401 ([DOCS] Fix links to filebeat Google Workspace module (#1441)) The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
@@ -60,7 +67,13 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 +<<<<<<< HEAD - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +======= + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + +>>>>>>> 325d401 ([DOCS] Fix links to filebeat Google Workspace module (#1441)) ==== Rule query diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-deletion.asciidoc index 6f3a809c75..435a5ac805 100644 --- a/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-deletion.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-deletion.asciidoc @@ -49,7 +49,14 @@ Google Workspace admin roles may be deleted by system administrators. Verify tha ==== Investigation guide +<<<<<<< HEAD *Config* +======= + +[source, markdown, subs="attributes"] +---------------------------------- +## Config +>>>>>>> 325d401 ([DOCS] Fix links to filebeat Google Workspace module (#1441)) The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
@@ -60,7 +67,13 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 +<<<<<<< HEAD - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +======= + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + +>>>>>>> 325d401 ([DOCS] Fix links to filebeat Google Workspace module (#1441)) ==== Rule query diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc index 9ba159ba1d..e9b0eae97c 100644 --- a/docs/detections/prebuilt-rules/rule-details/google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc @@ -49,7 +49,14 @@ Domain-wide delegation of authority may be granted to service accounts by system ==== Investigation guide +<<<<<<< HEAD *Config* +======= + +[source, markdown, subs="attributes"] +---------------------------------- +## Config +>>>>>>> 325d401 ([DOCS] Fix links to filebeat Google Workspace module (#1441)) The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
@@ -60,7 +67,13 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 +<<<<<<< HEAD - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +======= + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + +>>>>>>> 325d401 ([DOCS] Fix links to filebeat Google Workspace module (#1441)) ==== Rule query diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-custom-admin-role-created.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-custom-admin-role-created.asciidoc index 9d4b535d9a..40c3ad4066 100644 --- a/docs/detections/prebuilt-rules/rule-details/google-workspace-custom-admin-role-created.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-custom-admin-role-created.asciidoc @@ -49,7 +49,14 @@ Custom Google Workspace admin roles may be created by system administrators. Ver ==== Investigation guide +<<<<<<< HEAD *Config* +======= + +[source, markdown, subs="attributes"] +---------------------------------- +## Config +>>>>>>> 325d401 ([DOCS] Fix links to filebeat Google Workspace module (#1441)) The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
@@ -60,7 +67,13 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 +<<<<<<< HEAD - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +======= + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + +>>>>>>> 325d401 ([DOCS] Fix links to filebeat Google Workspace module (#1441)) ==== Rule query diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-mfa-enforcement-disabled.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-mfa-enforcement-disabled.asciidoc index a978018b58..9c6df9ecdb 100644 --- a/docs/detections/prebuilt-rules/rule-details/google-workspace-mfa-enforcement-disabled.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-mfa-enforcement-disabled.asciidoc @@ -49,7 +49,14 @@ MFA policies may be modified by system administrators. Verify that the configura ==== Investigation guide +<<<<<<< HEAD *Config* +======= + +[source, markdown, subs="attributes"] +---------------------------------- +## Config +>>>>>>> 325d401 ([DOCS] Fix links to filebeat Google Workspace module (#1441)) The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
@@ -60,7 +67,13 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 +<<<<<<< HEAD - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +======= + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + +>>>>>>> 325d401 ([DOCS] Fix links to filebeat Google Workspace module (#1441)) ==== Rule query diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-password-policy-modified.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-password-policy-modified.asciidoc index c312173f62..39f98bd612 100644 --- a/docs/detections/prebuilt-rules/rule-details/google-workspace-password-policy-modified.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-password-policy-modified.asciidoc @@ -45,7 +45,14 @@ Password policies may be modified by system administrators. Verify that the conf ==== Investigation guide +<<<<<<< HEAD *Config* +======= + +[source, markdown, subs="attributes"] +---------------------------------- +## Config +>>>>>>> 325d401 ([DOCS] Fix links to filebeat Google Workspace module (#1441)) The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
@@ -56,7 +63,13 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 +<<<<<<< HEAD - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +======= + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + +>>>>>>> 325d401 ([DOCS] Fix links to filebeat Google Workspace module (#1441)) ==== Rule query diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-role-modified.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-role-modified.asciidoc index d02374f3ac..dbebc50409 100644 --- a/docs/detections/prebuilt-rules/rule-details/google-workspace-role-modified.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-role-modified.asciidoc @@ -49,7 +49,14 @@ Google Workspace admin roles may be modified by system administrators. Verify th ==== Investigation guide +<<<<<<< HEAD *Config* +======= + +[source, markdown, subs="attributes"] +---------------------------------- +## Config +>>>>>>> 325d401 ([DOCS] Fix links to filebeat Google Workspace module (#1441)) The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
@@ -60,7 +67,13 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 +<<<<<<< HEAD - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +======= + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + +>>>>>>> 325d401 ([DOCS] Fix links to filebeat Google Workspace module (#1441)) ==== Rule query diff --git a/docs/detections/prebuilt-rules/rule-details/mfa-disabled-for-google-workspace-organization.asciidoc b/docs/detections/prebuilt-rules/rule-details/mfa-disabled-for-google-workspace-organization.asciidoc index 208dee1366..afc3d497fd 100644 --- a/docs/detections/prebuilt-rules/rule-details/mfa-disabled-for-google-workspace-organization.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/mfa-disabled-for-google-workspace-organization.asciidoc @@ -45,7 +45,14 @@ MFA settings may be modified by system administrators. Verify that the configura ==== Investigation guide +<<<<<<< HEAD *Config* +======= + +[source, markdown, subs="attributes"] +---------------------------------- +## Config +>>>>>>> 325d401 ([DOCS] Fix links to filebeat Google Workspace module (#1441)) The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
@@ -56,7 +63,13 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 +<<<<<<< HEAD - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html +======= + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html +---------------------------------- + +>>>>>>> 325d401 ([DOCS] Fix links to filebeat Google Workspace module (#1441)) ==== Rule query
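Review bot: The `==== Investigation guide` hunks (`@@ -49,7 +49,14 @@` and `@@ -45,7 +45,14 @@`) add the cherry-pick conflict markers `<<<<<<< HEAD`, `=======` and `>>>>>>> 325d401 (...)` as `+` lines, so they become part of the asciidoc source and both `*Config*` and `## Config` end up in the file. Resolve the conflict before committing: keep either the `*Config*` heading or the `[source, markdown, subs="attributes"]` block that starts with `## Config`, and drop the three marker lines. The same applies to each file shown here (google-workspace-mfa-enforcement-disabled, google-workspace-password-policy-modified, google-workspace-role-modified, mfa-disabled-for-google-workspace-organization).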
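Review bot: In the reference-list hunks (`@@ -60,7 +67,13 @@` and `@@ -56,7 +63,13 @@`) the old `current/filebeat-module-gsuite.html` link is still an unchanged context line, now sitting between `<<<<<<< HEAD` and `=======`, so the link this commit sets out to fix is never removed and the `{branch}/filebeat-module-google_workspace.html` link is only added beside it. Resolve to the `{branch}` link alone and remove the markers. The closing `----------------------------------` added in these hunks is only valid if the matching `[source, markdown, subs="attributes"]` opener from the preceding hunk of the same file is kept; if the conflict is resolved toward `*Config*`, that delimiter must go as well or it opens an unterminated block ahead of `==== Rule query`.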