diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-mfa-enforcement-disabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-mfa-enforcement-disabled.asciidoc index 45b97751d8..e4fda1843f 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-mfa-enforcement-disabled.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-mfa-enforcement-disabled.asciidoc @@ -45,7 +45,7 @@ Detects when multi-factor authentication (MFA) enforcement is disabled for Googl ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -58,7 +58,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-password-policy-modified.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-password-policy-modified.asciidoc index b3a22ce201..43412eb473 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-password-policy-modified.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-google-workspace-password-policy-modified.asciidoc @@ -43,7 +43,7 @@ Detects when a Google Workspace password policy is modified. An adversary may at ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -56,7 +56,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-mfa-disabled-for-google-workspace-organization.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-mfa-disabled-for-google-workspace-organization.asciidoc index a65e2fab4c..fbc9fd70e6 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-mfa-disabled-for-google-workspace-organization.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-13-3/prebuilt-rule-0-13-3-mfa-disabled-for-google-workspace-organization.asciidoc @@ -43,7 +43,7 @@ Detects when multi-factor authentication (MFA) is disabled for a Google Workspac ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -56,7 +56,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information. - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-application-added-to-google-workspace-domain.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-application-added-to-google-workspace-domain.asciidoc index 5ce1262635..9813e3ddf0 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-application-added-to-google-workspace-domain.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-application-added-to-google-workspace-domain.asciidoc @@ -45,7 +45,7 @@ Detects when a Google marketplace application is added to the Google Workspace d ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -58,7 +58,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-domain-added-to-google-workspace-trusted-domains.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-domain-added-to-google-workspace-trusted-domains.asciidoc index 4bc2e036d4..027bdc0a5c 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-domain-added-to-google-workspace-trusted-domains.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-domain-added-to-google-workspace-trusted-domains.asciidoc @@ -45,7 +45,7 @@ Detects when a domain is added to the list of trusted Google Workspace domains. ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -58,7 +58,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-assigned-to-a-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-assigned-to-a-user.asciidoc index dae91a22fb..7c2385d36e 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-assigned-to-a-user.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-assigned-to-a-user.asciidoc @@ -45,7 +45,7 @@ Detects when an admin role is assigned to a Google Workspace user. An adversary ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -58,7 +58,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-deletion.asciidoc index 9009ffe597..26d2f1a43e 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-deletion.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-admin-role-deletion.asciidoc @@ -45,7 +45,7 @@ Detects when a custom admin role is deleted. An adversary may delete a custom ad ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -58,7 +58,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc index 52e4532439..ae43d5c0f5 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc @@ -45,7 +45,7 @@ Detects when a domain-wide delegation of authority is granted to a service accou ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -58,7 +58,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-custom-admin-role-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-custom-admin-role-created.asciidoc index 7431439452..fad40e72f5 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-custom-admin-role-created.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-custom-admin-role-created.asciidoc @@ -45,7 +45,7 @@ Detects when a custom admin role is created in Google Workspace. An adversary ma ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -58,7 +58,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-mfa-enforcement-disabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-mfa-enforcement-disabled.asciidoc index f14ea0f2b8..0490ff1bda 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-mfa-enforcement-disabled.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-mfa-enforcement-disabled.asciidoc @@ -45,7 +45,7 @@ Detects when multi-factor authentication (MFA) enforcement is disabled for Googl ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -58,7 +58,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-password-policy-modified.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-password-policy-modified.asciidoc index 5ccdcb0f3b..ab2455a0b7 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-password-policy-modified.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-password-policy-modified.asciidoc @@ -43,7 +43,7 @@ Detects when a Google Workspace password policy is modified. An adversary may at ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -56,7 +56,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-role-modified.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-role-modified.asciidoc index 55a1adce01..d175dd11b7 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-role-modified.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-google-workspace-role-modified.asciidoc @@ -45,7 +45,7 @@ Detects when a custom admin role or its permissions are modified. An adversary m ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -58,7 +58,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-mfa-disabled-for-google-workspace-organization.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-mfa-disabled-for-google-workspace-organization.asciidoc index 963fdc91d8..02b960b2c1 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-mfa-disabled-for-google-workspace-organization.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-1/prebuilt-rule-0-14-1-mfa-disabled-for-google-workspace-organization.asciidoc @@ -43,7 +43,7 @@ Detects when multi-factor authentication (MFA) is disabled for a Google Workspac ==== Investigation guide -[source, markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -56,7 +56,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/rule-details/application-added-to-google-workspace-domain.asciidoc b/docs/detections/prebuilt-rules/rule-details/application-added-to-google-workspace-domain.asciidoc index 7fa0cf37d8..dbffa09756 100644 --- a/docs/detections/prebuilt-rules/rule-details/application-added-to-google-workspace-domain.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/application-added-to-google-workspace-domain.asciidoc @@ -50,7 +50,7 @@ Applications can be added to a Google Workspace domain by system administrators. ==== Investigation guide -[source,markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -63,7 +63,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/domain-added-to-google-workspace-trusted-domains.asciidoc b/docs/detections/prebuilt-rules/rule-details/domain-added-to-google-workspace-trusted-domains.asciidoc index 79c8841d8c..4c919b3e32 100644 --- a/docs/detections/prebuilt-rules/rule-details/domain-added-to-google-workspace-trusted-domains.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/domain-added-to-google-workspace-trusted-domains.asciidoc @@ -50,7 +50,7 @@ Trusted domains may be added by system administrators. Verify that the configura ==== Investigation guide -[source,markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -63,7 +63,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-assigned-to-a-user.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-assigned-to-a-user.asciidoc index ccf4620318..4bedaea784 100644 --- a/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-assigned-to-a-user.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-assigned-to-a-user.asciidoc @@ -50,7 +50,7 @@ Google Workspace admin role assignments may be modified by system administrators ==== Investigation guide -[source,markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -63,7 +63,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-deletion.asciidoc index 3fd4e95c7f..d91226bf6b 100644 --- a/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-deletion.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-admin-role-deletion.asciidoc @@ -50,7 +50,7 @@ Google Workspace admin roles may be deleted by system administrators. Verify tha ==== Investigation guide -[source,markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -63,7 +63,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc index f8c7386a01..4db9c204d3 100644 --- a/docs/detections/prebuilt-rules/rule-details/google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc @@ -50,7 +50,7 @@ Domain-wide delegation of authority may be granted to service accounts by system ==== Investigation guide -[source,markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -63,7 +63,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-custom-admin-role-created.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-custom-admin-role-created.asciidoc index 54a59071fe..08a925a161 100644 --- a/docs/detections/prebuilt-rules/rule-details/google-workspace-custom-admin-role-created.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-custom-admin-role-created.asciidoc @@ -50,7 +50,7 @@ Custom Google Workspace admin roles may be created by system administrators. Ver ==== Investigation guide -[source,markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -63,7 +63,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-mfa-enforcement-disabled.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-mfa-enforcement-disabled.asciidoc index 7a57935ba7..17a28ceb87 100644 --- a/docs/detections/prebuilt-rules/rule-details/google-workspace-mfa-enforcement-disabled.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-mfa-enforcement-disabled.asciidoc @@ -50,7 +50,7 @@ MFA policies may be modified by system administrators. Verify that the configura ==== Investigation guide -[source,markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -63,7 +63,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-password-policy-modified.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-password-policy-modified.asciidoc index 352ef72467..3373ebe9d7 100644 --- a/docs/detections/prebuilt-rules/rule-details/google-workspace-password-policy-modified.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-password-policy-modified.asciidoc @@ -46,7 +46,7 @@ Password policies may be modified by system administrators. Verify that the conf ==== Investigation guide -[source,markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -59,7 +59,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-role-modified.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-role-modified.asciidoc index b96b34ce1a..ae61515a30 100644 --- a/docs/detections/prebuilt-rules/rule-details/google-workspace-role-modified.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-role-modified.asciidoc @@ -50,7 +50,7 @@ Google Workspace admin roles may be modified by system administrators. Verify th ==== Investigation guide -[source,markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -63,7 +63,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/mfa-disabled-for-google-workspace-organization.asciidoc b/docs/detections/prebuilt-rules/rule-details/mfa-disabled-for-google-workspace-organization.asciidoc index 05ffd02fbe..cc2d2bc1bb 100644 --- a/docs/detections/prebuilt-rules/rule-details/mfa-disabled-for-google-workspace-organization.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/mfa-disabled-for-google-workspace-organization.asciidoc @@ -46,7 +46,7 @@ MFA settings may be modified by system administrators. Verify that the configura ==== Investigation guide -[source,markdown] +[source, markdown, subs="attributes"] ---------------------------------- ## Config @@ -59,7 +59,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured - By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). - See the following references for further information: - https://support.google.com/a/answer/7061566 - - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-gsuite.html + - https://www.elastic.co/guide/en/beats/filebeat/{branch}/filebeat-module-google_workspace.html ----------------------------------