Expand Up @@ -2,51 +2,56 @@
creation_date = "2022/09/13"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2026/04/10"
updated_date = "2026/05/27"

[rule]
author = ["Elastic"]
description = """
Detects when a custom Gmail route is added or modified in Google Workspace. Adversaries can add a custom e-mail route
for outbound mail to route these e-mails to their own inbox of choice for data gathering. This allows adversaries to
capture sensitive information from e-mail and potential attachments, such as invoices or payment documents. By default,
all email from current Google Workspace users with accounts are routed through a domain's mail server for inbound and
outbound mail.
Detects when a Gmail routing, mail-forwarding, or custom mail-host setting is created or modified in Google Workspace.
Adversaries with administrative access can add Routing rules (also deliver to / change envelope recipient), recipient
address map forwarding, or mail hosts and outbound gateways to copy or redirect sensitive email for collection.
"""
false_positives = [
"""
Administrators may create custom email routes in Google Workspace based on organizational policies, administrative
preference or for security purposes regarding spam.
Administrators may create or change Gmail routing, dual-delivery, address maps, or mail hosts for migrations,
journaling, spam handling, or partner integrations.
""",
]
from = "now-130m"
index = ["filebeat-*", "logs-google_workspace*"]
from = "now-20m"
index = ["logs-google_workspace.admin-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "Google Workspace Custom Gmail Route Created or Modified"
name = "Google Workspace Gmail Routing or Forwarding Rule Created or Modified"
note = """## Triage and analysis

### Investigating Google Workspace Custom Gmail Route Created or Modified
### Investigating Google Workspace Gmail Routing or Forwarding Rule Created or Modified

Gmail is a popular cloud-based email service developed and managed by Google. Gmail is one of many services available for users with Google Workspace accounts.
Gmail administrators can change where mail is delivered using several Admin console areas under Apps > Google Workspace > Gmail:

Threat actors often send phishing emails containing malicious URL links or attachments to corporate Gmail accounts. Google Workspace identity relies on the corporate user Gmail account and if stolen, allows threat actors to further their intrusion efforts from valid user accounts.
- Routing — specialized rules (modify message, change route, also deliver to, change envelope recipient). Audit: `UNIFIED_MAIL_ROUTING` or `MESSAGE_SECURITY_RULE` (legacy); `google_workspace.admin.setting.metadata.rule.type` may repeat the legacy type on `RuleState` rows.
- Email forwarding using recipient address map — rewrite or forward by address mapping. Audit: `ALIAS_TABLE`.
- Hosts / Outbound gateway — custom SMTP routes. Audit: `EMAIL_ROUTE`.

This rule identifies the creation of a custom global Gmail route by an administrator from the Google Workspace admin console. Custom email routes could indicate an attempt to secretly forward sensitive emails to unintentional recipients.
Google may emit multiple admin audit events per single save (legacy `CREATE_GMAIL_SETTING`, new `CREATE_APPLICATION_SETTING`, rule body, and rule enabled state). Expect duplicate documents at the same `@timestamp`; correlate on `user.name`, `google_workspace.admin.USER_DEFINED_SETTING_NAME` (rule id), and `event.id`.

#### Possible investigation steps
### Possible investigation steps

- Identify the user account that created the custom email route and verify that they should have administrative privileges.
- Review the added recipients from the custom email route and confidentiality of potential email contents.
- Identify the user account, then review `event.action` values for related activity within the last 48 hours.
- If the Google Workspace license is Enterprise Plus or Education Plus, search for emails matching the route filters. To find the Gmail event logs, go to `Reporting > Audit and investigation > Gmail log events`.
- If existing emails have been sent and match the custom route criteria, review the sender and contents for malicious URL links and attachments.
- Identified URLs or attachments can be submitted to VirusTotal for reputational services.
- Identify the administrator (`user.name`, `user.email`) and confirm the change was authorized.
- In Admin console, review the rule matching `google_workspace.admin.USER_DEFINED_SETTING_NAME`:
- Routing (`UNIFIED_MAIL_ROUTING`, `MESSAGE_SECURITY_RULE`): Apps > Gmail > Routing
- Recipient address map (`ALIAS_TABLE`): Apps > Gmail > Default routing > Email forwarding using recipient address map
- Mail hosts / outbound gateway (`EMAIL_ROUTE`): Apps > Gmail > Hosts
- Map the alert to the admin area using `google_workspace.admin.setting.name` and `google_workspace.admin.setting.metadata.rule.type`
- Review whether the rule adds also deliver to, change envelope recipient, or routes to an external mail host or domain.
- Review related `event.action` values for the same administrator in the last 48 hours.
- If licensed for Gmail log events (BigQuery / Enterprise Plus), use Reporting > Audit and investigation > Gmail log events to confirm messages were delivered per the rule (`message_info.flattened_destinations`, `triggered_rule_info`).
- Submit suspicious URLs or attachments from affected mail to reputational services as needed.

### False positive analysis

- This rule searches for domain-wide custom email routes created in the admin console of Google Workspace. Administrators might create custom email routes to fulfill organizational requirements.
- Legitimate mail migrations, journaling, compliance archiving, and internal dual-delivery are common.
- Tune with exceptions for known administrator accounts, rule ids (`USER_DEFINED_SETTING_NAME`), or approved external domains.

### Response and remediation
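Review bot: two of the new investigation steps say the same thing: "Identify the user account, then review `event.action` values for related activity within the last 48 hours." near the top of the list and "Review related `event.action` values for the same administrator in the last 48 hours." further down; keep the second, which sits with the other administrator-focused steps, and drop the first. The sub-steps under "In Admin console, review the rule matching `google_workspace.admin.USER_DEFINED_SETTING_NAME`:" (the three Routing / Recipient address map / Mail hosts lines and "Map the alert to the admin area ...") appear at the same level as their parent bullet, at least in this rendering; indent them so the list reads as intended.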

Expand All @@ -66,16 +71,14 @@ This rule identifies the creation of a custom global Gmail route by an administr

## Setup

The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
The Google Workspace Fleet integration with the Admin data stream (`logs-google_workspace.admin-*`) is required for this rule.

### Important Information Regarding Google Workspace Event Lag Times
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
- This rule uses `timestamp_override = event.ingested` and is configured to run every 10 minutes with a lookback of 20 minutes, aligned with the integration's default Admin poll interval (`interval`: 15m) and lag time (`lag_time`: 3m).
- See the following references for further information:
- https://support.google.com/a/answer/7061566
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
- https://www.elastic.co/docs/reference/integrations/google_workspace"""
references = [
"https://support.google.com/a/answer/2685650?hl=en",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
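Review bot: the rationale in "- This rule uses `timestamp_override = event.ingested` and is configured to run every 10 minutes with a lookback of 20 minutes, aligned with the integration's default Admin poll interval (`interval`: 15m) and lag time (`lag_time`: 3m)." is misleading. With the ingest-time override, the window only has to cover the rule interval plus ingest latency and scheduling jitter; the integration's poll interval and lag time decide how late an event arrives, not whether a 20-minute ingest-time window catches it. Say instead that the 20m lookback gives 10m of overlap over the 10m interval, and that the up-to-3-day Google lag kept in the bullet above is tolerated precisely because of the `event.ingested` override. Hard-coding the integration defaults (15m, 3m) into the rule note also means they go stale silently; a pointer to the integration reference already listed below is enough.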
Expand All @@ -94,9 +97,35 @@ timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING")
and google_workspace.event.type:"EMAIL_SETTINGS" and google_workspace.admin.setting.name:("EMAIL_ROUTE" or "MESSAGE_SECURITY_RULE")
data_stream.dataset:"google_workspace.admin" and event.action:(
"CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING"
or "CREATE_APPLICATION_SETTING" or "CHANGE_APPLICATION_SETTING"
)
and (
google_workspace.admin.setting.name:(
"UNIFIED_MAIL_ROUTING"
or "ALIAS_TABLE"
or "EMAIL_ROUTE"
or "MESSAGE_SECURITY_RULE"
)
or google_workspace.admin.setting.metadata.rule.type:(
"UNIFIED_MAIL_ROUTING"
or "ALIAS_TABLE"
or "EMAIL_ROUTE"
)
)
'''
[rule.investigation_fields]
field_names = [
"source.ip",
"user.name",
"user.email",
"event.action",
"google_workspace.admin.org_unit.name",
"google_workspace.admin.setting.name",
"google_workspace.admin.setting.metadata.rule.type",
"google_workspace.admin.USER_DEFINED_SETTING_NAME",
]


[[rule.threat]]
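Review bot: the `google_workspace.admin.setting.metadata.rule.type` clause lists `UNIFIED_MAIL_ROUTING`, `ALIAS_TABLE` and `EMAIL_ROUTE` but omits `MESSAGE_SECURITY_RULE`, while the `setting.name` clause includes it and the triage note states that `rule.type` "may repeat the legacy type on `RuleState` rows". Either add `MESSAGE_SECURITY_RULE` to the `rule.type` list or record in the note why RuleState rows for legacy rules are intentionally out of scope. Dropping `google_workspace.event.type:"EMAIL_SETTINGS"` is required now that `CREATE_APPLICATION_SETTING` / `CHANGE_APPLICATION_SETTING` are matched, so the rule now keys entirely on these setting-name strings; the note's statement that one save can emit several documents at the same `@timestamp` also means one change will raise several alerts, which is worth a sentence in the Setup or note section for whoever tunes the rule.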
Expand All @@ -116,4 +145,3 @@ reference = "https://attack.mitre.org/techniques/T1114/003/"
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"

Expand Up @@ -2,7 +2,7 @@
creation_date = "2022/08/25"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2026/04/10"
updated_date = "2026/05/28"

[rule]
author = ["Elastic"]
Expand All @@ -19,7 +19,7 @@ false_positives = [
""",
]
from = "now-130m"
index = ["filebeat-*", "logs-google_workspace*"]
index = ["filebeat-*", "logs-google_workspace.admin-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
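Review bot: the index patterns are inconsistent across this PR. This rule (and the two that follow it) keeps `filebeat-*` next to `logs-google_workspace.admin-*`, while the Gmail routing rule earlier in the PR narrows `index` to `["logs-google_workspace.admin-*"]` only and rewrites its Setup text to require the Fleet Admin data stream. Pick one model for all four rules: if Filebeat module data is still supported, the routing rule should keep `filebeat-*` (and its Filebeat reference); if it is not, drop `filebeat-*` here too.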
Expand All @@ -36,14 +36,15 @@ Google clearly states that they are not responsible for any Marketplace product

This rule identifies a Marketplace blocklist update that consists of a Google Workspace account with administrative privileges manually removing a previously blocked application.

#### Possible investigation steps
### Possible investigation steps

- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.
- Review `google_workspace.admin.old_value` and `google_workspace.admin.new_value` to confirm the app moved from blocked to allowed and note the affected organizational unit (`google_workspace.admin.org_unit.name`).
- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.
- With access to the Google Workspace admin console, visit the `Security > Investigation` tool with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.
- After identifying the involved user account, review other potentially related events within the last 48 hours.
- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.
- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.
- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace apps > Apps list`.

### False positive analysis

Expand Down Expand Up @@ -98,12 +99,24 @@ timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change" and
data_stream.dataset:"google_workspace.admin" and
event.action:"CHANGE_APPLICATION_SETTING" and
google_workspace.admin.application.name:"Google Workspace Marketplace" and
google_workspace.admin.old_value: *allowed*false* and google_workspace.admin.new_value: *allowed*true*
'''

[rule.investigation_fields]
field_names = [
"source.ip",
"user.name",
"user.email",
"event.action",
"google_workspace.admin.org_unit.name",
"google_workspace.admin.setting.name",
"google_workspace.admin.old_value",
"google_workspace.admin.new_value",
]


[[rule.threat]]
framework = "MITRE ATT&CK"
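Review bot: `google_workspace.admin.old_value: *allowed*false*` and `google_workspace.admin.new_value: *allowed*true*` use leading wildcards, which are expensive on keyword fields and loose: any Marketplace application setting whose serialized value contains `allowed` followed by `true` matches, not only a blocklisted app flipping to allowed. If the blocklist change carries a stable `google_workspace.admin.setting.name` (the field is already listed in `investigation_fields`), filter on it as well, and quote the exact old/new value format in the note so the patterns can be checked against real events. Replacing `event.category:"iam" and event.type:"change"` with the specific `event.action` is fine.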
Expand Up @@ -2,7 +2,7 @@
creation_date = "2022/09/06"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2026/04/10"
updated_date = "2026/05/27"

[rule]
author = ["Elastic"]
Expand All @@ -19,7 +19,7 @@ false_positives = [
""",
]
from = "now-130m"
index = ["filebeat-*", "logs-google_workspace*"]
index = ["filebeat-*", "logs-google_workspace.admin-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
Expand All @@ -34,12 +34,13 @@ Disabling Bitlocker on an endpoint decrypts data at rest and makes it accessible

This rule identifies a user with administrative privileges and access to the admin console, disabling BitLocker for Windows endpoints.

#### Possible investigation steps
### Possible investigation steps

- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.
- Review `google_workspace.admin.org_unit.name`, `google_workspace.admin.setting.name`, and `google_workspace.admin.old_value` / `new_value` to confirm BitLocker was disabled and for which OU.
- After identifying the user, verify if the user should have administrative privileges to disable BitLocker on Windows endpoints.
- From the Google Workspace admin console, review `Reporting > Audit` and `Investigation > Device` logs, filtering on the user email identified from the alert.
- If a Google Workspace user logged into their account using a potentially compromised account, this will create an `Device sync event` event.
- Review Admin and Device logs, filtering on the user email identified from the alert.
- Confirm the policy change under `Devices` (Windows device management) or the relevant Chrome/Windows endpoint settings area for the affected OU.

### False positive analysis
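Review bot: "- Review Admin and Device logs, filtering on the user email identified from the alert." replaces a concrete console path (`Reporting > Audit` and `Investigation > Device`) with a vaguer instruction, while the Marketplace rule in this PR updates its path to the current console location. Give the current path here as well, in the same `Reporting > Audit and investigation > ... log events` form the routing rule uses, rather than dropping it. The removed bullet about the `Device sync event` is the only place the old text explained what a compromised login would look like in Device logs; if that hint is still valid, keep it in the new wording.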

Expand Down Expand Up @@ -93,10 +94,21 @@ timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration)
data_stream.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING"
and google_workspace.admin.new_value:"Disabled" and google_workspace.admin.setting.name:BitLocker*
'''

[rule.investigation_fields]
field_names = [
"source.ip",
"user.name",
"user.email",
"event.action",
"google_workspace.admin.org_unit.name",
"google_workspace.admin.setting.name",
"google_workspace.admin.old_value",
"google_workspace.admin.new_value",
]

[[rule.threat]]
framework = "MITRE ATT&CK"
Expand Up @@ -2,7 +2,7 @@
creation_date = "2022/08/25"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2026/04/10"
updated_date = "2026/05/28"

[rule]
author = ["Elastic"]
Expand All @@ -21,7 +21,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["filebeat-*", "logs-google_workspace*"]
index = ["filebeat-*", "logs-google_workspace.admin-*"]
language = "kuery"
license = "Elastic License v2"
name = "Google Workspace Restrictions for Marketplace Modified to Allow Any App"
Expand All @@ -37,9 +37,11 @@ Google clearly states that they are not responsible for any product on the Marke

This rule identifies when the global allow-all setting is enabled for Google Workspace Marketplace applications.

#### Possible investigation steps
### Possible investigation steps

- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.
- Confirm `google_workspace.admin.new_value` is `ALLOW_ALL` and review `google_workspace.admin.old_value` for the prior restriction.
- In the admin console, verify the change under `Apps > Google Workspace Marketplace apps` (global allowlist access setting).
- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.
- Search for `event.action` is `ADD_APPLICATION` to identify applications installed after these changes were made.
- The `google_workspace.admin.application.name` field will help identify what applications were added.
Expand All @@ -50,9 +52,8 @@ This rule identifies when the global allow-all setting is enabled for Google Wor
### False positive analysis

- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.
- Google Workspace administrators may intentionally add an application from the marketplace based on organizational needs.
- Follow up with the user who added the application to ensure this was intended.
- Verify the application identified has been assessed thoroughly by an administrator.
- Google Workspace administrators may intentionally enable allow-all marketplace access based on organizational needs.
- Follow up with the administrator who made the change to ensure this was intended.

### Response and remediation

Expand Down Expand Up @@ -100,11 +101,22 @@ timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration)
data_stream.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING"
and google_workspace.event.type:"APPLICATION_SETTINGS" and google_workspace.admin.application.name:"Google Workspace Marketplace"
and google_workspace.admin.setting.name:"Apps Access Setting Allowlist access" and google_workspace.admin.new_value:"ALLOW_ALL"
'''

[rule.investigation_fields]
field_names = [
"source.ip",
"user.name",
"user.email",
"event.action",
"google_workspace.admin.org_unit.name",
"google_workspace.admin.setting.name",
"google_workspace.admin.old_value",
"google_workspace.admin.new_value",
]

[[rule.threat]]
framework = "MITRE ATT&CK"