[Rule Tuning] Forwarded Google Workspace Security Alert

[imays11]

Pull Request

Issue link(s):

• https://github.com/elastic/ia-trade-team/issues/905

Summary - What I changed

• reduced execution interval
  we have a pending Integrations request to reduce the default lag ingest time from 2 hours to 3-5 minutes since the data is available near real time. Until that request is made we will keep the large look back window as is.

• removed filebeat index as it does not seem to be a supported data stream

• specified .alert-* index

Otherwise the rule is triggering as expected, including the severity_override fields. The high volume in telemetry should be adjusted via customer exclusions as this rule is simply meant to surface existing alerts within customer GWS enviroment. Suggestions are included for exclusions.

Alerts in alert Center

Alerts in Kibana

How To Test

I manually tested this rule by creating, suspending, and deleting a new user.

[github-actions]

Rule: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing rule.

Documentation and Context

• Detailed description of the suggested changes.
• Provide example JSON data or screenshots.
• Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
• Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
• Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
• Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
• Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
• Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
• Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
• Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
• Provide evidence of improving quality integrity of our data used by detection rules (Data Quality).
• Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

• updated_date matches the date of tuning PR merged.
• min_stack_version should support the widest stack versions.
• name and description should be descriptive and not include typos.
• query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

• Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
• Ensure that the tuned rule has a low false positive rate.

[imays11]

After further testing of different rule types, it seems rule.name is not as consistently populated as google_workspace.alert.type. The screenshot below shows the event.original for different alerts and you can see 2 of them are not populating the necessary fields for rule.name, unsure of why but google_workspace.alert.type is populating for those rules so I'm going to revert back to using this field.

I've also removed filebeat index as I don't see this datastream supported via filebeat and specified the .alert-* index

cc @bryans3c and @w0rk3r if you'd like to re-review