From a94951e44615e53e2be1a2d7be18b2c158d4e716 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Tue, 19 May 2026 17:41:12 -0400
Subject: [PATCH 1/3] [Rule Tuning] Forwarded Google Workspace Security Alert

- reduced execution interval ** we have a pending Integrations request to reduce the default lag ingest time from 2 hours to 3-5 minutes since the data is available near real time. Until that request is made we will keep the large look back window as is.
- replace `rule_name_override` with the ECS field `rule.name` which is derived from the original rule name field of the Security Rule. While in most cases the field we had `google_workspace.alert.type` was the same value, in some cases it is different showing that `rule.name` is the proper field for this.

Otherwise the rule is triggering as expected, including the severity_override fields
---
 .../google_workspace_alert_center_promotion.toml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml b/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml
index e35ab4594d8..a32ad280e0a 100644
--- a/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml
+++ b/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml
@@ -3,7 +3,7 @@ creation_date = "2023/01/15"
 integration = ["google_workspace"]
 maturity = "production"
 promotion = true
-updated_date = "2026/04/10"
+updated_date = "2026/05/19"
 
 [rule]
 author = ["Elastic"]
@@ -14,13 +14,13 @@ of a potential security issue that Google has detected.
 """
 false_positives = [
     """
-    To tune this rule, add exceptions to exclude any google_workspace.alert.type which should not trigger this rule.
+    To tune this rule, add exceptions to exclude any google_workspace.alert.type or rule.name which should not trigger this rule.
     """,
     "For additional tuning, severity exceptions for google_workspace.alert.metadata.severity can be added.",
 ]
 from = "now-130m"
 index = ["filebeat-*", "logs-google_workspace*"]
-interval = "10m"
+interval = "5m"
 language = "kuery"
 license = "Elastic License v2"
 name = "Forwarded Google Workspace Security Alert"
@@ -38,7 +38,7 @@ references = [
 ]
 risk_score = 73
 rule_id = "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc"
-rule_name_override = "google_workspace.alert.type"
+rule_name_override = "rule.name"
 severity = "high"
 tags = [
     "Domain: Cloud",

From 2234297d46767dee9ee39410dbd6663e84001849 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Fri, 22 May 2026 14:17:12 -0400
Subject: [PATCH 2/3] remove filebeat, revert rule_name_override

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
---
 .../google_workspace_alert_center_promotion.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml b/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml
index a32ad280e0a..7636dcb6787 100644
--- a/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml
+++ b/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml
@@ -19,7 +19,7 @@ false_positives = [
     "For additional tuning, severity exceptions for google_workspace.alert.metadata.severity can be added.",
 ]
 from = "now-130m"
-index = ["filebeat-*", "logs-google_workspace*"]
+index = ["logs-google_workspace*"]
 interval = "5m"
 language = "kuery"
 license = "Elastic License v2"
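Review bot: `interval = "5m"` next to the unchanged `from = "now-130m"` means every run re-queries about 130 minutes of events, so each event is evaluated by roughly 26 consecutive runs and duplicate alerts are avoided only because the detection engine presumably de-duplicates already-alerted source documents (the previous 10m/130m setting relied on the same mechanism, to a lesser degree). The reason the wide lookback has to stay — the integration's roughly two hour default ingest delay, per the commit message — exists only in the commit message, and the next tuner who sees a 5m interval beside a 130m lookback is likely to shrink `from` and silently reintroduce missed alerts. Record the dependency in the rule itself: add to the rule's `note` or `setup` text (whichever the file carries; neither is in this hunk) a sentence such as `The 130 minute lookback covers the Google Workspace integration's default ingest delay; shorten it only when that delay is reduced, not to match the run interval.` The added `or rule.name` wording in false_positives only makes sense while `rule_name_override` points at `rule.name`; keep the two in step if that override changes.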
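Review bot: Dropping `filebeat-*` from `index` ends coverage, without any error, for a deployment that still ships Google Workspace logs through the legacy Filebeat module rather than the Elastic Agent integration, and PATCH 3/3 narrows the pattern again to `logs-google_workspace.alert-*`, so the final rule reads only the integration's alert data stream. That is probably the intent — the rule is a promotion of Alert Center alerts, and the query, which is outside the hunk, presumably targets `google_workspace.alert.*` fields — but neither commit message says why, and a rule that quietly stops matching is a detection gap rather than a visible failure. State the supported data path in the rule's `setup` text if it has one (otherwise the description), e.g. `This rule evaluates only the logs-google_workspace.alert-* data stream written by the Google Workspace integration; alerts ingested through the legacy Filebeat module are not evaluated.`, and mention the narrowing in the PR description so operators can confirm their pipeline writes to that data stream.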
@@ -38,7 +38,7 @@ references = [
 ]
 risk_score = 73
 rule_id = "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc"
-rule_name_override = "rule.name"
+rule_name_override = "google_workspace.alert.type"
 severity = "high"
 tags = [
     "Domain: Cloud",

From 6f2784a49b0b277acdeaa78525ba0538c1dbd587 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Fri, 22 May 2026 16:25:09 -0400
Subject: [PATCH 3/3] specified .alert-* index

---
 .../google_workspace_alert_center_promotion.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml b/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml
index 7636dcb6787..c7115cd3961 100644
--- a/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml
+++ b/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml
@@ -19,7 +19,7 @@ false_positives = [
     "For additional tuning, severity exceptions for google_workspace.alert.metadata.severity can be added.",
 ]
 from = "now-130m"
-index = ["logs-google_workspace*"]
+index = ["logs-google_workspace.alert-*"]
 interval = "5m"
 language = "kuery"
 license = "Elastic License v2"
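Review bot: Reverting `rule_name_override` to `google_workspace.alert.type` leaves the false_positives sentence introduced by PATCH 1/3 (`... exclude any google_workspace.alert.type or rule.name which should not trigger this rule.`) in place, so the final file tells tuners to build exceptions on `rule.name` while alert names are once again derived from `google_workspace.alert.type`; that line is outside this hunk but belongs to the same series. Either restore the original wording, `To tune this rule, add exceptions to exclude any google_workspace.alert.type which should not trigger this rule.`, or keep the `rule.name` override — the two fields should agree. PATCH 1/3 argues in its message that `rule.name` is the more accurate field because it sometimes differs from `google_workspace.alert.type`, yet this revert gives no reason; if `rule.name` proved absent or unreliable on some events, say so in the commit message so the question is not reopened at the next tuning pass.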