elastic · imays11 · May 22, 2026
diff --git a/...ations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml b/...ations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/02/16"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/05/22"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
     """,
 ]
 from = "now-130m"
-index = ["filebeat-*", "logs-google_workspace*"]
+index = ["filebeat-*", "logs-google_workspace.admin-*"]
 interval = "10m"
 language = "eql"
 license = "Elastic License v2"
@@ -33,7 +33,7 @@ Threat actors may use phishing techniques and container-bound scripts to add ext
 
 This rule identifies when an external user account is added to an organization's groups where the domain name of the target does not match the Google Workspace domain.
 
-#### Possible investigation steps
+### Possible investigation steps
 - Identify user account(s) associated by reviewing `user.name` or `user.email` in the alert
   - The `user.target.email` field contains the user added to the groups
   - The `group.name` field contains the group the target user was added to
@@ -81,7 +81,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 references = [
     "https://support.google.com/a/answer/33329",
     "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
-    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two",
 ]
 risk_score = 47
 rule_id = "38f384e0-aef8-11ed-9a38-f661ea17fbcc"
@@ -91,44 +91,58 @@ tags = [
     "Data Source: Google Workspace",
     "Use Case: Identity and Access Audit",
     "Tactic: Initial Access",
+    "Tactic: Persistence",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-iam where data_stream.dataset == "google_workspace.admin" and event.action == "ADD_GROUP_MEMBER" and
-  not endsWith(user.target.email, user.target.group.domain)
+iam where data_stream.dataset == "google_workspace.admin" and google_workspace.event.type: "GROUP_SETTINGS" and event.action == "ADD_GROUP_MEMBER" and
+  not endsWith(user.target.domain, user.target.group.domain)
 '''
 
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
 
+
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
 
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user.email",
+    "source.ip",
+    "google_workspace.actor.type",
+    "user.target.email",
+    "google_workspace.admin.group.email",
+    "event.action",
+    "cloud.account.id",
+]
+
diff --git a/...integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml b/...integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/05/22"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
     """,
 ]
 from = "now-130m"
-index = ["filebeat-*", "logs-google_workspace*"]
+index = ["filebeat-*", "logs-google_workspace.admin-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -72,7 +72,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 references = [
     "https://support.google.com/a/answer/1110339",
     "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
-    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two",
 ]
 risk_score = 21
 rule_id = "00678712-b2df-11ed-afe9-f661ea17fbcc"
@@ -82,53 +82,66 @@ tags = [
     "Data Source: Google Workspace",
     "Use Case: Identity and Access Audit",
     "Tactic: Initial Access",
+    "Tactic: Persistence",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-data_stream.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER
+data_stream.dataset: google_workspace.admin and google_workspace.event.type: "USER_SETTINGS" and event.action: "UNSUSPEND_USER"
 '''
 
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
 
+
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
 
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
 
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user.email",
+    "source.ip",
+    "google_workspace.actor.type",
+    "user.target.email",
+    "event.action",
+    "cloud.account.id",
+]
+
diff --git a/...tions/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml b/...tions/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/06"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/05/22"
 
 [rule]
 author = ["Elastic"]
@@ -14,12 +14,12 @@ applications and resources inaccessible prior to.
 """
 false_positives = [
     """
-    Google Workspace administrators may adjust change which organizational unit a user belongs to as a result of
-    internal role adjustments.
+    Google Workspace administrators may change which organizational unit a user belongs to as a result of internal role
+    adjustments.
     """,
 ]
 from = "now-130m"
-index = ["filebeat-*", "logs-google_workspace*"]
+index = ["filebeat-*", "logs-google_workspace.admin-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
@@ -34,7 +34,7 @@ Permissions and privileges for users are often inherited from the organizational
 
 This rule identifies when a user has been moved to a different organizational unit.
 
-#### Possible investigation steps
+### Possible investigation steps
 
 - Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.
   - The `user.target.email` field contains the user that had their assigned organizational unit switched.
@@ -83,7 +83,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 references = [
     "https://support.google.com/a/answer/6328701?hl=en#",
     "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
-    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two",
 ]
 risk_score = 21
 rule_id = "cc6a8a20-2df2-11ed-8378-f661ea17fbce"
@@ -93,49 +93,63 @@ tags = [
     "Data Source: Google Workspace",
     "Use Case: Configuration Audit",
     "Tactic: Persistence",
+    "Tactic: Privilege Escalation",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-data_stream.dataset:"google_workspace.admin" and event.type:change and event.category:iam
-    and google_workspace.event.type:"USER_SETTINGS" and event.action:"MOVE_USER_TO_ORG_UNIT"
+data_stream.dataset:"google_workspace.admin" and google_workspace.event.type:"USER_SETTINGS" and event.action:"MOVE_USER_TO_ORG_UNIT"
 '''
 
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
 
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
 
+
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user.email",
+    "source.ip",
+    "google_workspace.actor.type",
+    "user.target.email",
+    "google_workspace.admin.org_unit.name",
+    "google_workspace.admin.new_value",
+    "event.action",
+    "cloud.account.id",
+]
+