Open brokensound77 opened 6 days ago
https://github.com/elastic/detection-rules/blob/51859e57f3e55b0478056c3be6ee27ea9154a70a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml#L87
False Negatives - Enhancing detection of true threats that were previously missed.
Tune event.action to include GROUP_MEMBER_BULK_UPLOAD in addition to the existing ADD_GROUP_MEMBER
event.action
GROUP_MEMBER_BULK_UPLOAD
ADD_GROUP_MEMBER
No response
Link to Rule
https://github.com/elastic/detection-rules/blob/51859e57f3e55b0478056c3be6ee27ea9154a70a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml#L87
Rule Tuning Type
False Negatives - Enhancing detection of true threats that were previously missed.
Description
Tune
event.actionto includeGROUP_MEMBER_BULK_UPLOADin addition to the existingADD_GROUP_MEMBERExample Data
No response