[GSuite] Rename module to Google Workspace #22427

Closed
jamiehynds opened this issue Nov 4, 2020 · 12 comments · Fixed by #22950
jamiehynds commented Nov 4, 2020

Google recently rebranded G Suite to 'Google Workspace' and we need to reflect this change in our Filebeat module and associated docs.

@threat-punter is building detection rules for G Suite, so will need to make sure he's kept in the loop on our rename to Workspace.

We'll also need to ensure the correct logo is used when we create a package: https://lh3.googleusercontent.com/sYGCKFdty43En6yLGeV94mfNGHXfVj-bQYitHRndarB7tHmQq_kyVxhlPejeCBVEEYUbnKG2_jUzgNXoPoer6XJm71V3uz2Z6q0CmNw=w0

@elasticmachine
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@jamiehynds
Author

FYI @marc-gr

@marc-gr marc-gr self-assigned this Nov 5, 2020
@threat-punter

Thanks for the heads up @jamiehynds. I used the "Google Workspace" term in all of our new rules.

One thing that I'll need to do if we have a Fleet Integration is to add that index pattern to our rules.

@jamiehynds
Author

@threat-punter I noticed the new rules all reference event.dataset:gsuite.admin - do you have a preference towards keeping the module's dataset as gsuite? We were thinking of updating to workspace to ensure we're in line with the rebrand.

We're probably going to encounter a similar issue with O365 to M365 too: elastic/detection-rules#668

@threat-punter

Ah, good point @jamiehynds. I'm on board with renaming it to the new name and I can take care of modifying the rules when the time comes.

@threat-punter

Will events indexed by the Google Workspace module still have the event.dataset value of gsuite.admin? I'm not sure if this change will be made by us or Google. If it changes, will need to update our detection rules accordingly.

@marc-gr
Contributor

marc-gr commented Dec 16, 2020

> Will events indexed by the Google Workspace module still have the event.dataset value of gsuite.admin? I'm not sure if this change will be made by us or Google. If it changes, will need to update our detection rules accordingly.

We duplicated the module so events that are still using a previously configured Gsuite module will get gsuite.admin as before. If someone configures the new Google Workspace one they will get google_workspace.admin then, since this is set by filebeat based on the module name+fileset iirc. Hope that answers your question 👍

@jamiehynds
Author

@marc-gr am I correct in saying that the detection rules should be updated so that 'event.dataset: gsuite.admin OR google_workspace.admin'? That would then provide coverage regardless of which module the user is running?

@marc-gr
Contributor

marc-gr commented Dec 16, 2020

> @marc-gr am I correct in saying that the detection rules should be updated so that 'event.dataset: gsuite.admin OR google_workspace.admin'? That would then provide coverage regardless of which module the user is running?

That is correct 👍

@threat-punter

Thanks @jamiehynds and @marc-gr. I'll open a PR to amend our detection rules.

@threat-punter

I added the above changes to @bm11100's PR here: elastic/detection-rules#729
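
The coverage question raised in this thread can be checked mechanically. The script below is an added example, not part of the issue or of the detection-rules repository: it audits rule queries for an event.dataset match on only one of the two module prefixes and widens them to cover both. It assumes rules are KQL query strings; the rule names, the EXAMPLE_ACTION value and the sample queries are constructed.

```python
import re

OLD, NEW = "gsuite", "google_workspace"  # module prefixes named in the thread

# event.dataset:<value> or the grouped form event.dataset:(<value> or <value>)
FIELD_RE = re.compile(r'event\.dataset\s*:\s*(\([^)]*\)|"?[\w.]+"?)')
VALUE_RE = re.compile(r'\b(gsuite|google_workspace)\.(\w+)')
# A single (ungrouped) dataset value, optionally quoted
SINGLE_RE = re.compile(r'(event\.dataset\s*:\s*)"?(?:gsuite|google_workspace)\.(\w+)"?')

def dataset_values(query):
    """Return {(module, fileset)} pairs the query matches via event.dataset."""
    found = set()
    for m in FIELD_RE.finditer(query):
        found.update(VALUE_RE.findall(m.group(1)))
    return found

def missing_datasets(query):
    """List datasets the query should also match to cover both modules."""
    seen = dataset_values(query)
    filesets = {fileset for _, fileset in seen}
    return sorted(f"{mod}.{fs}" for fs in filesets
                  for mod in (OLD, NEW) if (mod, fs) not in seen)

def widen(query):
    """Rewrite a single-dataset match so it covers the old and new module."""
    def both(m):
        return f"{m.group(1)}({OLD}.{m.group(2)} or {NEW}.{m.group(2)})"
    return SINGLE_RE.sub(both, query)

def audit(rules):
    """Map rule name -> missing datasets, for rules with a coverage gap."""
    return {name: gaps for name, q in rules.items()
            if (gaps := missing_datasets(q))}

# Constructed sample rules (hypothetical names and actions).
SAMPLE_RULES = {
    "old_only": "event.dataset:gsuite.admin and event.action:EXAMPLE_ACTION",
    "both": "event.dataset:(gsuite.admin or google_workspace.admin) "
            "and event.action:EXAMPLE_ACTION",
    "new_only": 'event.dataset:"google_workspace.admin"',
}

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_RULES).items():
        print(f"{name}: add {', '.join(gaps)}")
        print(f"  -> {widen(SAMPLE_RULES[name])}")
```
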
