GWorkspaceActivityReports
| where isnotempty(DocTitle)
| where DocTitle contains "invoice" or DocTitle contains "payment" or DocTitle contains "order" or DocTitle contains "fax" or DocTitle contains "scan" or DocTitle contains "transfer" or DocTitle contains "report" or DocTitle contains "bill"
| extend FileCustomEntity = DocTitle, AccountCustomEntity = ActorEmail
relevantTechniques:
- T1566
queryPeriod: 1h
tactics:
- InitialAccess
requiredDataConnectors:
- dataTypes:
- GWorkspaceActivityReports
connectorId: GoogleWorkspaceReportsAPI
triggerThreshold: 0
entityMappings:
- fieldMappings:
- identifier: Name
columnName: FileCustomEntity
entityType: File
- fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
entityType: Account
name: GWorkspace - Possible maldoc file name in Google drive
status: Available
query: |
GWorkspaceActivityReports
| where isnotempty(DocTitle)
| where DocTitle contains "invoice" or DocTitle contains "payment" or DocTitle contains "order" or DocTitle contains "fax" or DocTitle contains "scan" or DocTitle contains "transfer" or DocTitle contains "report" or DocTitle contains "bill"
| extend FileCustomEntity = DocTitle, AccountCustomEntity = ActorEmail
queryFrequency: 1h
id: d80d02a8-5da6-11ec-bf63-0242ac130002
severity: Medium
description: |
'Detects possible maldoc file name in Google drive.'
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Analytic Rules/GWorkspacePossibleMaldocFileNamesInGDRIVE.yaml
kind: Scheduled
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d80d02a8-5da6-11ec-bf63-0242ac130002')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d80d02a8-5da6-11ec-bf63-0242ac130002')]",
"properties": {
"alertRuleTemplateName": "d80d02a8-5da6-11ec-bf63-0242ac130002",
"customDetails": null,
"description": "'Detects possible maldoc file name in Google drive.'\n",
"displayName": "GWorkspace - Possible maldoc file name in Google drive",
"enabled": true,
"entityMappings": [
{
"entityType": "File",
"fieldMappings": [
{
"columnName": "FileCustomEntity",
"identifier": "Name"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Analytic Rules/GWorkspacePossibleMaldocFileNamesInGDRIVE.yaml",
"query": "GWorkspaceActivityReports\n| where isnotempty(DocTitle)\n| where DocTitle contains \"invoice\" or DocTitle contains \"payment\" or DocTitle contains \"order\" or DocTitle contains \"fax\" or DocTitle contains \"scan\" or DocTitle contains \"transfer\" or DocTitle contains \"report\" or DocTitle contains \"bill\"\n| extend FileCustomEntity = DocTitle, AccountCustomEntity = ActorEmail\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"techniques": [
"T1566"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}