GWorkspaceActivityReports
| where isnotempty(DocTitle)
| where DocTitle contains "invoice" or DocTitle contains "payment" or DocTitle contains "order" or DocTitle contains "fax" or DocTitle contains "scan" or DocTitle contains "transfer" or DocTitle contains "report" or DocTitle contains "bill"
| extend FileCustomEntity = DocTitle, AccountCustomEntity = ActorEmail
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Analytic Rules/GWorkspacePossibleMaldocFileNamesInGDRIVE.yaml
queryFrequency: 1h
entityMappings:
- entityType: File
fieldMappings:
- columnName: FileCustomEntity
identifier: Name
- entityType: Account
fieldMappings:
- columnName: AccountCustomEntity
identifier: Name
requiredDataConnectors:
- dataTypes:
- GWorkspaceActivityReports
connectorId: GoogleWorkspaceReportsAPI
triggerOperator: gt
relevantTechniques:
- T1566
name: GWorkspace - Possible maldoc file name in Google drive
description: |
'Detects possible maldoc file name in Google drive.'
triggerThreshold: 0
kind: Scheduled
query: |
GWorkspaceActivityReports
| where isnotempty(DocTitle)
| where DocTitle contains "invoice" or DocTitle contains "payment" or DocTitle contains "order" or DocTitle contains "fax" or DocTitle contains "scan" or DocTitle contains "transfer" or DocTitle contains "report" or DocTitle contains "bill"
| extend FileCustomEntity = DocTitle, AccountCustomEntity = ActorEmail
tactics:
- InitialAccess
version: 1.0.1
queryPeriod: 1h
id: d80d02a8-5da6-11ec-bf63-0242ac130002
status: Available
