Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

GWorkspace - Possible maldoc file name in Google drive

Back
Idd80d02a8-5da6-11ec-bf63-0242ac130002
RulenameGWorkspace - Possible maldoc file name in Google drive
DescriptionDetects possible maldoc file name in Google drive.
SeverityMedium
TacticsInitialAccess
TechniquesT1566
Required data connectorsGoogleWorkspaceReportsAPI
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Analytic Rules/GWorkspacePossibleMaldocFileNamesInGDRIVE.yaml
Version1.0.1
Arm templated80d02a8-5da6-11ec-bf63-0242ac130002.json
Deploy To Azure
GWorkspaceActivityReports
| where isnotempty(DocTitle)
| where DocTitle contains "invoice" or DocTitle contains "payment" or DocTitle contains "order" or DocTitle contains "fax" or DocTitle contains "scan" or DocTitle contains "transfer" or DocTitle contains "report" or DocTitle contains "bill"
| extend FileCustomEntity = DocTitle, AccountCustomEntity = ActorEmail
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Analytic Rules/GWorkspacePossibleMaldocFileNamesInGDRIVE.yaml
query: |
  GWorkspaceActivityReports
  | where isnotempty(DocTitle)
  | where DocTitle contains "invoice" or DocTitle contains "payment" or DocTitle contains "order" or DocTitle contains "fax" or DocTitle contains "scan" or DocTitle contains "transfer" or DocTitle contains "report" or DocTitle contains "bill"
  | extend FileCustomEntity = DocTitle, AccountCustomEntity = ActorEmail  
description: |
    'Detects possible maldoc file name in Google drive.'
severity: Medium
requiredDataConnectors:
- dataTypes:
  - GWorkspaceActivityReports
  connectorId: GoogleWorkspaceReportsAPI
name: GWorkspace - Possible maldoc file name in Google drive
triggerThreshold: 0
tactics:
- InitialAccess
version: 1.0.1
relevantTechniques:
- T1566
triggerOperator: gt
entityMappings:
- entityType: File
  fieldMappings:
  - columnName: FileCustomEntity
    identifier: Name
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
id: d80d02a8-5da6-11ec-bf63-0242ac130002
status: Available
kind: Scheduled
queryFrequency: 1h
queryPeriod: 1h
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d80d02a8-5da6-11ec-bf63-0242ac130002')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d80d02a8-5da6-11ec-bf63-0242ac130002')]",
      "properties": {
        "alertRuleTemplateName": "d80d02a8-5da6-11ec-bf63-0242ac130002",
        "customDetails": null,
        "description": "'Detects possible maldoc file name in Google drive.'\n",
        "displayName": "GWorkspace - Possible maldoc file name in Google drive",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "FileCustomEntity",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Analytic Rules/GWorkspacePossibleMaldocFileNamesInGDRIVE.yaml",
        "query": "GWorkspaceActivityReports\n| where isnotempty(DocTitle)\n| where DocTitle contains \"invoice\" or DocTitle contains \"payment\" or DocTitle contains \"order\" or DocTitle contains \"fax\" or DocTitle contains \"scan\" or DocTitle contains \"transfer\" or DocTitle contains \"report\" or DocTitle contains \"bill\"\n| extend FileCustomEntity = DocTitle, AccountCustomEntity = ActorEmail\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}