GWorkspaceActivityReports
| where isnotempty(DocTitle)
| where DocTitle contains "invoice" or DocTitle contains "payment" or DocTitle contains "order" or DocTitle contains "fax" or DocTitle contains "scan" or DocTitle contains "transfer" or DocTitle contains "report" or DocTitle contains "bill"
| extend FileCustomEntity = DocTitle, AccountCustomEntity = ActorEmail
status: Available
id: d80d02a8-5da6-11ec-bf63-0242ac130002
query: |
GWorkspaceActivityReports
| where isnotempty(DocTitle)
| where DocTitle contains "invoice" or DocTitle contains "payment" or DocTitle contains "order" or DocTitle contains "fax" or DocTitle contains "scan" or DocTitle contains "transfer" or DocTitle contains "report" or DocTitle contains "bill"
| extend FileCustomEntity = DocTitle, AccountCustomEntity = ActorEmail
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Analytic Rules/GWorkspacePossibleMaldocFileNamesInGDRIVE.yaml
description: |
'Detects possible maldoc file name in Google drive.'
name: GWorkspace - Possible maldoc file name in Google drive
relevantTechniques:
- T1566
entityMappings:
- entityType: File
fieldMappings:
- identifier: Name
columnName: FileCustomEntity
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
triggerThreshold: 0
severity: Medium
requiredDataConnectors:
- dataTypes:
- GWorkspaceActivityReports
connectorId: GoogleWorkspaceReportsAPI
queryFrequency: 1h
queryPeriod: 1h
version: 1.0.1
kind: Scheduled
tactics:
- InitialAccess
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d80d02a8-5da6-11ec-bf63-0242ac130002')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d80d02a8-5da6-11ec-bf63-0242ac130002')]",
"properties": {
"alertRuleTemplateName": "d80d02a8-5da6-11ec-bf63-0242ac130002",
"customDetails": null,
"description": "'Detects possible maldoc file name in Google drive.'\n",
"displayName": "GWorkspace - Possible maldoc file name in Google drive",
"enabled": true,
"entityMappings": [
{
"entityType": "File",
"fieldMappings": [
{
"columnName": "FileCustomEntity",
"identifier": "Name"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Analytic Rules/GWorkspacePossibleMaldocFileNamesInGDRIVE.yaml",
"query": "GWorkspaceActivityReports\n| where isnotempty(DocTitle)\n| where DocTitle contains \"invoice\" or DocTitle contains \"payment\" or DocTitle contains \"order\" or DocTitle contains \"fax\" or DocTitle contains \"scan\" or DocTitle contains \"transfer\" or DocTitle contains \"report\" or DocTitle contains \"bill\"\n| extend FileCustomEntity = DocTitle, AccountCustomEntity = ActorEmail\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"techniques": [
"T1566"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}