GWorkspaceActivityReports
| where isnotempty(DocTitle)
| where DocTitle contains "invoice" or DocTitle contains "payment" or DocTitle contains "order" or DocTitle contains "fax" or DocTitle contains "scan" or DocTitle contains "transfer" or DocTitle contains "report" or DocTitle contains "bill"
| extend FileCustomEntity = DocTitle, AccountCustomEntity = ActorEmail
relevantTechniques:
- T1566
name: GWorkspace - Possible maldoc file name in Google drive
queryFrequency: 1h
version: 1.0.1
triggerThreshold: 0
severity: Medium
requiredDataConnectors:
- connectorId: GoogleWorkspaceReportsAPI
dataTypes:
- GWorkspaceActivityReports
tactics:
- InitialAccess
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Analytic Rules/GWorkspacePossibleMaldocFileNamesInGDRIVE.yaml
query: |
GWorkspaceActivityReports
| where isnotempty(DocTitle)
| where DocTitle contains "invoice" or DocTitle contains "payment" or DocTitle contains "order" or DocTitle contains "fax" or DocTitle contains "scan" or DocTitle contains "transfer" or DocTitle contains "report" or DocTitle contains "bill"
| extend FileCustomEntity = DocTitle, AccountCustomEntity = ActorEmail
kind: Scheduled
entityMappings:
- fieldMappings:
- columnName: FileCustomEntity
identifier: Name
entityType: File
- fieldMappings:
- columnName: AccountCustomEntity
identifier: Name
entityType: Account
queryPeriod: 1h
triggerOperator: gt
id: d80d02a8-5da6-11ec-bf63-0242ac130002
status: Available
description: |
'Detects possible maldoc file name in Google drive.'
