GWorkspaceActivityReports
// Keep only rows with a document title containing one of the lure-style words.
// `contains` is a case-insensitive substring match, so the short terms
// ("order", "bill", "scan", "report") also hit longer words such as "border"
// or "billing"; the list is a heuristic and will need per-tenant tuning.
| where isnotempty(DocTitle)
    and (DocTitle contains "invoice"
        or DocTitle contains "payment"
        or DocTitle contains "order"
        or DocTitle contains "fax"
        or DocTitle contains "scan"
        or DocTitle contains "transfer"
        or DocTitle contains "report"
        or DocTitle contains "bill")
// Expose the title and the acting user under the column names the
// rule's entity mappings read (File.Name and Account.Name).
| extend FileCustomEntity = DocTitle
| extend AccountCustomEntity = ActorEmail
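# Microsoft Sentinel scheduled analytic rule: flags Google Drive activity whose
# document title contains a word commonly used in lure / maldoc file names.
# Nesting below is restored to the structure the rule schema expects
# (entityMappings and requiredDataConnectors are sequences of mappings,
# query and description are block scalars).
severity: Medium
queryPeriod: 1h
name: GWorkspace - Possible maldoc file name in Google drive
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Analytic Rules/GWorkspacePossibleMaldocFileNamesInGDRIVE.yaml
# Both mappings use the Name identifier: the File entity is the raw DocTitle
# and the Account entity is the raw ActorEmail exposed by the query below.
entityMappings:
  - fieldMappings:
      - columnName: FileCustomEntity
        identifier: Name
    entityType: File
  - fieldMappings:
      - columnName: AccountCustomEntity
        identifier: Name
    entityType: Account
version: 1.0.1
relevantTechniques:
  - T1566
status: Available
id: d80d02a8-5da6-11ec-bf63-0242ac130002
queryFrequency: 1h
# gt 0: a single matching row in the 1h lookback raises an alert.
triggerThreshold: 0
triggerOperator: gt
# `contains` is a case-insensitive substring match, so the short terms
# ("order", "bill", "scan", "report") also match titles such as "border",
# "billing" or "quarterly report"; expect to tune the word list per tenant.
# The query does not filter on event/activity type. NOTE(review): if the
# connector writes view and share events into this table as well, those rows
# fire too — confirm against the connector's schema.
query: |
  GWorkspaceActivityReports
  | where isnotempty(DocTitle)
  | where DocTitle contains "invoice" or DocTitle contains "payment" or DocTitle contains "order" or DocTitle contains "fax" or DocTitle contains "scan" or DocTitle contains "transfer" or DocTitle contains "report" or DocTitle contains "bill"
  | extend FileCustomEntity = DocTitle, AccountCustomEntity = ActorEmail
# NOTE(review): the single quotes on the next line sit inside the block scalar
# and therefore become part of the rendered description text.
description: |
  'Detects possible maldoc file name in Google drive.'
requiredDataConnectors:
  - connectorId: GoogleWorkspaceReportsAPI
    dataTypes:
      - GWorkspaceActivityReports
tactics:
  - InitialAccess
kind: Scheduled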