// Google Drive activity whose document title carries a lure word typical of
// malicious-document (maldoc) phishing campaigns.
// `contains` is a case-insensitive substring match, so short words such as
// "order", "bill" or "scan" also hit titles like "border", "billboard" or
// "scanner" — expect noise and tune per tenant (whole-term matching via
// `has_any` is one option if substring hits dominate).
// No time filter here: the scheduled rule's queryPeriod bounds the lookback.
GWorkspaceActivityReports
// Keep only rows that actually carry a document title.
| where isnotempty(DocTitle)
// One clause per lure word; any single match keeps the row.
| where DocTitle contains "invoice"
    or DocTitle contains "payment"
    or DocTitle contains "order"
    or DocTitle contains "fax"
    or DocTitle contains "scan"
    or DocTitle contains "transfer"
    or DocTitle contains "report"
    or DocTitle contains "bill"
// Surface the title and the acting account for the File / Account entity mappings.
| extend FileCustomEntity = DocTitle
| extend AccountCustomEntity = ActorEmail
name: GWorkspace - Possible maldoc file name in Google drive
kind: Scheduled
tactics:
- InitialAccess
triggerThreshold: 0
triggerOperator: gt
version: 1.0.1
status: Available
queryFrequency: 1h
id: d80d02a8-5da6-11ec-bf63-0242ac130002
requiredDataConnectors:
- connectorId: GoogleWorkspaceReportsAPI
dataTypes:
- GWorkspaceActivityReports
relevantTechniques:
- T1566
description: |
'Detects document titles in Google Drive that contain file-name keywords commonly used for malicious documents (maldocs).'
entityMappings:
- entityType: File
fieldMappings:
- columnName: FileCustomEntity
identifier: Name
- entityType: Account
fieldMappings:
- columnName: AccountCustomEntity
identifier: Name
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Analytic Rules/GWorkspacePossibleMaldocFileNamesInGDRIVE.yaml
queryPeriod: 1h
severity: Medium
query: |
// Google Drive activity whose document title carries a lure word typical of
// malicious-document (maldoc) phishing campaigns.
// `contains` is a case-insensitive substring match, so short words such as
// "order", "bill" or "scan" also hit titles like "border", "billboard" or
// "scanner" — expect noise and tune per tenant (whole-term matching via
// `has_any` is one option if substring hits dominate).
// No time filter here: the scheduled rule's queryPeriod bounds the lookback.
GWorkspaceActivityReports
// Keep only rows that actually carry a document title.
| where isnotempty(DocTitle)
// One clause per lure word; any single match keeps the row.
| where DocTitle contains "invoice"
    or DocTitle contains "payment"
    or DocTitle contains "order"
    or DocTitle contains "fax"
    or DocTitle contains "scan"
    or DocTitle contains "transfer"
    or DocTitle contains "report"
    or DocTitle contains "bill"
// Surface the title and the acting account for the File / Account entity mappings.
| extend FileCustomEntity = DocTitle
| extend AccountCustomEntity = ActorEmail