GWorkspaceActivityReports
| where isnotempty(DocTitle)
| where DocTitle contains "invoice" or DocTitle contains "payment" or DocTitle contains "order" or DocTitle contains "fax" or DocTitle contains "scan" or DocTitle contains "transfer" or DocTitle contains "report" or DocTitle contains "bill"
| extend FileCustomEntity = DocTitle, AccountCustomEntity = ActorEmail
triggerThreshold: 0
version: 1.0.1
queryFrequency: 1h
severity: Medium
relevantTechniques:
- T1566
requiredDataConnectors:
- dataTypes:
- GWorkspaceActivityReports
connectorId: GoogleWorkspaceReportsAPI
description: |
'Detects possible maldoc file name in Google drive.'
triggerOperator: gt
query: |
GWorkspaceActivityReports
| where isnotempty(DocTitle)
| where DocTitle contains "invoice" or DocTitle contains "payment" or DocTitle contains "order" or DocTitle contains "fax" or DocTitle contains "scan" or DocTitle contains "transfer" or DocTitle contains "report" or DocTitle contains "bill"
| extend FileCustomEntity = DocTitle, AccountCustomEntity = ActorEmail
tactics:
- InitialAccess
status: Available
queryPeriod: 1h
kind: Scheduled
entityMappings:
- fieldMappings:
- identifier: Name
columnName: FileCustomEntity
entityType: File
- fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
entityType: Account
id: d80d02a8-5da6-11ec-bf63-0242ac130002
name: GWorkspace - Possible maldoc file name in Google drive
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Analytic Rules/GWorkspacePossibleMaldocFileNamesInGDRIVE.yaml
