// Scheduled detection: surfaces Google Drive activity on documents whose title
// resembles a common phishing / maldoc lure (the rule metadata maps it to T1566).
GWorkspaceActivityReports
// Skip events that carry no document title, since the title is the only thing matched.
| where isnotempty(DocTitle)
// KQL `contains` is a case-insensitive substring test, so titles such as
// "reorder", "billing" or "reporting" also match the short generic terms below --
// expect a noisy result set and tune the list to the tenant's naming habits.
| where DocTitle contains "invoice" or DocTitle contains "payment" or DocTitle contains "order" or DocTitle contains "fax" or DocTitle contains "scan" or DocTitle contains "transfer" or DocTitle contains "report" or DocTitle contains "bill"
// NOTE(review): nothing here narrows the activity type, so any logged action on a
// matching title (including a user's own edits) triggers -- confirm whether scoping
// to the activity kinds that indicate a newly introduced or shared file is intended.
// Expose the title and the acting user as the File / Account entities that the
// rule's entityMappings reference.
| extend FileCustomEntity = DocTitle, AccountCustomEntity = ActorEmail
status: Available
queryFrequency: 1h
id: d80d02a8-5da6-11ec-bf63-0242ac130002
tactics:
- InitialAccess
entityMappings:
- fieldMappings:
- columnName: FileCustomEntity
identifier: Name
entityType: File
- fieldMappings:
- columnName: AccountCustomEntity
identifier: Name
entityType: Account
requiredDataConnectors:
- connectorId: GoogleWorkspaceReportsAPI
dataTypes:
- GWorkspaceActivityReports
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Analytic Rules/GWorkspacePossibleMaldocFileNamesInGDRIVE.yaml
version: 1.0.1
query: |
// Scheduled detection: surfaces Google Drive activity on documents whose title
// resembles a common phishing / maldoc lure (the rule metadata maps it to T1566).
GWorkspaceActivityReports
// Skip events that carry no document title, since the title is the only thing matched.
| where isnotempty(DocTitle)
// KQL `contains` is a case-insensitive substring test, so titles such as
// "reorder", "billing" or "reporting" also match the short generic terms below --
// expect a noisy result set and tune the list to the tenant's naming habits.
| where DocTitle contains "invoice" or DocTitle contains "payment" or DocTitle contains "order" or DocTitle contains "fax" or DocTitle contains "scan" or DocTitle contains "transfer" or DocTitle contains "report" or DocTitle contains "bill"
// NOTE(review): nothing here narrows the activity type, so any logged action on a
// matching title (including a user's own edits) triggers -- confirm whether scoping
// to the activity kinds that indicate a newly introduced or shared file is intended.
// Expose the title and the acting user as the File / Account entities that the
// rule's entityMappings reference.
| extend FileCustomEntity = DocTitle, AccountCustomEntity = ActorEmail
description: |
'Detects possible malicious document (maldoc) file names in Google Drive.'
relevantTechniques:
- T1566
triggerThreshold: 0
queryPeriod: 1h
triggerOperator: gt
name: GWorkspace - Possible maldoc file name in Google drive
severity: Medium
kind: Scheduled