// Flags Google Workspace activity-report events whose document title contains a
// lure-style word (invoice, payment, ...) frequently used for malicious attachments.
GWorkspaceActivityReports
// Drop events with no title so the substring checks below have something to match on.
| where isnotempty(DocTitle)
// KQL `contains` is a case-insensitive substring match: "order" also hits "border"
// and "recorder", "scan" hits "scanner", "bill" hits "billing". Expect benign noise
// and tune the word list (or move it to a watchlist) for the tenant.
| where DocTitle contains "invoice" or DocTitle contains "payment" or DocTitle contains "order" or DocTitle contains "fax" or DocTitle contains "scan" or DocTitle contains "transfer" or DocTitle contains "report" or DocTitle contains "bill"
// Expose the title and the acting user under the column names the rule's
// entityMappings bind to the File and Account entities.
| extend FileCustomEntity = DocTitle, AccountCustomEntity = ActorEmail
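---
# Microsoft Sentinel scheduled analytic rule (Google Workspace Reports solution).
# Indentation was lost in the original paste, which silently breaks the `query`
# and `description` block scalars and the nested `dataTypes` list; the structure
# below matches what the generated ARM template actually deploys.
id: d80d02a8-5da6-11ec-bf63-0242ac130002
name: GWorkspace - Possible maldoc file name in Google drive
# NOTE: the surrounding single quotes are part of the value (the ARM rendering
# carries "'Detects ...'\n"); keep them unless downstream consumers are updated.
description: |
  'Detects possible maldoc file name in Google drive.'
severity: Medium
requiredDataConnectors:
  - connectorId: GoogleWorkspaceReportsAPI
    dataTypes:
      - GWorkspaceActivityReports
# Lookback equals run frequency, so an event that is ingested late can fall
# outside every window; widen queryPeriod slightly if ingestion lag is observed.
queryFrequency: 1h
queryPeriod: 1h
# gt 0 fires on the first matching row in each window.
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
# `contains` is a case-insensitive substring match, so short words such as
# "order", "scan" and "bill" also match "border", "scanner", "billing"; expect
# noise and tune the word list for the tenant.
query: |
  GWorkspaceActivityReports
  | where isnotempty(DocTitle)
  | where DocTitle contains "invoice" or DocTitle contains "payment" or DocTitle contains "order" or DocTitle contains "fax" or DocTitle contains "scan" or DocTitle contains "transfer" or DocTitle contains "report" or DocTitle contains "bill"
  | extend FileCustomEntity = DocTitle, AccountCustomEntity = ActorEmail
# Column names here must match the `extend` aliases in the query above.
entityMappings:
  - entityType: File
    fieldMappings:
      - identifier: Name
        columnName: FileCustomEntity
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
version: 1.0.1
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Analytic Rules/GWorkspacePossibleMaldocFileNamesInGDRIVE.yaml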
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d80d02a8-5da6-11ec-bf63-0242ac130002')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d80d02a8-5da6-11ec-bf63-0242ac130002')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "GWorkspace - Possible maldoc file name in Google drive",
"description": "'Detects possible maldoc file name in Google drive.'\n",
"severity": "Medium",
"enabled": true,
"query": "GWorkspaceActivityReports\n| where isnotempty(DocTitle)\n| where DocTitle contains \"invoice\" or DocTitle contains \"payment\" or DocTitle contains \"order\" or DocTitle contains \"fax\" or DocTitle contains \"scan\" or DocTitle contains \"transfer\" or DocTitle contains \"report\" or DocTitle contains \"bill\"\n| extend FileCustomEntity = DocTitle, AccountCustomEntity = ActorEmail\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"techniques": [
"T1566"
],
"alertRuleTemplateName": "d80d02a8-5da6-11ec-bf63-0242ac130002",
"customDetails": null,
"entityMappings": [
{
"entityType": "File",
"fieldMappings": [
{
"columnName": "FileCustomEntity",
"identifier": "Name"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
}
]
}
],
"status": "Available",
"templateVersion": "1.0.1",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Analytic Rules/GWorkspacePossibleMaldocFileNamesInGDRIVE.yaml"
}
}
]
}