// Google Workspace Drive activity whose document title carries a lure keyword
// typical of maldoc / phishing attachments (T1566). Used by the scheduled rule
// "GWorkspace - Possible maldoc file name in Google drive".
//
// `contains` is a case-insensitive SUBSTRING match, so "order" also hits
// "recorder"/"border" and "bill" hits "billing" — this is a noisy, low-fidelity
// signal; trim or extend the keyword list per tenant.
// NOTE(review): nothing here restricts the event type (view/edit/upload/share)
// or the actor (internal vs. external), so routine edits of an internal
// "Monthly report" match too. Scoping to create/upload events from external
// actors would cut noise, but the connector's column names for those fields
// are not visible here — confirm against the GWorkspaceActivityReports schema.
GWorkspaceActivityReports
// Cheap pre-filter; an empty title could not satisfy the substring tests below anyway.
| where isnotempty(DocTitle)
| where DocTitle contains "invoice"
    or DocTitle contains "payment"
    or DocTitle contains "order"
    or DocTitle contains "fax"
    or DocTitle contains "scan"
    or DocTitle contains "transfer"
    or DocTitle contains "report"
    or DocTitle contains "bill"
// Columns the rule's entityMappings bind to File.Name and Account.Name.
| extend FileCustomEntity = DocTitle
| extend AccountCustomEntity = ActorEmail
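# Microsoft Sentinel scheduled analytic rule (GoogleWorkspaceReports solution).
# Flags Google Drive activity on documents whose title contains a lure keyword
# typical of maldoc / phishing attachments. The match is a case-insensitive
# substring test, so this is a noisy, low-fidelity detection — tune per tenant.
queryFrequency: 1h
# triggerOperator gt / triggerThreshold 0: a single matching row raises an
# alert; there is no aggregation or rate limiting in the rule itself.
triggerThreshold: 0
name: GWorkspace - Possible maldoc file name in Google drive
relevantTechniques:
  - T1566
id: d80d02a8-5da6-11ec-bf63-0242ac130002
query: |
  // `contains` is a case-insensitive SUBSTRING match, so "order" also hits
  // "recorder"/"border" and "bill" hits "billing" — expect benign matches.
  // NOTE(review): no event-type or actor scoping: routine internal edits of a
  // "Monthly report" match as well. Restricting to create/upload events from
  // external actors would cut noise, but the column names for those fields
  // are not visible here — confirm against the GWorkspaceActivityReports schema.
  GWorkspaceActivityReports
  // Cheap pre-filter; an empty title could not satisfy the substring tests anyway.
  | where isnotempty(DocTitle)
  | where DocTitle contains "invoice"
      or DocTitle contains "payment"
      or DocTitle contains "order"
      or DocTitle contains "fax"
      or DocTitle contains "scan"
      or DocTitle contains "transfer"
      or DocTitle contains "report"
      or DocTitle contains "bill"
  // Columns bound by entityMappings below to File.Name and Account.Name.
  | extend FileCustomEntity = DocTitle
  | extend AccountCustomEntity = ActorEmail
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Analytic Rules/GWorkspacePossibleMaldocFileNamesInGDRIVE.yaml
entityMappings:
  - entityType: File
    fieldMappings:
      - columnName: FileCustomEntity
        identifier: Name
  - entityType: Account
    fieldMappings:
      - columnName: AccountCustomEntity
        identifier: Name
version: 1.0.1
# Lookback equals the run interval, so consecutive runs tile the timeline with
# no overlap. If the connector delivers events more than ~1h after they occur,
# those events fall outside every window and are never evaluated; a longer
# queryPeriod (accepting some duplicate alerts) is the usual mitigation.
queryPeriod: 1h
tactics:
  - InitialAccess
triggerOperator: gt
requiredDataConnectors:
  - dataTypes:
      - GWorkspaceActivityReports
    connectorId: GoogleWorkspaceReportsAPI
status: Available
kind: Scheduled
description: |
  'Detects Google Workspace activity on Drive documents whose title contains a keyword commonly used to lure users into opening malicious documents (invoice, payment, order, fax, scan, transfer, report, bill). Matching is a case-insensitive substring check, so benign hits are expected; tune the keyword list and scope the query to your tenant.'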