GWorkspaceActivityReports
| where isnotempty(DocTitle)
| where DocTitle contains "invoice" or DocTitle contains "payment" or DocTitle contains "order" or DocTitle contains "fax" or DocTitle contains "scan" or DocTitle contains "transfer" or DocTitle contains "report" or DocTitle contains "bill"
| extend FileCustomEntity = DocTitle, AccountCustomEntity = ActorEmail
entityMappings:
- entityType: File
fieldMappings:
- identifier: Name
columnName: FileCustomEntity
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
tactics:
- InitialAccess
requiredDataConnectors:
- dataTypes:
- GWorkspaceActivityReports
connectorId: GoogleWorkspaceReportsAPI
id: d80d02a8-5da6-11ec-bf63-0242ac130002
severity: Medium
status: Available
query: |
GWorkspaceActivityReports
| where isnotempty(DocTitle)
| where DocTitle contains "invoice" or DocTitle contains "payment" or DocTitle contains "order" or DocTitle contains "fax" or DocTitle contains "scan" or DocTitle contains "transfer" or DocTitle contains "report" or DocTitle contains "bill"
| extend FileCustomEntity = DocTitle, AccountCustomEntity = ActorEmail
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Analytic Rules/GWorkspacePossibleMaldocFileNamesInGDRIVE.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.1
name: GWorkspace - Possible maldoc file name in Google drive
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1566
description: |
'Detects possible maldoc file name in Google drive.'
triggerOperator: gt
