LoFP / Administrators may create Drive data transfer requests during employee offboarding to preserve files for a manager or successor account.

Techniques

Sample rules

Google Workspace Drive Data Transfer or Takeout Export Initiated

Description

Detects when Google Workspace administrators initiate bulk movement or export of user Drive data. This includes admin data transfer requests that reassign a user’s Drive files to another account, and Customer Takeout export jobs that package organizational data for download or off-platform transfer. Adversaries with administrative access may abuse these mechanisms to stage or exfiltrate sensitive files.

Detection logic

data_stream.dataset:"google_workspace.admin" and (
  (event.action:"CREATE_DATA_TRANSFER_REQUEST" and google_workspace.admin.application.name:Drive*) or
  event.action:"CUSTOMER_TAKEOUT_CREATED"
)
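As an added example (not the rule page's or the Elastic integration's own code), the Python below re-implements the query above over constructed sample admin audit events and then suppresses the offboarding false positive this page describes by checking the transfer's source account against an offboarding record. The google_workspace.admin.user_email field, the application name values and the offboarding list are assumptions for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample events, written as flattened ECS documents. The only
# assumed field beyond the three the rule queries is
# google_workspace.admin.user_email, used here to name the transfer's source account.
SAMPLE_EVENTS = [
    {"data_stream.dataset": "google_workspace.admin", "event.action": "CREATE_DATA_TRANSFER_REQUEST",
     "google_workspace.admin.application.name": "Drive and Docs", "google_workspace.admin.user_email": "leaver@example.com"},
    {"data_stream.dataset": "google_workspace.admin", "event.action": "CREATE_DATA_TRANSFER_REQUEST",
     "google_workspace.admin.application.name": "Drive and Docs", "google_workspace.admin.user_email": "finance-lead@example.com"},
    {"data_stream.dataset": "google_workspace.admin", "event.action": "CREATE_DATA_TRANSFER_REQUEST",
     "google_workspace.admin.application.name": "Calendar", "google_workspace.admin.user_email": "leaver@example.com"},
    {"data_stream.dataset": "google_workspace.admin", "event.action": "CUSTOMER_TAKEOUT_CREATED"},
    {"data_stream.dataset": "google_workspace.login", "event.action": "CREATE_DATA_TRANSFER_REQUEST",
     "google_workspace.admin.application.name": "Drive and Docs"},
]

# Constructed offboarding record: accounts HR has flagged as departing.
OFFBOARDING_USERS = {"leaver@example.com"}

def matches_rule(event):
    """Mirror the KQL: admin dataset AND (Drive* transfer request OR Takeout created)."""
    if event.get("data_stream.dataset") != "google_workspace.admin":
        return False
    action = event.get("event.action")
    app = event.get("google_workspace.admin.application.name", "")
    # fnmatchcase keeps the wildcard case-sensitive, as it is on a keyword field.
    drive_transfer = action == "CREATE_DATA_TRANSFER_REQUEST" and fnmatchcase(app, "Drive*")
    return drive_transfer or action == "CUSTOMER_TAKEOUT_CREATED"

def triage(events, offboarding_users):
    """Split rule hits into (alerts, suppressed).

    A Drive transfer whose source account is being offboarded is the benign case
    this page documents. Takeout exports are never suppressed: packaging
    organisational data for download is not an offboarding step.
    """
    alerts, suppressed = [], []
    for event in events:
        if not matches_rule(event):
            continue
        source_user = event.get("google_workspace.admin.user_email")  # assumed field
        if event["event.action"] == "CREATE_DATA_TRANSFER_REQUEST" and source_user in offboarding_users:
            suppressed.append(event)
        else:
            alerts.append(event)
    return alerts, suppressed
```

Running triage on the sample set yields two alerts (the transfer for an account not being offboarded and the Takeout export) and one suppressed hit; the Calendar transfer and the event from the login dataset never match the rule.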