Techniques
Sample rules
Gsuite Drive Share In External Email
- source: splunk
- technicques:
- T1567.002
- T1567
Description
The following analytic detects Google Drive or Google Docs files shared externally from an internal domain. It leverages GSuite Drive logs, extracting and comparing the source and destination email domains to identify external sharing. This activity is significant as it may indicate potential data exfiltration by an attacker or insider. If confirmed malicious, this could lead to unauthorized access to sensitive information, data leakage, and potential compliance violations. Monitoring this behavior helps in early detection and mitigation of data breaches.
Detection logic
`gsuite_drive` NOT (email IN("", "null"))
| rex field=parameters.owner "[^@]+@(?<src_domain>[^@]+)"
| rex field=email "[^@]+@(?<dest_domain>[^@]+)"
| where src_domain = "internal_test_email.com" and not dest_domain = "internal_test_email.com"
| eval phase="plan"
| eval severity="low"
| stats values(parameters.doc_title) as doc_title, values(parameters.doc_type) as doc_types, values(email) as dst_email_list, values(parameters.visibility) as visibility, values(parameters.doc_id) as doc_id, count min(_time) as firstTime max(_time) as lastTime by parameters.owner ip_address phase severity
| rename parameters.owner as user ip_address as src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `gsuite_drive_share_in_external_email_filter`