Techniques
Sample rules
Gsuite Drive Share In External Email
- source: splunk
- technicques:
- T1567.002
- T1567
Description
This search is to detect suspicious google drive or google docs files shared outside or externally. This behavior might be a good hunting query to monitor exfitration of data made by an attacker or insider to a targetted machine.
Detection logic
`gsuite_drive` NOT (email IN("", "null"))
| rex field=parameters.owner "[^@]+@(?<src_domain>[^@]+)"
| rex field=email "[^@]+@(?<dest_domain>[^@]+)"
| where src_domain = "internal_test_email.com" and not dest_domain = "internal_test_email.com"
| eval phase="plan"
| eval severity="low"
| stats values(parameters.doc_title) as doc_title, values(parameters.doc_type) as doc_types, values(email) as dst_email_list, values(parameters.visibility) as visibility, values(parameters.doc_id) as doc_id, count min(_time) as firstTime max(_time) as lastTime by parameters.owner ip_address phase severity
| rename parameters.owner as user ip_address as src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `gsuite_drive_share_in_external_email_filter`