detection-rules icon indicating copy to clipboard operation
detection-rules copied to clipboard
verified publisher icon elastic

[New hunt] Sensitive file access by user in Google Workspace

Open brokensound77 opened this issue 1 year ago • 1 comments

Description

Explore all sensitive files accessed by users, based on defined parameters

Target Huntset

google_workspace

Target hunt Type

ES|QL

Query

from logs-google_workspace* 
| where file.name == "*" or file.name is not null and event.action in ("view", "download") and 
  (
    //expand to known patterns
    to_lower(file.name) like "*password*" or
    to_lower(file.name) like "*sensitive*" or
    to_lower(file.name) like "*cred*" or
    to_lower(file.name) like "*private*" or
    to_lower(file.name) like "*secret*"
  )
| stats files=count(*) by file.name, user.email, event.action

Related issues or PRs

#4121

References

No response

Redacted Example Data

No response

brokensound77 avatar Oct 02 '24 16:10 brokensound77

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] avatar Dec 01 '24 16:12 botelastic[bot]