elastic
[New Rule] Searches for sensitive files via Google Workspace Cloud Search
Description
The Google Workspace Cloud Search feature allows for more thorough searching. It may be possible to detect attempts to Discover or Exfil based on certain search terms targeting sensitive or lucrative files (or similar patterns).
It looks like it is possible to log search parameters (specifically for cloud search application), as logging for seems to exist. The possible event.action could include search, suggest, or list query sources.
Need to figure out:
- are there any subscription or license prerequisites (if so, annotate in the rule)
- are there any additional required steps to configure from the GW side
- are they any additional required steps to configure from the integration side
Target Ruleset
google_workspace
Target Rule Type
Custom (KQL or Lucene)
Tested ECS Version
No response
Query
TBD
New fields required in ECS/data sources for this rule?
No response
Related issues or PRs
No response
References
No response
Redacted Example Data
No response
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
![botelastic[bot] avatar](https://avatars.githubusercontent.com/u/6764390?v=4 "Published by a pub.dev verified publisher"){kind=small}