Overview
Google Workspace (formerly known as Google Apps and later G Suite) is a collection of cloud computing, productivity, and collaboration tools, software, and products developed and marketed by Google. It consists of Gmail, Contacts, Calendar, Meet and Chat for communication. Devo provides a list of out-of-the-box detections that enable our customers to protect themselves against popular attacks against these environments.
| Expand |
|---|
| title | Government Attack Warning |
|---|
| A government-backed attacker could try to steal a password or other personal information | SecOpsGSuiteDriveExternallyShared |
|---|
|
Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Source table → cloud.gsuite.reports.drive |
| Expand |
|---|
| title | SecOpsGSuiteLoginAccountWarning |
|---|
|
An attacker could steal the credentials of one of your users by sending an email containing a harmful attachment, links to malicious software, or to fake websites. Source table → cloud.gsuite.alertsreports.login |
| Expand |
|---|
| title | Drive Open To PublicSecOpsGSuiteMobileSuspiciousActivity |
|---|
|
An attacker may access data objects from improperly secured cloud storagecould steal the credentials or the mobile device of one of your users. Source table → cloud.gsuite.auditreports.drivemobile |
| Expand |
|---|
| title | Access Transparency Event |
|---|
| A Google Access Transparency log event has been generated. Google is accessing your data| SecOpsGSuiteDriveOpenToPublic |
|
An attacker may access data objects from improperly secured cloud storage. Source table → cloud.gsuite.reportsaudit.access_transparencydrive |
| Expand |
|---|
| title | 2SV DisabledSecOpsGSuite2SVDisabled |
|---|
|
An adversary may attempt to disable the second - factor authentication in order to weaken an organization’s security controls. Source table → cloud.gsuite.reports.admin |
| Expand |
|---|
| title | Login Account WarningSecOpsGSuiteExcessiveOAuthPermissionsRequest |
|---|
|
An attacker could steal the credentials of one of your usersadversary may steal application access tokens as a means of acquiring credentials to access remote systems and resources. Source table → cloud.gsuite.reports.logintoken |
| Expand |
|---|
| title | Mobile Suspicious Activity |
|---|
| An attacker could steal the credentials or the mobile device of one of your users| SecOpsCDIocIpSuspiciousGSuiteData |
|
This search looks for Collective Defense matches in GSuite data. Source table → cloud.gsuite.reports.mobile |
| Expand |
|---|
| title | Excessive OAuth Permissions Request |
|---|
| An adversary may steal application access tokens as a means of acquiring credentials to access remote systems and resources| SecOpsGSuiteUnauthorizedOAuthApp |
|
Detects authentications from OAuth apps outside of your predefined list of approved OAuth applications. Source table → cloud.gsuite.reports.token |
| Expand |
|---|
| title | Unauthorized OAuth App |
|---|
| Detects authentications from OAuth apps outside of your predefined list of approved OAuth applications| SecOpsGSuiteGovernmentAttackWarning |
|
A government-backed attacker could try to steal a password or other personal information of one of your users by sending an email containing a harmful attachment, links to malicious software or to fake websites. Source table → cloud.gsuite.reports.tokenalerts |
| Expand |
|---|
| title | Drive Externally Shared |
|---|
| Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel| SecOpsGSuiteAcessTransparencyEvent |
|
A Google Access Transparency log event has been generated. Google is accessing your data. Source table → cloud.gsuite.reports.driveaccess_transparency |
| Expand |
|---|
| title | SecOpsGSuiteDriveSuspiciousSharedFileName |
|---|
|
Adversaries may send Spear Phishing emails with a malicious attachment or share malicious files by cloud storage services in an attempt to gain access to victim systems. Source table → cloud.gsuite.reports.drive |
