Versions Compared

Version Old Version 3 New Version Current
Changes made by

Former user

Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Google Workspace (formerly known as Google Apps and later G Suite) is a collection of cloud computing, productivity, and collaboration tools, software, and products developed and marketed by Google. It consists of Gmail, Contacts, Calendar, Meet and Chat for communication. Devo provides a list of out-of-the-box detections that enable our customers to protect themselves against popular attacks against these environments.

Expand
titleSecOpsGSuiteDriveExternallyShared

Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel.

Source table → cloud.gsuite.reports.drive

Expand
titleSecOpsGSuiteLoginAccountWarning

An attacker could steal the credentials of one of your users.

Source table → cloud.gsuite.reports.login

Expand
titleSecOpsGSuiteMobileSuspiciousActivity

An attacker could steal the credentials or the mobile device of one of your users.

Source table → cloud.gsuite.reports.mobile

Expand
titleSecOpsGSuiteDriveOpenToPublic

An attacker may access data objects from improperly secured cloud storage.

Source table → cloud.gsuite.audit.drive

Expand
titleSecOpsGSuite2SVDisabled

An adversary may attempt to disable the second factor authentication in order to weaken an organization’s security controls.

Source table → cloud.gsuite.reports.admin

Expand
titleSecOpsGSuiteExcessiveOAuthPermissionsRequest

An adversary may steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Source table → cloud.gsuite.reports.token

Expand
titleSecOpsCDIocIpSuspiciousGSuiteData

This search looks for Collective Defense matches in GSuite data.

Source table → cloud.gsuite.reports

Expand
titleSecOpsGSuiteUnauthorizedOAuthApp

Detects authentications from OAuth apps outside of your predefined list of approved OAuth applications.

Source table → cloud.gsuite.reports.token

Expand
title

...

SecOpsGSuiteGovernmentAttackWarning

A government-backed attacker could try to steal a password or other personal information of one of your users by sending an email containing a harmful attachment, links to malicious software or to fake websites.

Source table → cloud.gsuite.alerts

Expand
titleSecOpsGSuiteAcessTransparencyEvent

A Google Access Transparency log event has been generated. Google is accessing your data.

Source table → cloud.gsuite.reports.access_transparency

Expand
titleSecOpsGSuiteDriveSuspiciousSharedFileName

Adversaries may send Spear Phishing emails with a malicious attachment or share malicious files by cloud storage services in an attempt to gain access to victim systems.

Source table → cloud.gsuite.reports.drive