Google Workspace

Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel.

Source table → cloud.gsuite.reports.drive

An attacker could steal the credentials of one of your users.

Source table → cloud.gsuite.reports.login

An attacker could steal the credentials or the mobile device of one of your users.

Source table → cloud.gsuite.reports.mobile

An attacker may access data objects from improperly secured cloud storage.

Source table → cloud.gsuite.audit.drive

An adversary may attempt to disable the second factor authentication in order to weaken an organization’s security controls.

Source table → cloud.gsuite.reports.admin

An adversary may steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Source table → cloud.gsuite.reports.token

This search looks for Collective Defense matches in GSuite data.

Source table → cloud.gsuite.reports

Detects authentications from OAuth apps outside of your predefined list of approved OAuth applications.

Source table → cloud.gsuite.reports.token

A government-backed attacker could try to steal a password or other personal information of one of your users by sending an email containing a harmful attachment, links to malicious software or to fake websites.

Source table → cloud.gsuite.alerts

A Google Access Transparency log event has been generated. Google is accessing your data.

Source table → cloud.gsuite.reports.access_transparency

Adversaries may send Spear Phishing emails with a malicious attachment or share malicious files by cloud storage services in an attempt to gain access to victim systems.

Source table → cloud.gsuite.reports.drive