External Sharing was turned on for Google Drive

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

5 Days

Required Data

  • Requires:
    • Google Workspace Audit Logs

Detection Modules

Identity Threat Module

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Transfer Data to Cloud Account (T1537)

Severity

Informational

Description

An identity has modified Google Drive sharing settings and allowed external sharing.

Attacker's Goals

Adversaries may exfiltrate data, such as sensitive documents.

Investigative actions

  • Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
  • Check the new setting details.
  • Follow further actions done by the account.

Variations

External Sharing was turned on for Google Drive by a non Google Workspace administrative user from an unusual ASN

Synopsis

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Transfer Data to Cloud Account (T1537)

Severity

Low

Description

An identity has modified Google Drive sharing settings and allowed external sharing.

Attacker's Goals

Adversaries may exfiltrate data, such as sensitive documents.

Investigative actions

  • Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
  • Check the new setting details.
  • Follow further actions done by the account.


External Sharing was turned on for Google Drive by a non Google Workspace administrative user

Synopsis

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Transfer Data to Cloud Account (T1537)

Severity

Low

Description

An identity has modified Google Drive sharing settings and allowed external sharing.

Attacker's Goals

Adversaries may exfiltrate data, such as sensitive documents.

Investigative actions

  • Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
  • Check the new setting details.
  • Follow further actions done by the account.


External Sharing was turned on for Google Drive from an unusual ASN

Synopsis

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Transfer Data to Cloud Account (T1537)

Severity

Low

Description

An identity has modified Google Drive sharing settings and allowed external sharing.

Attacker's Goals

Adversaries may exfiltrate data, such as sensitive documents.

Investigative actions

  • Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
  • Check the new setting details.
  • Follow further actions done by the account.
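The following Python is an added example, not Cortex XDR's own detection logic (which this page does not describe). It shows the shape of the base alert and its three variations above over Google Workspace admin audit events in the Reports API activities.list format: a `CHANGE_APPLICATION_SETTING` event for the `drive` application whose new value allows external sharing raises the alert, the actor's admin status and whether the source ASN was seen for that identity during the training period select the variation and severity, and repeated hits for the same actor and setting inside the 5-day deduplication period are suppressed. The setting name `SHARING_OUTSIDE_DOMAIN` and its values, the admin list, the IP-to-ASN lookup and the sample events are all constructed for this example.

```python
"""Added example: detection logic modelled on the alert family described on this
page. Not Cortex XDR code. Setting names/values, admin list and ASN lookup are
constructed assumptions, not documented Google Workspace identifiers."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed: assumed Drive setting name and the values that allow external sharing.
EXTERNAL_SHARING_SETTINGS = {"SHARING_OUTSIDE_DOMAIN"}
ALLOW_VALUES = {"SHARING_ALLOWED", "SHARING_ALLOWED_WITH_WARNING"}
DEDUP_WINDOW = timedelta(days=5)  # page: Deduplication Period = 5 Days
BASE_NAME = "External Sharing was turned on for Google Drive"


@dataclass
class Context:
    admins: set[str]                     # hypothetical list of Workspace admin identities
    asn_of_ip: dict[str, int]            # hypothetical IP -> ASN lookup
    baseline_asns: dict[str, set[int]]   # per-identity ASNs seen in the training period
    last_alert: dict[tuple[str, str], datetime] = field(default_factory=dict)


def _params(event: dict) -> dict:
    """Flatten the Reports API parameters list into a name -> value dict."""
    return {p["name"]: p.get("value") for p in event.get("parameters", [])}


def evaluate(activity: dict, ctx: Context) -> dict | None:
    """Return an alert dict for one activity record, or None (no match / deduplicated)."""
    ts = datetime.fromisoformat(activity["id"]["time"].replace("Z", "+00:00"))
    actor = activity["actor"]["email"]
    ip = activity.get("ipAddress", "")
    for ev in activity.get("events", []):
        if ev.get("name") != "CHANGE_APPLICATION_SETTING":
            continue
        p = _params(ev)
        setting = p.get("SETTING_NAME")
        if p.get("APPLICATION_NAME") != "drive" or setting not in EXTERNAL_SHARING_SETTINGS:
            continue
        if p.get("NEW_VALUE") not in ALLOW_VALUES:
            continue  # sharing was restricted, not opened up
        key = (actor, setting)
        prev = ctx.last_alert.get(key)
        if prev is not None and ts - prev < DEDUP_WINDOW:
            return None  # suppressed by the deduplication period
        ctx.last_alert[key] = ts
        # Variation selectors: non-admin actor and source ASN not in the identity's baseline.
        non_admin = actor not in ctx.admins
        asn = ctx.asn_of_ip.get(ip)
        unusual_asn = asn is not None and asn not in ctx.baseline_asns.get(actor, set())
        name = BASE_NAME
        if non_admin:
            name += " by a non Google Workspace administrative user"
        if unusual_asn:
            name += " from an unusual ASN"
        return {
            "alert": name,
            "severity": "Low" if (non_admin or unusual_asn) else "Informational",
            "actor": actor, "ip": ip, "asn": asn, "setting": setting,
            "old_value": p.get("OLD_VALUE"), "new_value": p.get("NEW_VALUE"),
            "org_unit": p.get("ORG_UNIT_NAME"), "time": activity["id"]["time"],
        }
    return None


def run(activities: list[dict], ctx: Context) -> list[dict]:
    """Evaluate records in chronological order and collect the alerts raised."""
    return [a for a in (evaluate(x, ctx) for x in activities) if a is not None]


def _activity(time: str, actor: str, ip: str, old: str, new: str) -> dict:
    """Build a constructed admin-audit record in the Reports API shape."""
    return {"id": {"time": time, "applicationName": "admin"},
            "actor": {"email": actor}, "ipAddress": ip,
            "events": [{"type": "APPLICATION_SETTINGS", "name": "CHANGE_APPLICATION_SETTING",
                        "parameters": [{"name": "APPLICATION_NAME", "value": "drive"},
                                       {"name": "SETTING_NAME", "value": "SHARING_OUTSIDE_DOMAIN"},
                                       {"name": "OLD_VALUE", "value": old},
                                       {"name": "NEW_VALUE", "value": new},
                                       {"name": "ORG_UNIT_NAME", "value": "/"}]}]}


def sample_results() -> list[dict]:
    """Constructed scenario: admin from known ASN, non-admin from unusual ASN, a duplicate,
    a restriction (no alert) and a later non-admin change from a known ASN."""
    ctx = Context(admins={"admin@example.com"},
                  asn_of_ip={"198.51.100.7": 64500, "203.0.113.9": 64511},
                  baseline_asns={"admin@example.com": {64500}, "alice@example.com": {64500}})
    events = [
        _activity("2024-06-01T10:00:00.000Z", "admin@example.com", "198.51.100.7", "SHARING_NOT_ALLOWED", "SHARING_ALLOWED"),
        _activity("2024-06-01T11:00:00.000Z", "alice@example.com", "203.0.113.9", "SHARING_NOT_ALLOWED", "SHARING_ALLOWED"),
        _activity("2024-06-03T09:00:00.000Z", "alice@example.com", "203.0.113.9", "SHARING_NOT_ALLOWED", "SHARING_ALLOWED"),
        _activity("2024-06-04T09:00:00.000Z", "admin@example.com", "198.51.100.7", "SHARING_ALLOWED", "SHARING_NOT_ALLOWED"),
        _activity("2024-06-07T12:00:00.000Z", "alice@example.com", "198.51.100.7", "SHARING_NOT_ALLOWED", "SHARING_ALLOWED"),
    ]
    return run(events, ctx)


if __name__ == "__main__":
    for alert in sample_results():
        print(alert["severity"], "|", alert["alert"], "|", alert["actor"], alert["time"])
```

In the constructed scenario the third record is dropped by deduplication (same actor and setting two days after the previous alert) and the fourth raises nothing because it restricts sharing rather than enabling it; the remaining three records map onto the base alert and two of the variations listed above. The `old_value`, `new_value` and `org_unit` fields are carried into the alert so that the "check the new setting details" step can be done from the alert itself.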