Large volume of files potentially containing credentials accessed in Google Drive

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2026-05-18

Activation Period	14 Days
Training Period	30 Days
Test Period	1 Hour
Deduplication Period	1 Day
Required Data	Requires: Google Workspace Audit Logs
Detection Modules	Identity Threat Module
Detector Tags	Google Workspace
ATT&CK Tactic	Collection (TA0009) Credential Access (TA0006)
ATT&CK Technique	Data from Cloud Storage (T1530) Unsecured Credentials (T1552)
Severity	Informational

A user accessed a large volume of files potentially containing credentials in Google Drive.

An attacker may attempt to gain unauthorized access by leveraging valid credentials found in Google Drive.

Check for signs of account compromise, such as abnormal login activity or unusual behavior.
Verify if the user account that accessed the files is authorized to access them.
Review the files accessed and whether it was part of a breach or a legitimate activity.
Monitor the account for any further suspicious actions.

ATT&CK Tactic

ATT&CK Technique

Severity

Low

A user accessed a large volume of files potentially containing credentials in Google Drive.

An attacker may attempt to gain unauthorized access by leveraging valid credentials found in Google Drive.

Check for signs of account compromise, such as abnormal login activity or unusual behavior.
Verify if the user account that accessed the files is authorized to access them.
Review the files accessed and whether it was part of a breach or a legitimate activity.
Monitor the account for any further suspicious actions.