Google Workspace Drive Encryption Key(s) Accessed from Anonymous User

About

Tags

Domain: CloudData Source: Google WorkspaceUse Case: Configuration AuditTactic: Credential AccessTactic: CollectionLanguage: eql

Severity

high

Risk Score

73

MITRE ATT&CK™

Credential Access (TA0006)(external, opens in a new tab or window)

↳ Unsecured Credentials (T1552)(external, opens in a new tab or window)

Collection (TA0009)(external, opens in a new tab or window)

↳ Data from Cloud Storage (T1530)(external, opens in a new tab or window)

False Positive Examples

A user may generate a shared access link to encryption key files to share with others. It is unlikely that the intended recipient is an external or anonymous user.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

filebeat-*logs-google_workspace.drive-*

Related Integrations

google_workspace(external, opens in a new tab or window)

Query

✄𐘗
text code block:
✄𐘗file where data_stream.dataset == "google_workspace.drive" and event.action : ("copy", "view", "download") and
    google_workspace.drive.visibility: "people_with_link" and source.user.email == "" and
    file.extension: (
        "token","assig", "pssc", "keystore", "pub", "pgp.asc", "ps1xml", "pem", "gpg.sig", "der", "key",
        "p7r", "p12", "asc", "jks", "p7b", "signature", "gpg", "pgp.sig", "sst", "pgp", "gpgz", "pfx", "crt",
        "p8", "sig", "pkcs7", "jceks", "pkcs8", "psc1", "p7c", "csr", "cer", "spc", "ps2xml")