Gsuite Drive Share In External Email

name: Gsuite Drive Share In External Email
id: f6ee02d6-fea0-11eb-b2c2-acde48001122
version: 10
date: '2026-03-10'
author: Teoderick Contreras, Splunk
status: experimental
type: Anomaly
description: The following analytic detects Google Drive or Google Docs files shared externally from an internal domain. It leverages GSuite Drive logs, extracting and comparing the source and destination email domains to identify external sharing. This activity is significant as it may indicate potential data exfiltration by an attacker or insider. If confirmed malicious, this could lead to unauthorized access to sensitive information, data leakage, and potential compliance violations. Monitoring this behavior helps in early detection and mitigation of data breaches.
data_source:
    - G Suite Drive
search: |
    `gsuite_drive` NOT (email IN("", "null"))
    | spath path=parameters.owner output=owner
    | rex field=owner "[^@]+@(?<src_domain>[^@]+)"
    | rex field=email "[^@]+@(?<dest_domain>[^@]+)"
    | where src_domain = "internal_test_email.com" and not dest_domain = "internal_test_email.com"
    | eval phase="plan"
    | eval severity="low"
    | stats values(parameters.doc_title) as doc_title,
      values(parameters.doc_type) as doc_types,
      values(email) as dst_email_list,
      values(parameters.visibility) as visibility,
      values(parameters.doc_id) as doc_id,
      count min(_time) as firstTime max(_time) as lastTime
      by parameters.owner ip_address phase severity
    | rename parameters.owner as user ip_address as src_ip
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `gsuite_drive_share_in_external_email_filter`
how_to_implement: To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`.
known_false_positives: network admin or normal user may share files to customer and external team.
references:
    - https://www.redhat.com/en/topics/devops/what-is-devsecops
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: Suspicious share gdrive from $user$ to $dst_email_list$ namely as $doc_title$
    risk_objects:
        - field: dst_email_list
          type: user
          score: 20
        - field: user
          type: user
          score: 20
    threat_objects: []
tags:
    analytic_story:
        - Scattered Lapsus$ Hunters
        - Dev Sec Ops
        - Insider Threat
    asset_type: GSuite
    mitre_attack_id:
        - T1567.002
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567.002/gsuite_share_drive/gdrive_share_external.log
          source: http:gsuite
          sourcetype: gws:reports:drive