EXPLORE
Sign In
← Back to Explore
splunk_escuAnomaly

Gsuite Drive Share In External Email

The following analytic detects Google Drive or Google Docs files shared externally from an internal domain. It leverages GSuite Drive logs, extracting and comparing the source and destination email domains to identify external sharing. This activity is significant as it may indicate potential data exfiltration by an attacker or insider. If confirmed malicious, this could lead to unauthorized access to sensitive information, data leakage, and potential compliance violations. Monitoring this behavior helps in early detection and mitigation of data breaches.

Detection Query

`gsuite_drive` NOT (email IN("", "null"))
| spath path=parameters.owner output=owner
| rex field=owner "[^@]+@(?<src_domain>[^@]+)"
| rex field=email "[^@]+@(?<dest_domain>[^@]+)"
| where src_domain = "internal_test_email.com" and not dest_domain = "internal_test_email.com"
| eval phase="plan"
| eval severity="low"
| stats values(parameters.doc_title) as doc_title,
  values(parameters.doc_type) as doc_types,
  values(email) as dst_email_list,
  values(parameters.visibility) as visibility,
  values(parameters.doc_id) as doc_id,
  count min(_time) as firstTime max(_time) as lastTime
  by parameters.owner ip_address phase severity
| rename parameters.owner as user ip_address as src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `gsuite_drive_share_in_external_email_filter`

Author

Teoderick Contreras, Splunk

Data Sources

G Suite Drive

References

Raw Content
name: Gsuite Drive Share In External Email
id: f6ee02d6-fea0-11eb-b2c2-acde48001122
version: 12
creation_date: '2021-08-16'
modification_date: '2026-05-13'
author: Teoderick Contreras, Splunk
status: experimental
type: Anomaly
description: The following analytic detects Google Drive or Google Docs files shared externally from an internal domain. It leverages GSuite Drive logs, extracting and comparing the source and destination email domains to identify external sharing. This activity is significant as it may indicate potential data exfiltration by an attacker or insider. If confirmed malicious, this could lead to unauthorized access to sensitive information, data leakage, and potential compliance violations. Monitoring this behavior helps in early detection and mitigation of data breaches.
data_source:
    - G Suite Drive
search: |
    `gsuite_drive` NOT (email IN("", "null"))
    | spath path=parameters.owner output=owner
    | rex field=owner "[^@]+@(?<src_domain>[^@]+)"
    | rex field=email "[^@]+@(?<dest_domain>[^@]+)"
    | where src_domain = "internal_test_email.com" and not dest_domain = "internal_test_email.com"
    | eval phase="plan"
    | eval severity="low"
    | stats values(parameters.doc_title) as doc_title,
      values(parameters.doc_type) as doc_types,
      values(email) as dst_email_list,
      values(parameters.visibility) as visibility,
      values(parameters.doc_id) as doc_id,
      count min(_time) as firstTime max(_time) as lastTime
      by parameters.owner ip_address phase severity
    | rename parameters.owner as user ip_address as src_ip
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `gsuite_drive_share_in_external_email_filter`
how_to_implement: To successfully implement this search, you need to be ingesting logs related to gsuite having the file attachment metadata like file type, file extension, source email, destination email, num of attachment and etc. In order for the search to work for your environment, please edit the query to use your company specific email domain instead of `internal_test_email.com`.
known_false_positives: network admin or normal user may share files to customer and external team.
references:
    - https://www.redhat.com/en/topics/devops/what-is-devsecops
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: dst_email_list
          type: user
          score: 20
          message: Suspicious share gdrive from $user$ to $dst_email_list$ namely as $doc_title$
        - field: user
          type: user
          score: 20
          message: Suspicious share gdrive from $user$ to $dst_email_list$ namely as $doc_title$
analytic_story:
    - Scattered Lapsus$ Hunters
    - Dev Sec Ops
    - Insider Threat
asset_type: GSuite
mitre_attack_id:
    - T1567.002
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: cloud
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567.002/gsuite_share_drive/gdrive_share_external.log
          source: http:gsuite
          sourcetype: gws:reports:drive
      test_type: experimental
      description: This test is a legacy experimental test and may not be accurate.