@@ -3,18 +3,20 @@ id: 07eed200-03f5-11ec-98fb-acde48001122
33version : 7
44date : ' 2025-05-02'
55author : Teoderick Contreras, Splunk
6- status : production
6+ status : Experimental
77type : Anomaly
8- description : The following analytic detects shared files in Google Drive with suspicious
8+ description :
9+ The following analytic detects shared files in Google Drive with suspicious
910 filenames commonly used in spear phishing campaigns. It leverages GSuite Drive logs
1011 to identify documents with titles that include keywords like "dhl," "ups," "invoice,"
1112 and "shipment." This activity is significant because such filenames are often used
1213 to lure users into opening malicious documents or clicking harmful links. If confirmed
1314 malicious, this activity could lead to unauthorized access, data theft, or further
1415 compromise of the user's system.
1516data_source :
16- - G Suite Drive
17- search : ' `gsuite_drive` parameters.owner_is_team_drive=false "parameters.doc_title"
17+ - G Suite Drive
18+ search :
19+ ' `gsuite_drive` parameters.owner_is_team_drive=false "parameters.doc_title"
1820 IN ("*dhl*", "* ups *", "*delivery*", "*parcel*", "*label*", "*invoice*", "*postal*",
1921 "*fedex*", "* usps *", "* express *", "*shipment*", "*Banking/Tax*","*shipment*",
2022 "*new order*") parameters.doc_type IN ("document","pdf", "msexcel", "msword", "spreadsheet",
@@ -25,55 +27,57 @@ search: '`gsuite_drive` parameters.owner_is_team_drive=false "parameters.doc_tit
2527 parameters.target_user parameters.doc_title parameters.doc_type phase severity |
2628 rename parameters.target_user AS user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
2729 | `gsuite_suspicious_shared_file_name_filter`'
28- how_to_implement : To successfully implement this search, you need to be ingesting
30+ how_to_implement :
31+ To successfully implement this search, you need to be ingesting
2932 logs related to gsuite having the file attachment metadata like file type, file
3033 extension, source email, destination email, num of attachment and etc. In order
3134 for the search to work for your environment, please edit the query to use your company
3235 specific email domain instead of `internal_test_email.com`.
33- known_false_positives : normal user or normal transaction may contain the subject and
36+ known_false_positives :
37+ normal user or normal transaction may contain the subject and
3438 file type attachment that this detection try to search
3539references :
36- - https://www.redhat.com/en/topics/devops/what-is-devsecops
37- - https://www.mandiant.com/resources/top-words-used-in-spear-phishing-attacks
40+ - https://www.redhat.com/en/topics/devops/what-is-devsecops
41+ - https://www.mandiant.com/resources/top-words-used-in-spear-phishing-attacks
3842drilldown_searches :
39- - name : View the detection results for - "$email$"
40- search : ' %original_detection_search% | search email = "$email$"'
41- earliest_offset : $info_min_time$
42- latest_offset : $info_max_time$
43- - name : View risk events for the last 7 days for - "$email$"
44- search : ' | from datamodel Risk.All_Risk | search normalized_risk_object IN ("$email$")
45- starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
46- values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
47- as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
48- as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
49- | `security_content_ctime(lastTime)`'
50- earliest_offset : $info_min_time$
51- latest_offset : $info_max_time$
43+ - name : View the detection results for - "$email$"
44+ search : ' %original_detection_search% | search email = "$email$"'
45+ earliest_offset : $info_min_time$
46+ latest_offset : $info_max_time$
47+ - name : View risk events for the last 7 days for - "$email$"
48+ search :
49+ ' | from datamodel Risk.All_Risk | search normalized_risk_object IN ("$email$")
50+ starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
51+ values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
52+ as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
53+ as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
54+ | `security_content_ctime(lastTime)`'
55+ earliest_offset : $info_min_time$
56+ latest_offset : $info_max_time$
5257rba :
5358 message : suspicious share gdrive from $parameters.owner$ to $email$ namely as $parameters.doc_title$
5459 risk_objects :
55- - field : email
56- type : user
57- score : 21
58- - field : parameters.owner
59- type : user
60- score : 21
60+ - field : email
61+ type : user
62+ score : 21
63+ - field : parameters.owner
64+ type : user
65+ score : 21
6166 threat_objects : []
6267tags :
6368 analytic_story :
64- - Dev Sec Ops
69+ - Dev Sec Ops
6570 asset_type : GSuite
6671 mitre_attack_id :
67- - T1566.001
72+ - T1566.001
6873 product :
69- - Splunk Enterprise
70- - Splunk Enterprise Security
71- - Splunk Cloud
74+ - Splunk Enterprise
75+ - Splunk Enterprise Security
76+ - Splunk Cloud
7277 security_domain : endpoint
7378tests :
74- - name : True Positive Test
75- attack_data :
76- - data :
77- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gdrive_susp_file_share/gdrive_susp_attach.log
78- source : http:gsuite
79- sourcetype : gsuite:drive:json
79+ - name : True Positive Test
80+ attack_data :
81+ - data : https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gdrive_susp_file_share/gdrive_susp_attach.log
82+ source : http:gsuite
83+ sourcetype : gws:reports:drive
0 commit comments