change to supported sourcetype

ljstella · ljstella · commit ff624b020a0e · 2025-06-17T09:08:10.000-05:00
diff --git a/detections/cloud/gsuite_drive_share_in_external_email.yml b/detections/cloud/gsuite_drive_share_in_external_email.yml
@@ -5,83 +5,86 @@ date: '2025-06-10'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects Google Drive or Google Docs files shared
+description:
+  The following analytic detects Google Drive or Google Docs files shared
   externally from an internal domain. It leverages GSuite Drive logs, extracting and
   comparing the source and destination email domains to identify external sharing.
   This activity is significant as it may indicate potential data exfiltration by an
   attacker or insider. If confirmed malicious, this could lead to unauthorized access
   to sensitive information, data leakage, and potential compliance violations. Monitoring
   this behavior helps in early detection and mitigation of data breaches.
 data_source:
-- G Suite Drive
+  - G Suite Drive
 search: |
   `gsuite_drive` NOT (email IN("", "null"))
   | spath path=parameters.owner output=owner
   | rex field=owner "[^@]+@(?<src_domain>[^@]+)"
-  | rex field=email "[^@]+@(?<dest_domain>[^@]+)" 
-  | where src_domain = "internal_test_email.com" and not dest_domain = "internal_test_email.com" 
-  | eval phase="plan" 
+  | rex field=email "[^@]+@(?<dest_domain>[^@]+)"
+  | where src_domain = "internal_test_email.com" and not dest_domain = "internal_test_email.com"
+  | eval phase="plan"
   | eval severity="low"
-  | stats values(parameters.doc_title) as doc_title, 
-    values(parameters.doc_type) as doc_types, 
-    values(email) as dst_email_list, 
+  | stats values(parameters.doc_title) as doc_title,
+    values(parameters.doc_type) as doc_types,
+    values(email) as dst_email_list,
     values(parameters.visibility) as visibility,
-    values(parameters.doc_id) as doc_id, 
-    count min(_time) as firstTime max(_time) as lastTime 
-    by parameters.owner ip_address phase severity 
-  | rename parameters.owner as user ip_address as src_ip 
-  | `security_content_ctime(firstTime)` 
+    values(parameters.doc_id) as doc_id,
+    count min(_time) as firstTime max(_time) as lastTime
+    by parameters.owner ip_address phase severity
+  | rename parameters.owner as user ip_address as src_ip
+  | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)`
   | `gsuite_drive_share_in_external_email_filter`
-how_to_implement: To successfully implement this search, you need to be ingesting
+how_to_implement:
+  To successfully implement this search, you need to be ingesting
   logs related to gsuite having the file attachment metadata like file type, file
   extension, source email, destination email, num of attachment and etc. In order
   for the search to work for your environment, please edit the query to use your company
   specific email domain instead of `internal_test_email.com`.
-known_false_positives: network admin or normal user may share files to customer and
+known_false_positives:
+  network admin or normal user may share files to customer and
   external team.
 references:
-- https://www.redhat.com/en/topics/devops/what-is-devsecops
+  - https://www.redhat.com/en/topics/devops/what-is-devsecops
 drilldown_searches:
-- name: View the detection results for - "$dest$"
-  search: '%original_detection_search% | search  dest = "$dest$"'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$dest$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
-    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
-    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
-    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
-    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
-    | `security_content_ctime(lastTime)`'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
+  - name: View the detection results for - "$dest$"
+    search: '%original_detection_search% | search  dest = "$dest$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$dest$"
+    search:
+      '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+      starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+      values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+      as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+      as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+      | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
 rba:
-  message: Suspicious share gdrive from $owner$ to $email$ namely as $doc_title$
+  message: Suspicious share gdrive from $user$ to $dst_email_list$ namely as $doc_title$
   risk_objects:
-  - field: email
-    type: user
-    score: 72
-  - field: owner
-    type: user
-    score: 72
+    - field: dst_email_list
+      type: user
+      score: 72
+    - field: user
+      type: user
+      score: 72
   threat_objects: []
 tags:
   analytic_story:
-  - Dev Sec Ops
-  - Insider Threat
+    - Dev Sec Ops
+    - Insider Threat
   asset_type: GSuite
   mitre_attack_id:
-  - T1567.002
+    - T1567.002
   product:
-  - Splunk Enterprise
-  - Splunk Enterprise Security
-  - Splunk Cloud
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
-- name: True Positive Test
-  attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567.002/gsuite_share_drive/gdrive_share_external.log
-    source: http:gsuite
-    sourcetype: gsuite:drive:json
+  - name: True Positive Test
+    attack_data:
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567.002/gsuite_share_drive/gdrive_share_external.log
+        source: http:gsuite
+        sourcetype: gws:reports:drive
diff --git a/macros/gsuite_drive.yml b/macros/gsuite_drive.yml
@@ -1,5 +1,5 @@
-definition: sourcetype=gsuite:drive:json
-description: customer specific splunk configurations(eg- index, source, sourcetype).
+definition: sourcetype="gws:reports:drive"
+description:
+  customer specific splunk configurations(eg- index, source, sourcetype).
   Replace the macro definition with configurations for your Splunk Environment.
 name: gsuite_drive
-
