elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Rule Tuning] Google Workspace Drive Encryption Key(s) Accessed from Anonymous User #4120

Open brokensound77 opened 6 days ago

brokensound77 commented 6 days ago

Link to Rule

https://github.com/elastic/detection-rules/blob/51859e57f3e55b0478056c3be6ee27ea9154a70a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml#L45

Rule Tuning Type

False Negatives - Enhancing detection of true threats that were previously missed.

Description

Tune google_workspace.drive.visibility beyond just people_with_link to include shared_externally. If needed, we can revise the title to include Anonymous or External.

file where event.dataset == "google_workspace.drive" and event.action : ("copy", "view", "download") and
    google_workspace.drive.visibility : ("people_with_link", "shared_externally") and source.user.email == "" and
    file.extension: (
        "token","assig", "pssc", "keystore", "pub", "pgp.asc", "ps1xml", "pem", "gpg.sig", "der", "key",
        "p7r", "p12", "asc", "jks", "p7b", "signature", "gpg", "pgp.sig", "sst", "pgp", "gpgz", "pfx", "crt",
        "p8", "sig", "pkcs7", "jceks", "pkcs8", "psc1", "p7c", "csr", "cer", "spc", "ps2xml")

Example Data

No response
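The following is an added example, not part of the issue or of the elastic/detection-rules repository: a small Python re-implementation of the query's filter, run over constructed google_workspace.drive events, so the difference between the current visibility filter (people_with_link only) and the proposed one (people_with_link or shared_externally) can be seen on concrete records. The event shape (flat dicts keyed by the dotted field names used in the query) and every sample event are assumptions made for illustration; the extension list is copied from the query above.

```python
"""Added example (not project code): evaluate the issue's EQL filter in Python
over constructed google_workspace.drive events to show which events the
original visibility filter misses and the tuned one catches.

Assumption: events are flat dicts keyed by the dotted field names from the
query. Sample events below are constructed, not real audit data.
"""

# file.extension values copied from the query in the issue.
KEY_EXTENSIONS = {
    "token", "assig", "pssc", "keystore", "pub", "pgp.asc", "ps1xml", "pem",
    "gpg.sig", "der", "key", "p7r", "p12", "asc", "jks", "p7b", "signature",
    "gpg", "pgp.sig", "sst", "pgp", "gpgz", "pfx", "crt", "p8", "sig", "pkcs7",
    "jceks", "pkcs8", "psc1", "p7c", "csr", "cer", "spc", "ps2xml",
}

ACTIONS = {"copy", "view", "download"}

# The rule as linked matches only the first value; the issue proposes both.
ORIGINAL_VISIBILITY = {"people_with_link"}
TUNED_VISIBILITY = {"people_with_link", "shared_externally"}


def _ci(value):
    """Lower-case a string for an EQL ':'-style (case-insensitive) comparison.
    A missing field (None) never matches, mirroring EQL null semantics."""
    return value.lower() if isinstance(value, str) else None


def matches(event, visibility):
    """Return True when the event satisfies every condition of the query.

    '==' comparisons are case-sensitive in EQL, ':' comparisons are not, so
    dataset and source.user.email use exact equality while action, visibility
    and extension are compared case-insensitively.
    """
    return (
        event.get("event.dataset") == "google_workspace.drive"
        and _ci(event.get("event.action")) in ACTIONS
        and _ci(event.get("google_workspace.drive.visibility")) in visibility
        # Anonymous actor: the field must be present and empty. A record with
        # no source.user.email at all does not match, as in EQL.
        and event.get("source.user.email") == ""
        and _ci(event.get("file.extension")) in KEY_EXTENSIONS
    )


def run_rule(events, visibility):
    """Return file names of the events that would alert under the given visibility set."""
    return [e["file.name"] for e in events if matches(e, visibility)]


def missed_by_original(events):
    """File names that alert with the tuned filter but not with the original one."""
    original = set(run_rule(events, ORIGINAL_VISIBILITY))
    return [n for n in run_rule(events, TUNED_VISIBILITY) if n not in original]


def _event(name, ext, action, visibility, email=""):
    ev = {
        "event.dataset": "google_workspace.drive", "event.action": action,
        "google_workspace.drive.visibility": visibility,
        "file.name": name, "file.extension": ext,
    }
    if email is not None:          # None means "field absent from the record"
        ev["source.user.email"] = email
    return ev


# Constructed sample events (assumption; not real Google Workspace audit data).
SAMPLE_EVENTS = [
    _event("prod-signing.pem", "pem", "download", "people_with_link"),           # alerts in both
    _event("app.jks", "jks", "view", "shared_externally"),                        # tuned rule only
    _event("budget.xlsx", "xlsx", "download", "shared_externally"),               # not a key file
    _event("deploy.key", "key", "view", "shared_externally", "alice@example.com"),  # authenticated user
    _event("ca.crt", "crt", "download", "people_with_link", email=None),          # email field absent
    _event("wildcard.pfx", "PFX", "DOWNLOAD", "Shared_Externally"),               # case-insensitive ':'
]

if __name__ == "__main__":
    print("original:", run_rule(SAMPLE_EVENTS, ORIGINAL_VISIBILITY))
    print("tuned:   ", run_rule(SAMPLE_EVENTS, TUNED_VISIBILITY))
    print("gained:  ", missed_by_original(SAMPLE_EVENTS))
```

The `ca.crt` record is there as a check worth keeping in mind when validating the tuned query against real data: `source.user.email == ""` only matches when the integration actually emits the field as an empty string for anonymous actors, so confirm that on a known anonymous-access event before relying on either version of the rule.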