elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[New hunt] All files accessed by user in Google Workspace #4121

Open brokensound77 opened 6 days ago

brokensound77 commented 6 days ago

Description

Explore all files accessed via view or download by a user, within google workspace.

Target Huntset

google_workspace

Target hunt Type

ES|QL

Query

from logs-google_workspace*
// keep only view/download events that actually carry a file name;
// the `and` binds tighter than `or`, so an extra `or file.name == "*"` clause
// would let events through that skip the action filter
| where file.name is not null and event.action in ("view", "download")
| stats files=count(*) by file.name, user.email
| sort files asc

Could potentially scope further to drive if needed

Related issues or PRs

No response

References

No response

Redacted Example Data

No response
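The hunt above, re-implemented offline in Python so the filter and aggregation can be checked against a handful of events before it is run in Kibana. This is an added example and is not code from the issue or from the detection-rules repository. The events are constructed, not real Google Workspace telemetry, and the use of `event.provider` to scope the hunt to Drive (the "scope further to drive" idea in the issue) is an assumption about the integration's field mapping, not something the issue states.

```python
"""Offline emulation of the 'all files accessed by user' Google Workspace hunt.

Mirrors the ES|QL pipeline:
  where file.name is not null and event.action in ("view", "download")
  stats files=count(*) by file.name, user.email
  sort files asc
"""
from collections import Counter
from typing import Any, Dict, Iterable, List, Optional, Tuple

# Constructed sample events in ECS-style nested form (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"event": {"action": "view", "provider": "drive"},
     "file": {"name": "q3-forecast.xlsx"}, "user": {"email": "alice@example.com"}},
    {"event": {"action": "download", "provider": "drive"},
     "file": {"name": "q3-forecast.xlsx"}, "user": {"email": "alice@example.com"}},
    {"event": {"action": "download", "provider": "drive"},
     "file": {"name": "q3-forecast.xlsx"}, "user": {"email": "alice@example.com"}},
    {"event": {"action": "view", "provider": "drive"},
     "file": {"name": "offer-letter.pdf"}, "user": {"email": "bob@example.com"}},
    # edit is not a view/download, so it must be excluded
    {"event": {"action": "edit", "provider": "drive"},
     "file": {"name": "offer-letter.pdf"}, "user": {"email": "bob@example.com"}},
    # login event with no file.name at all, must be excluded
    {"event": {"action": "login_success", "provider": "login"},
     "user": {"email": "bob@example.com"}},
    # a file-bearing event from another application (constructed), kept unless
    # the hunt is scoped to a single provider
    {"event": {"action": "download", "provider": "gmail"},
     "file": {"name": "invoice.pdf"}, "user": {"email": "carol@example.com"}},
]


def get_field(event: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Resolve an ECS dotted field name (e.g. 'file.name') in a nested dict.

    Returns None when any segment is missing, which is how the ES|QL
    `is not null` check behaves for absent fields.
    """
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def hunt_files_accessed(
    events: Iterable[Dict[str, Any]],
    actions: Tuple[str, ...] = ("view", "download"),
    provider: Optional[str] = None,
) -> List[Tuple[str, Optional[str], int]]:
    """Return (file.name, user.email, count) rows, ascending by count.

    `provider` is an optional extra filter on event.provider; treating that
    field as the Workspace application name is an assumption of this example.
    """
    counts: Counter = Counter()
    for ev in events:
        name = get_field(ev, "file.name")
        action = get_field(ev, "event.action")
        # `where file.name is not null and event.action in (...)`
        if name is None or action not in actions:
            continue
        if provider is not None and get_field(ev, "event.provider") != provider:
            continue
        # `stats files=count(*) by file.name, user.email`
        counts[(name, get_field(ev, "user.email"))] += 1
    # `sort files asc`; ties broken by name/email so output is deterministic
    return sorted(
        ((name, email, n) for (name, email), n in counts.items()),
        key=lambda row: (row[2], row[0], row[1] or ""),
    )


if __name__ == "__main__":
    for name, email, n in hunt_files_accessed(SAMPLE_EVENTS):
        print(f"{n:>3}  {email:<20}  {name}")
```

Running it lists one row per (file, user) pair with the edit and login events dropped; passing `provider="drive"` additionally drops the constructed Gmail attachment row, which is the kind of narrowing the "scope further to drive" note in the issue would give.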