Description
Explore all sensitive files accessed by users, based on defined parameters
Target Huntset
google_workspace
Target hunt Type
ES|QL
Query
from logs-google_workspace*
// keep only view/download events that carry a file name
| where file.name is not null and event.action in ("view", "download") and
(
  // expand to known patterns
  to_lower(file.name) like "*password*" or
  to_lower(file.name) like "*sensitive*" or
  to_lower(file.name) like "*cred*" or
  to_lower(file.name) like "*private*" or
  to_lower(file.name) like "*secret*"
)
// count matching events per file, user and action
| stats files=count(*) by file.name, user.email, event.action
Related issues or PRs
4121
References
No response
Redacted Example Data
No response
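The filter and aggregation of the query above, emulated in Python over constructed events so the matching behaviour can be checked offline. This is an added example, not part of the original issue; the sample events and the helper names `matches` and `hunt` are assumptions. It also shows that the substring pattern `*cred*` matches unrelated names such as `Accreditation-2024.pdf`, which is the kind of result to expect when triaging the hunt output.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Patterns and actions copied from the hunt query.
PATTERNS = ["*password*", "*sensitive*", "*cred*", "*private*", "*secret*"]
ACTIONS = {"view", "download"}


def matches(event):
    """Mirror the WHERE clause: non-null file.name, wanted action, keyword hit."""
    name = event.get("file.name")
    if name is None or event.get("event.action") not in ACTIONS:
        return False
    lowered = name.lower()  # equivalent of to_lower(file.name)
    return any(fnmatchcase(lowered, pattern) for pattern in PATTERNS)


def hunt(events):
    """Mirror STATS files=count(*) BY file.name, user.email, event.action."""
    return Counter(
        (e["file.name"], e["user.email"], e["event.action"])
        for e in events
        if matches(e)
    )


# Constructed sample events (not real Google Workspace data).
SAMPLE = [
    {"file.name": "Prod-Passwords.xlsx", "user.email": "alice@example.com", "event.action": "download"},
    {"file.name": "Prod-Passwords.xlsx", "user.email": "alice@example.com", "event.action": "download"},
    # Benign name that still hits the "*cred*" substring pattern.
    {"file.name": "Accreditation-2024.pdf", "user.email": "bob@example.com", "event.action": "view"},
    # Keyword hit, but the action is outside ("view", "download").
    {"file.name": "Prod-Passwords.xlsx", "user.email": "carol@example.com", "event.action": "edit"},
    # No file name on the event: dropped by the "is not null" check.
    {"file.name": None, "user.email": "dave@example.com", "event.action": "view"},
    # Wanted action, no keyword in the name.
    {"file.name": "roadmap.docx", "user.email": "erin@example.com", "event.action": "view"},
]

if __name__ == "__main__":
    for (name, email, action), files in hunt(SAMPLE).items():
        print(f"{files}\t{name}\t{email}\t{action}")
```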