elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[New hunt] All file activity by user and action in Google Workspace #4124

Open brokensound77 opened 6 days ago

brokensound77 commented 6 days ago

Description

Explore all file activity by user and event action

Target Huntset

google_workspace

Target hunt Type

ES|QL

Query

// Google Workspace file activity, grouped by file, actor and action
from logs-google_workspace*
// keep only events that carry both a file name and an action
// (ES|QL has no "*" wildcard match in ==; the null checks cover "any file")
| where file.name is not null and event.action is not null
| stats files = count(*) by file.name, user.email, event.action
// rarest combinations first, which is what a hunt wants to surface
| sort files asc

Related issues or PRs

4121

References

No response

Redacted Example Data

No response