The Google Workspace Cloud Search feature allows for more thorough searching. It may be possible to detect attempts to Discover or Exfil based on certain search terms targeting sensitive or lucrative files (or similar patterns).
It looks like it is possible to log search parameters (specifically for cloud search application), as logging for seems to exist. The possible event.action could include search, suggest, or list query sources.
Need to figure out:
are there any subscription or license prerequisites (if so, annotate in the rule)
are there any additional required steps to configure from the GW side
are they any additional required steps to configure from the integration side
Target Ruleset
google_workspace
Target Rule Type
Custom (KQL or Lucene)
Tested ECS Version
No response
Query
TBD
New fields required in ECS/data sources for this rule?
brokensound77
commented
6 days ago
Description
The Google Workspace Cloud Search feature allows for more thorough searching. It may be possible to detect attempts to
DiscoverorExfilbased on certain search terms targeting sensitive or lucrative files (or similar patterns).It looks like it is possible to log search parameters (specifically for cloud search application), as logging for seems to exist. The possible
event.actioncould includesearch,suggest, orlist query sources.Need to figure out:
Target Ruleset
google_workspace
Target Rule Type
Custom (KQL or Lucene)
Tested ECS Version
No response
Query
TBD
New fields required in ECS/data sources for this rule?
No response
Related issues or PRs
No response
References
No response
Redacted Example Data
No response