Google Drive
Communication and Collaboration
Google Drive - Cloud storage integrated with Google Workspace.
Detection Rules for Google Drive
These detection rules for Google Drive focus on identifying suspicious activity and potential data exfiltration attempts in cloud storage, ensuring secure access and monitoring for unusual behavior across file sharing, downloads, and access patterns. They are designed to help secure sensitive information by detecting unauthorized access, malware, and high-risk activity involving shared files and third-party applications.
Provider: Dropbox
Detection Rule | MITRE Tactic | MITRE Technique | Criticality
---|---|---|---
Unauthorized File Access | Credential Access | T1078 - Valid Accounts | High
File Sharing Outside Organization | Exfiltration | T1071.001 - Application Layer Protocol: Web Protocols | Critical
Malicious File Uploads | Execution | T1203 - Exploitation for Client Execution | High
Large Volume File Downloads | Exfiltration | T1041 - Exfiltration Over Command and Control Channel | High
Anomalous Activity from Service Accounts | Discovery | T1071.001 - Application Layer Protocol: Web Protocols | High
Suspicious File Type Usage | Execution | T1203 - Exploitation for Client Execution | Medium
Unusual Login Activity | Credential Access | T1078 - Valid Accounts | High
File Versioning Changes | Defense Evasion | T1562.001 - Impair Defenses: Disable or Modify Tools | Medium
Accessing Sensitive Documents | Discovery | T1087 - Account Discovery | Critical
Phishing via Shared Files | Initial Access | T1566 - Phishing | Critical
APIs and Their Scopes
Detection Name | API Required | Scope Required | Usage
---|---|---|---
Unauthorized File Access | Google Drive API | https://www.googleapis.com/auth/drive.activity.readonly | Access to audit file activity logs for detecting unauthorized file access. |
File Sharing Outside Organization | Google Drive API | https://www.googleapis.com/auth/drive.metadata.readonly | Access to file metadata and permissions to track file sharing details. |
Malicious File Uploads | Google Drive API, VirusTotal API | https://www.googleapis.com/auth/drive.file, API Key (VirusTotal) | Analyzes files uploaded to Google Drive and checks for malware signatures. |
Large Volume File Downloads | Google Drive API | https://www.googleapis.com/auth/drive.activity.readonly | Monitors file download activities for anomalies in download volume. |
Anomalous Activity from Service Accounts | Google Drive API, Google Admin SDK | https://www.googleapis.com/auth/drive.activity.readonly, https://www.googleapis.com/auth/admin.reports.audit.readonly | Reviews audit logs for unusual activity in service accounts, such as access times and patterns. |
Suspicious File Type Usage | Google Drive API | https://www.googleapis.com/auth/drive.metadata.readonly | Monitors file types uploaded to Google Drive to check for suspicious files. |
Unusual Login Activity | Google Identity API | https://www.googleapis.com/auth/admin.reports.audit.readonly | Audits login activities and patterns for irregularities in user behavior. |
File Versioning Changes | Google Drive API | https://www.googleapis.com/auth/drive.metadata.readonly | Accesses file version history to monitor unauthorized changes. |
Accessing Sensitive Documents | Google Drive API | https://www.googleapis.com/auth/drive.metadata.readonly | Tracks access to sensitive documents and files. |
Phishing via Shared Files | Google Drive API, VirusTotal API | https://www.googleapis.com/auth/drive.metadata.readonly, API Key (VirusTotal) | Analyzes shared files for potential phishing links and malicious URLs. |
Reports and Widgets for CISO
Report Name | Widgets | Description
---|---|---
Unauthorized Access Report | Bar Chart: Access by User; Line Chart: Failed Login Attempts; Map Widget: Geolocation of Access | Tracks unauthorized access to files and login attempts across geolocations.
File Sharing Activity Report | Pie Chart: Files Shared Externally; Table: Most Shared Files; Bar Chart: Top External Domains | Monitors file sharing activities, especially those shared outside the organization.
File Download & Upload Anomalies | Bar Chart: Large File Downloads; List View: Suspicious Uploads; Heatmap: Data Transfer Volumes | Tracks abnormal file upload/download volumes and highlights anomalies.
Sensitive Document Access Report | Table: Sensitive Files Accessed; Bar Chart: Top Users Accessing Sensitive Files | Shows access to sensitive documents and identifies top users involved.
Service Account Activity Report | Bar Chart: Number of changes made to direct deposit information; Table: Details of Changes (User, Old Value, New Value) | Provides insights into any changes made to direct deposit information.
File Versioning & Changes Report | Table: Recent File Version Changes; Bar Chart: Files with Most Changes | Highlights unusual file version changes, including those done outside normal workflows.
Phishing and Malware Report | List View: Flagged Files; Pie Chart: Files with Malware/Phishing Links | Displays files flagged for phishing or malware and categorizes them by type.
User Activity Report | Bar Chart: Active vs Inactive Users; Table: Top Users by Activity | Monitors user activity trends and highlights the most active users.
External Collaborator Activity Report | Bar Chart: Top External Collaborators; Table: Files Accessed by External Users | Shows external collaborators' activity, especially file accesses and modifications.
Suspicious File Type Usage Report | Pie Chart: Most Used File Types; List View: Flagged File Types | Monitors unusual file types uploaded or downloaded, highlighting suspicious activity.