Detection rules › Panther
External GSuite File Share
An employee shared a sensitive file externally with another organization
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Collection | T1213 Data from Information Repositories |
Rule body

```yaml
AnalysisType: rule
Filename: gsuite_drive_external_share.py
RuleID: "GSuite.Drive.ExternalFileShare"
DisplayName: "External GSuite File Share"
Enabled: false
LogTypes:
  - GSuite.ActivityEvent
Tags:
  - GSuite
  - Security Control
  - Configuration Required
  - Collection:Data from Information Repositories
Reports:
  MITRE ATT&CK:
    - TA0009:T1213
Severity: High
Description: An employee shared a sensitive file externally with another organization
Runbook: |
  Contact the employee who made the share and make sure they redact the access.
  If the share was legitimate, add to the EXCEPTION_PATTERNS in the detection.
Reference: https://support.google.com/docs/answer/2494822?hl=en&co=GENIE.Platform%3DiOS&sjid=864417124752637253-EU
Tests:
  - Name: Dangerous Share of Known Document with a Missing User
    LogType: GSuite.ActivityEvent
    ExpectedResult: true
    Log:
      {
        "kind": "admin#reports#activity",
        "id":
          {
            "time": "2020-09-07T15:50:49.617Z",
            "uniqueQualifier": "1111111111111111111",
            "applicationName": "drive",
            "customerId": "C010qxghg",
          },
        "actor":
          { "email": "example@acme.com", "profileId": "1111111111111111111" },
        "type": "acl_change",
        "name": "change_user_access",
        "parameters":
          {
            "primary_event": true,
            "visibility_change": "external",
            "target_user": "outside@acme.com",
            "old_visibility": "private",
            "doc_id": "1111111111111111111",
            "doc_type": "document",
            "doc_title": "1 Document Title Primary",
            "visibility": "shared_externally",
            "originating_app_id": "1111111111111111111",
            "owner_is_shared_drive": false,
            "owner_is_team_drive": false,
            "old_value": ["none"],
            "new_value": ["can_edit"],
          },
        "p_log_type": "GSuite.ActivityEvent",
      }
  - Name: Dangerous Share of Unknown Document
    LogType: GSuite.ActivityEvent
    ExpectedResult: true
    Log:
      {
        "kind": "admin#reports#activity",
        "id":
          {
            "time": "2020-09-07T15:50:49.617Z",
            "uniqueQualifier": "1111111111111111111",
            "applicationName": "drive",
            "customerId": "C010qxghg",
          },
        "actor":
          { "email": "example@acme.com", "profileId": "1111111111111111111" },
        "type": "acl_change",
        "name": "change_user_access",
        "parameters":
          {
            "primary_event": true,
            "visibility_change": "external",
            "target_domain": "external.com",
            "old_visibility": "private",
            "doc_id": "1111111111111111111",
            "doc_type": "document",
            "doc_title": "Untitled document",
            "visibility": "shared_externally",
            "originating_app_id": "1111111111111111111",
            "owner_is_shared_drive": false,
            "owner_is_team_drive": false,
            "old_value": ["none"],
            "new_value": ["can_edit"],
          },
        "p_log_type": "GSuite.ActivityEvent",
      }
  - Name: Share Allowed by Exception
    LogType: GSuite.ActivityEvent
    ExpectedResult: false
    Log:
      {
        "kind": "admin#reports#activity",
        "id":
          {
            "time": "2020-07-07T15:50:49.617Z",
            "uniqueQualifier": "1111111111111111111",
            "applicationName": "drive",
            "customerId": "C010qxghg",
          },
        "actor":
          { "email": "alice@acme.com", "profileId": "1111111111111111111" },
        "type": "acl_change",
        "name": "change_user_access",
        "parameters":
          {
            "primary_event": true,
            "billable": true,
            "visibility_change": "external",
            "target_user": "samuel@abc.com",
            "old_visibility": "private",
            "doc_id": "1111111111111111111",
            "doc_type": "document",
            "doc_title": "1 Document Title Pattern",
            "visibility": "shared_externally",
            "originating_app_id": "1111111111111111111",
            "owner_is_shared_drive": false,
            "owner_is_team_drive": false,
            "old_value": ["none"],
            "new_value": ["people_within_domain_with_link"],
          },
        "p_log_type": "GSuite.ActivityEvent",
      }
  - Name: Share Allowed by Exception - 2
    LogType: GSuite.ActivityEvent
    ExpectedResult: false
    Log:
      {
        "kind": "admin#reports#activity",
        "id":
          {
            "time": "2020-07-07T15:50:49.617Z",
            "uniqueQualifier": "1111111111111111111",
            "applicationName": "drive",
            "customerId": "C010qxghg",
          },
        "actor":
          { "email": "alice@abc.com", "profileId": "1111111111111111111" },
        "type": "acl_change",
        "name": "change_user_access",
        "parameters":
          {
            "primary_event": true,
            "billable": true,
            "visibility_change": "external",
            "target_user": "samuel@acme.com",
            "old_visibility": "private",
            "doc_id": "1111111111111111111",
            "doc_type": "document",
            "doc_title": "2 Document Title Pattern",
            "visibility": "shared_externally",
            "originating_app_id": "1111111111111111111",
            "owner_is_shared_drive": false,
            "owner_is_team_drive": false,
            "old_value": ["none"],
            "new_value": ["people_within_domain_with_link"],
          },
        "p_log_type": "GSuite.ActivityEvent",
      }
```
Detection logic
Condition
id.applicationName eq "drive"
type eq "acl_change"
parameters.visibility eq "shared_externally"
parameters.old_visibility eq "private"
This rule also runs imperative logic the parser cannot express as a filter; the conditions above are the structured part it could extract.
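The Python body referenced by `Filename: gsuite_drive_external_share.py` is not shown on this page. The block below is an added example written for this page, not Panther's own detection: it applies the four structured conditions listed above and then one possible shape of the `EXCEPTION_PATTERNS` mechanism the runbook mentions. The exception table format, the `deep_get` stand-in (Panther ships its own helper), the `_event` builder and the condensed `TEST_EVENTS` are all assumptions constructed here; the four events mirror the rule body's tests, so `run_tests()` can be compared with each `ExpectedResult`.

```python
import fnmatch

# Constructed exception table (hypothetical format, not Panther's). Keys are
# case-insensitive glob patterns over doc_title; values list who may send and
# who may receive, as full e-mail addresses or bare domains.
EXCEPTION_PATTERNS = {
    "* document title p*": {
        "allowed_to_send": {"alice@acme.com", "alice@abc.com"},
        "allowed_to_receive": {"samuel@abc.com", "samuel@acme.com"},
    },
}

def deep_get(obj, *keys, default=None):
    """Stand-in for Panther's deep_get helper so the block runs on plain dicts."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key)
    return default if obj is None else obj

def _is_allowed(identity, allowlist):
    """identity is an e-mail or a bare domain; accept the whole value or its domain."""
    identity = identity.lower()
    domain = identity.rsplit("@", 1)[-1]
    allowed = {entry.lower() for entry in allowlist}
    return identity in allowed or domain in allowed

def _recipient(event):
    """GSuite records the external party either as a user or as a whole domain."""
    params = deep_get(event, "parameters", default={})
    return params.get("target_user") or params.get("target_domain") or ""

def _share_is_excepted(event):
    """True only when a pattern matches the title AND both parties are listed."""
    doc_title = deep_get(event, "parameters", "doc_title", default="").lower()
    sender = deep_get(event, "actor", "email", default="")
    recipient = _recipient(event)
    if not sender or not recipient:
        return False  # an exception needs both sides identified
    for pattern, allow in EXCEPTION_PATTERNS.items():
        if (fnmatch.fnmatchcase(doc_title, pattern.lower())
                and _is_allowed(sender, allow["allowed_to_send"])
                and _is_allowed(recipient, allow["allowed_to_receive"])):
            return True
    return False

def rule(event):
    """Rule entry point: True means alert. The four checks mirror the Condition section."""
    structured = (
        deep_get(event, "id", "applicationName") == "drive"
        and event.get("type") == "acl_change"
        and deep_get(event, "parameters", "visibility") == "shared_externally"
        and deep_get(event, "parameters", "old_visibility") == "private"
    )
    return structured and not _share_is_excepted(event)

def title(event):
    """Alert title from the fields an analyst wants first."""
    sender = deep_get(event, "actor", "email", default="<unknown>")
    doc = deep_get(event, "parameters", "doc_title", default="<untitled>")
    return f"User [{sender}] shared [{doc}] externally with [{_recipient(event) or '<unknown>'}]"

def _event(actor, doc_title, **target):
    """Build a minimal GSuite.ActivityEvent shaped like the page's test logs (constructed)."""
    params = {"visibility_change": "external", "old_visibility": "private",
              "doc_title": doc_title, "visibility": "shared_externally", **target}
    return {"id": {"applicationName": "drive"}, "actor": {"email": actor},
            "type": "acl_change", "name": "change_user_access", "parameters": params}

# The page's four test cases, condensed to the fields the rule reads.
TEST_EVENTS = {
    "Dangerous Share of Known Document with a Missing User":
        _event("example@acme.com", "1 Document Title Primary", target_user="outside@acme.com"),
    "Dangerous Share of Unknown Document":
        _event("example@acme.com", "Untitled document", target_domain="external.com"),
    "Share Allowed by Exception":
        _event("alice@acme.com", "1 Document Title Pattern", target_user="samuel@abc.com"),
    "Share Allowed by Exception - 2":
        _event("alice@abc.com", "2 Document Title Pattern", target_user="samuel@acme.com"),
}

def run_tests():
    """Return {test name: rule() result} to compare with each ExpectedResult."""
    return {name: rule(event) for name, event in TEST_EVENTS.items()}

if __name__ == "__main__":
    for name, fired in run_tests().items():
        print(f"{'ALERT' if fired else 'ok   '}  {name}")
```

The design point is that an exception needs a matching title and a listed sender and a listed recipient; a known document title on its own never silences the rule, which is exactly what the first test ("Known Document with a Missing User") exercises. Adding a counterparty to an allowlist is therefore a deliberate configuration change that shows up in version control, in line with the "Configuration Required" tag on the rule.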
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| id.applicationName | eq | "drive" |
| parameters.old_visibility | eq | "private" |
| parameters.visibility | eq | "shared_externally" |
| type | eq | "acl_change" |