Detection rules › Panther
GSuite External Drive Document
A Google drive resource became externally accessible.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Collection | T1213 Data from Information Repositories |
Rule body yaml
AnalysisType: rule
Filename: gsuite_drive_visibility_change.py
RuleID: "GSuite.DriveVisibilityChanged"
DisplayName: "GSuite External Drive Document"
Enabled: false
LogTypes:
- GSuite.ActivityEvent
Tags:
- GSuite
- Collection:Data from Information Repositories
- Configuration Required
Reports:
MITRE ATT&CK:
- TA0009:T1213
Severity: Low
Description: >
A Google drive resource became externally accessible.
Reference: https://support.google.com/a/users/answer/12380484?hl=en&sjid=864417124752637253-EU
Runbook: >
Investigate whether the drive document is appropriate to be publicly accessible.
SummaryAttributes:
- actor:email
DedupPeriodMinutes: 360 # 6 hours
Tests:
- Name: Access Event
ExpectedResult: false
Log:
{
"p_log_type": "GSuite.ActivityEvent",
"p_row_id": "111222",
"actor": {
"email": "bobert@example.com"
},
"id": {
"applicationName": "drive"
},
"type": "access",
"name": "upload"
}
- Name: ACL Change without Visibility Change
ExpectedResult: false
Log:
{
"p_log_type": "GSuite.ActivityEvent",
"p_row_id": "111222",
"actor": {
"email": "bobert@example.com"
},
"id": {
"applicationName": "drive"
},
"type": "acl_change",
"name": "shared_drive_settings_change"
}
- Name: Doc Became Public - Link (Unrestricted)
ExpectedResult: true
Log:
{
"p_log_type": "GSuite.ActivityEvent",
"p_row_id": "111222",
"actor": {
"email": "bobert@gmail.com"
},
"id": {
"applicationName": "drive"
},
"type": "acl_change",
"name": "change_document_visibility",
"parameters": {
"visibility_change": "external",
"doc_title": "my shared document",
"target_domain": "all",
"visibility": "people_with_link",
"new_value": [
"people_with_link"
]
}
}
- Name: Doc Became Public - Link (Allowlisted Domain Not Configured)
ExpectedResult: true
Log:
{
"p_log_type": "GSuite.ActivityEvent",
"p_row_id": "111222",
"actor": {
"email": "bobert@example.com"
},
"id": {
"applicationName": "drive"
},
"type": "acl_change",
"name": "change_document_visibility",
"parameters": {
"visibility_change": "external",
"doc_title": "my shared document",
"target_domain": "example.com",
"visibility": "people_within_domain_with_link",
"new_value": [
"people_with_link"
]
}
}
- Name: Doc Became Public - Link (Allowlisted Domain Is Configured)
ExpectedResult: false
Mocks:
- objectName: ALLOWED_DOMAINS
returnValue: "[\n \"example.com\"\n]"
Log:
{
"p_log_type": "GSuite.ActivityEvent",
"p_row_id": "111222",
"actor": {
"email": "bobert@example.com"
},
"id": {
"applicationName": "drive"
},
"type": "acl_change",
"name": "change_document_visibility",
"parameters": {
"visibility_change": "external",
"doc_title": "my shared document",
"target_domain": "example.com",
"visibility": "people_within_domain_with_link",
"new_value": [
"people_with_link"
]
}
}
- Name: Doc Became Private - Link
ExpectedResult: false
Log:
{
"p_log_type": "GSuite.ActivityEvent",
"p_row_id": "111222",
"actor": {
"email": "bobert@example.com"
},
"id": {
"applicationName": "drive"
},
"type": "acl_change",
"name": "change_document_visibility",
"parameters": {
"visibility_change": "external",
"doc_title": "my shared document",
"target_domain": "all",
"visibility": "people_with_link",
"new_value": [
"private"
]
}
}
- Name: Doc Became Public - User
ExpectedResult: true
Log:
{
"p_log_type": "GSuite.ActivityEvent",
"actor": {
"email": "bobert@example.com"
},
"id": {
"applicationName": "drive"
},
"kind": "admin#reports#activity",
"ipAddress": "1.1.1.1",
"type": "acl_change",
"name": "change_user_access",
"parameters": {
"primary_event": true,
"visibility_change": "external",
"target_user": "someone@random.com",
"old_value": [
"none"
],
"new_value": [
"can_view"
],
"old_visibility": "people_within_domain_with_link",
"doc_title": "Hosted Accounts",
"visibility": "shared_externally"
}
}
- Name: Doc Became Public - User (Multiple)
ExpectedResult: true
Log:
{
"p_log_type": "GSuite.ActivityEvent",
"actor": {
"email": "bobert@example.com"
},
"id": {
"applicationName": "drive"
},
"kind": "admin#reports#activity",
"ipAddress": "1.1.1.1",
"type": "acl_change",
"name": "change_user_access",
"parameters": {
"primary_event": true,
"visibility_change": "external",
"target_user": "someone@random.com",
"old_value": [
"none"
],
"new_value": [
"can_view"
],
"old_visibility": "people_within_domain_with_link",
"doc_title": "Hosted Accounts",
"visibility": "shared_externally"
}
}
- Name: Doc Inherits Folder Permissions
ExpectedResult: false
Log:
{
"p_log_type": "GSuite.ActivityEvent",
"p_row_id": "111222",
"actor": {
"email": "bobert@example.com"
},
"id": {
"applicationName": "drive"
},
"type": "acl_change",
"name": "change_user_access_hierarchy_reconciled",
"parameters": {
"visibility_change": "internal"
}
}
- Name: Doc Inherits Folder Permissions - Sharing Link
ExpectedResult: false
Log:
{
"p_log_type": "GSuite.ActivityEvent",
"p_row_id": "111222",
"actor": {
"email": "bobert@example.com"
},
"id": {
"applicationName": "drive"
},
"type": "acl_change",
"name": "change_document_access_scope_hierarchy_reconciled",
"parameters": {
"visibility_change": "internal"
}
}
- Name: Doc Became Public - Public email provider
ExpectedResult: true
Log:
{
"p_log_type": "GSuite.ActivityEvent",
"actor": {
"email": "bobert@example.com"
},
"id": {
"applicationName": "drive"
},
"kind": "admin#reports#activity",
"ipAddress": "1.1.1.1",
"type": "acl_change",
"name": "change_user_access",
"parameters": {
"primary_event": true,
"visibility_change": "external",
"target_user": "someone@yandex.com",
"old_value": [
"none"
],
"new_value": [
"can_view"
],
"old_visibility": "people_within_domain_with_link",
"doc_title": "Hosted Accounts",
"visibility": "shared_externally"
}
}
- Name: Doc Shared With Multiple Users All From ALLOWED_DOMAINS
ExpectedResult: false
Mocks:
- objectName: ALLOWED_DOMAINS
returnValue: "[\n \"example.com\", \"notexample.com\"\n]"
Log:
{
"p_log_type": "GSuite.ActivityEvent",
"actor": {
"email": "bobert@example.com"
},
"id": {
"applicationName": "drive"
},
"kind": "admin#reports#activity",
"ipAddress": "1.1.1.1",
"type": "acl_change",
"name": "change_user_access",
"parameters": {
"primary_event": true,
"visibility_change": "external",
"target_user": "someone@notexample.com",
"old_value": [
"none"
],
"new_value": [
"can_view"
],
"old_visibility": "people_within_domain_with_link",
"doc_title": "Hosted Accounts",
"visibility": "shared_externally"
}
}
Detection logic
Condition
id.applicationName eq "drive"
name not in ["change_user_access_hierarchy_reconciled", "change_document_access_scope_hierarchy_reconciled"]
(type eq "acl_change" and name eq "change_document_visibility") or (type eq "acl_change" and name eq "change_user_access")
This rule also runs imperative logic the parser cannot express as a filter; the conditions above are the structured part it could extract.
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
name | in | change_document_access_scope_hierarchy_reconciled, change_user_access_hierarchy_reconciled |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
id.applicationName | eq |
|
name | eq |
|
type | eq |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
email | actor.email |