medium
advisory
Google Workspace Drive Data Transfer or Takeout Export Initiated
2 rules, 2 TTPs. This rule detects when Google Workspace administrators initiate bulk movement or export of user Drive data, including admin data transfer requests and Customer Takeout export jobs, which can be abused by adversaries with administrative access to stage or exfiltrate sensitive files.
Google Workspace
google_workspace
data_exfiltration
cloud
medium
advisory
Google Workspace Device Registration Burst for Single User
1 rule, 3 TTPs. Detects bursts of Google Workspace device registration events for a single user exceeding three distinct device registrations within one minute, which is indicative of AiTM phishing or stolen OAuth token replay attacks.
Google Workspace
google_workspace
device_registration
persistence
initial_access
credential_access
medium
advisory
Google Workspace User Sign-in from Atypical Device Type
2 rules, 2 TTPs. This rule detects when a Google Workspace user authenticates from a device type that hasn't been observed for that user in the past 14 days, potentially indicating account compromise via AiTM kits or stolen OAuth refresh tokens.
Google Workspace
google_workspace
persistence
account_compromise
device_registration