
Summary
This detection rule identifies events in which a user or an administrator modifies a GSuite calendar’s sharing settings to make it public. It uses GSuite Activity Event logs to monitor changes to calendar ACLs (Access Control Lists). The rule primarily focuses on the event types related to calendar sharing settings, capturing both public sharing and the reverting of settings back to private. The detection matters because public calendar events could expose sensitive company information to outsiders. The rule covers five critical tests: a user publicly sharing a calendar, a user changing a calendar back to private, and an administrator altering default calendar sharing settings. Alerts generated by this rule should prompt a follow-up with the user to ensure compliance with data privacy policies.
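A sketch of the matching logic described above, run over constructed events. This is an added example, not the rule's own code. The flattened record shape, the event name `change_calendar_acls`, the `grantee_email` and `access_level` parameters, and the public-principal address are all assumptions.

```python
# Added example. Field names, the event name, the access-level value and the
# public-grantee address are assumptions about the log shape, not page content.
PUBLIC_GRANTEE = "__public_principal__@public.calendar.google.com"  # assumed
ACL_CHANGE_EVENT = "change_calendar_acls"  # assumed
NO_ACCESS = "none"  # assumed value meaning the grant was removed


def calendar_made_public(event):
    """True when a calendar ACL change grants the public principal access."""
    if (event.get("id") or {}).get("applicationName") != "calendar":
        return False  # e.g. admin-console setting changes are out of scope
    if event.get("name") != ACL_CHANGE_EVENT:
        return False
    params = event.get("parameters") or {}
    if str(params.get("grantee_email") or "").lower() != PUBLIC_GRANTEE:
        return False  # shared with a named account, not the public
    # Removing the public grant (calendar set back to private) must not alert.
    return str(params.get("access_level") or "").lower() != NO_ACCESS


def alert_lines(events):
    """One follow-up line per public-share event: who shared which calendar."""
    lines = []
    for e in events:
        if calendar_made_public(e):
            actor = (e.get("actor") or {}).get("email", "<unknown actor>")
            cal = (e.get("parameters") or {}).get("calendar_id", "<unknown>")
            lines.append(f"{actor} made calendar {cal} public")
    return lines


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"id": {"applicationName": "calendar"}, "actor": {"email": "alice@example.com"},
     "name": "change_calendar_acls",
     "parameters": {"calendar_id": "team-cal@example.com",
                    "grantee_email": PUBLIC_GRANTEE, "access_level": "read"}},
    {"id": {"applicationName": "calendar"}, "actor": {"email": "alice@example.com"},
     "name": "change_calendar_acls",
     "parameters": {"calendar_id": "team-cal@example.com",
                    "grantee_email": PUBLIC_GRANTEE, "access_level": "none"}},
    {"id": {"applicationName": "calendar"}, "actor": {"email": "bob@example.com"},
     "name": "change_calendar_acls",
     "parameters": {"calendar_id": "bob-cal@example.com",
                    "grantee_email": "carol@example.com", "access_level": "editor"}},
    {"id": {"applicationName": "admin"}, "actor": {"email": "admin@example.com"},
     "name": "CHANGE_CALENDAR_SETTING", "parameters": {}},
]

if __name__ == "__main__":
    print("\n".join(alert_lines(SAMPLE_EVENTS)))
```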
Categories
- Cloud
- Web
- Application
Data Sources
- User Account
- Application Log
- Web Credential
ATT&CK Techniques
- T1087
Created: 2022-12-13