
Summary
The GSuite Document External Ownership Transfer rule monitors for the transfer of ownership of GSuite documents to external users. Such a transfer can expose sensitive or private information to parties outside the organization, which is why it warrants a dedicated detection rule. The rule flags ownership transfers that deviate from established operational norms: it inspects the ownership-change events logged under GSuite.ActivityEvent and fires on those where the new owner is an external email address. The associated tests validate this behaviour, confirming that a transfer to an external party is reported while a transfer that stays within the organization is ignored. When an ownership transfer to an external user occurs, the resulting alert prompts further investigation so the organization can assess whether sensitive data is at risk. The rule is currently disabled and requires configuration (at minimum, the organization's own domains) before it can be used effectively in a security monitoring context.
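The following is an added example of the detection logic the summary describes, written here for illustration; it is not the rule's own code. It assumes a Panther-style `rule(event)` entry point, a GSuite Drive activity event whose `parameters` list carries the new owner under the name `new_value` (as either a single `value` or a `multiValue` list), and an `ORG_DOMAINS` placeholder that an operator would replace with their real domains. The sample events at the bottom are constructed for the example.

```python
"""Added example: flag GSuite document ownership transfers to external users.

Field names below (id.applicationName, type, name, parameters[].name/value/
multiValue) are assumptions about the GSuite Drive activity log shape; the
organization domains are a placeholder the operator must configure.
"""

# Placeholder: replace with the organization's real domains before enabling.
ORG_DOMAINS = {"example.com", "corp.example.com"}


def lookup_parameter(parameters, name):
    """Return the value of the named GSuite activity parameter.

    GSuite parameters arrive as a list of {"name": ..., "value": ...} or
    {"name": ..., "multiValue": [...]} entries; normalise both to a list.
    """
    for param in parameters or []:
        if param.get("name") != name:
            continue
        if "multiValue" in param:
            return list(param["multiValue"])
        if "value" in param:
            return [param["value"]]
    return []


def is_external(email):
    """True when the address is not in one of the configured org domains.

    A malformed or empty address is treated as external so a transfer to an
    unparseable owner is surfaced rather than silently dropped.
    """
    if not email or "@" not in email:
        return True
    domain = email.rsplit("@", 1)[1].strip().lower()
    return domain not in ORG_DOMAINS


def rule(event):
    """Fire only on Drive ownership changes whose new owner is external."""
    if (event.get("id") or {}).get("applicationName") != "drive":
        return False
    if event.get("type") != "access" or event.get("name") != "change_owner":
        return False
    new_owners = lookup_parameter(event.get("parameters"), "new_value")
    if not new_owners:
        return False  # no new owner recorded; nothing to evaluate
    return any(is_external(owner) for owner in new_owners)


def title(event):
    """Alert title naming the actor, document and new owner."""
    actor = (event.get("actor") or {}).get("email", "<unknown actor>")
    doc = lookup_parameter(event.get("parameters"), "doc_title") or ["<untitled>"]
    new_owner = lookup_parameter(event.get("parameters"), "new_value") or ["<unknown>"]
    return f"GSuite document [{doc[0]}] ownership transferred by {actor} to {new_owner[0]}"


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {   # external transfer: should fire
        "id": {"applicationName": "drive"}, "type": "access", "name": "change_owner",
        "actor": {"email": "alice@example.com"},
        "parameters": [
            {"name": "doc_title", "value": "Q3 Board Deck"},
            {"name": "new_value", "value": "someone@partner-mail.invalid"},
        ],
    },
    {   # internal transfer (different case, org subdomain): should not fire
        "id": {"applicationName": "drive"}, "type": "access", "name": "change_owner",
        "actor": {"email": "alice@example.com"},
        "parameters": [{"name": "new_value", "value": "Bob@Corp.Example.com"}],
    },
    {   # same parameters but a non-ownership event: should not fire
        "id": {"applicationName": "drive"}, "type": "access", "name": "view",
        "parameters": [{"name": "new_value", "value": "someone@partner-mail.invalid"}],
    },
    {   # multiValue form with one external recipient: should fire
        "id": {"applicationName": "drive"}, "type": "access", "name": "change_owner",
        "parameters": [{"name": "new_value",
                        "multiValue": ["bob@example.com", "eve@outside.invalid"]}],
    },
]


def evaluate_samples():
    """Run the rule over the constructed events; returns a list of booleans."""
    return [rule(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, fired in zip(SAMPLE_EVENTS, evaluate_samples()):
        print(fired, "->", title(event) if fired else "no alert")
```

The domain comparison is case-insensitive and exact, so an address at a look-alike domain is treated as external; the event-type and event-name checks come first so that unrelated Drive activity carrying a `new_value` parameter never reaches the ownership logic.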
Categories
- Cloud
- Application
- Identity Management
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1213
Created: 2022-09-02