Google Workspace administrator initiated a data transfer request

Set up the gsuite integration.

Goal

Detect when a Google Workspace administrator initiates a data transfer request.

Strategy

Monitor Google Workspace logs to detect when a Google Workspace administrator initiates a request to transfer the ownership of a user’s data to a destination user within the same organization. This request is typically made when a user has left an organization and their data is transferred to another user. However, the service could be leveraged by an attacker to transfer data to an attacker-controlled account for exfiltration.

Triage and response

  1. Determine if there is a legitimate reason for the data transfer request.
  2. If there is not a legitimate reason, investigate activity from the Google Workspace administrator ({{@usr.email}}) and from the IP address that initiated the request ({{@network.client.ip}}).
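
The strategy and first triage step above, sketched as an added example (not Datadog's rule logic or code from this page). It assumes the admin audit event is named CREATE_DATA_TRANSFER_REQUEST with USER_EMAIL and DESTINATION_USER_EMAIL parameters in Admin SDK Reports API style records; the sample records and the offboarding list are constructed.

```python
# Added example, not Datadog's rule. The event and parameter names below are
# assumptions based on the Admin SDK Reports API; they are not on the page.
EVENT_NAME = "CREATE_DATA_TRANSFER_REQUEST"

# Constructed sample records (not real logs), in Reports API activity shape.
SAMPLE_ACTIVITIES = [
    {"id": {"time": "2024-05-01T09:12:00Z"}, "actor": {"email": "admin1@example.com"},
     "ipAddress": "192.0.2.10",
     "events": [{"name": EVENT_NAME, "parameters": [
         {"name": "USER_EMAIL", "value": "departed@example.com"},
         {"name": "DESTINATION_USER_EMAIL", "value": "manager@example.com"}]}]},
    {"id": {"time": "2024-05-02T03:40:00Z"}, "actor": {"email": "admin2@example.com"},
     "ipAddress": "198.51.100.77",
     "events": [{"name": EVENT_NAME, "parameters": [
         {"name": "USER_EMAIL", "value": "Active.User@example.com"},
         {"name": "DESTINATION_USER_EMAIL", "value": "newhire@example.com"}]}]},
    {"id": {"time": "2024-05-02T03:45:00Z"}, "actor": {"email": "admin2@example.com"},
     "ipAddress": "198.51.100.77",
     "events": [{"name": "CHANGE_PASSWORD", "parameters": []}]},
]

# Hypothetical list of users HR has offboarded, used for triage step 1.
OFFBOARDED = {"departed@example.com"}

def find_transfer_requests(activities):
    """Return one finding per data transfer request event."""
    findings = []
    for act in activities:
        for ev in act.get("events", []):
            if ev.get("name") != EVENT_NAME:
                continue
            params = {p.get("name"): p.get("value") for p in ev.get("parameters", [])}
            findings.append({
                "time": act.get("id", {}).get("time"),
                "admin": act.get("actor", {}).get("email"),      # {{@usr.email}}
                "client_ip": act.get("ipAddress"),               # {{@network.client.ip}}
                "source_user": params.get("USER_EMAIL"),
                "destination_user": params.get("DESTINATION_USER_EMAIL"),
            })
    return findings

def triage(findings, offboarded):
    """Mark requests whose source user is not a known departure."""
    for f in findings:
        source = (f["source_user"] or "").lower()
        f["needs_investigation"] = source not in offboarded
    return findings
```

Calling `triage(find_transfer_requests(SAMPLE_ACTIVITIES), OFFBOARDED)` returns two findings; only the one whose source user is absent from the offboarding list is marked for investigation, along with the administrator and IP address to pivot on.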