Google Workspace administrator initiated a data transfer request

Set up the gsuite integration.

Goal

Detect when a Google Workspace administrator initiates a data transfer request.

Strategy

Monitor Google Workspace logs to detect when a Google Workspace administrator initiates a request to transfer the ownership of a user’s data to a destination user within the same organization. This request is typically made when a user has left an organization and their data is transferred to another user. However, the service could be leveraged by an attacker to transfer data to an attacker-controlled account for exfiltration.

Triage and response

  1. Determine if there is a legitimate reason for the data transfer request.
  2. If there is no legitimate reason, investigate activity around the Google Workspace administrator ({{@usr.email}}) and the IP address that initiated the request ({{@network.client.ip}}).
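
The detection in Strategy and the first triage step, as an added example that is not the rule's own query or code. It assumes records shaped like Google's Admin audit activities, the event name `CREATE_DATA_TRANSFER_REQUEST` with `USER_EMAIL` and `DESTINATION_USER_EMAIL` parameters, and a hypothetical `offboarded_users` set exported from HR or ticketing; the sample events are constructed.

```python
# Added example: sample events are constructed, not real audit data.
EVENT_NAME = "CREATE_DATA_TRANSFER_REQUEST"  # assumed Admin audit event name

SAMPLE_ACTIVITIES = [
    {"id": {"time": "2024-05-02T09:14:07Z", "applicationName": "admin"},
     "actor": {"email": "it-admin@example.com"}, "ipAddress": "198.51.100.20",
     "events": [{"name": EVENT_NAME, "parameters": [
         {"name": "USER_EMAIL", "value": "leaver@example.com"},
         {"name": "DESTINATION_USER_EMAIL", "value": "manager@example.com"}]}]},
    {"id": {"time": "2024-05-02T23:51:40Z", "applicationName": "admin"},
     "actor": {"email": "helpdesk-admin@example.com"}, "ipAddress": "203.0.113.77",
     "events": [{"name": EVENT_NAME, "parameters": [
         {"name": "USER_EMAIL", "value": "cfo@example.com"},
         {"name": "DESTINATION_USER_EMAIL", "value": "temp-contractor@example.com"}]}]},
    {"id": {"time": "2024-05-03T08:00:00Z", "applicationName": "admin"},
     "actor": {"email": "it-admin@example.com"}, "ipAddress": "198.51.100.20",
     "events": [{"name": "CHANGE_PASSWORD", "parameters": [
         {"name": "USER_EMAIL", "value": "someone@example.com"}]}]},
]


def find_transfer_requests(activities, offboarded_users):
    """Return one finding per data transfer request and flag those whose
    source user is not on the offboarding list (no obvious legitimate reason)."""
    findings = []
    for activity in activities:
        for event in activity.get("events", []):
            if event.get("name") != EVENT_NAME:
                continue
            params = {p["name"]: p.get("value") for p in event.get("parameters", [])}
            source = (params.get("USER_EMAIL") or "").lower()
            findings.append({
                "time": activity["id"]["time"],
                "admin": activity.get("actor", {}).get("email"),   # {{@usr.email}}
                "client_ip": activity.get("ipAddress"),  # {{@network.client.ip}}
                "source_user": source,
                "destination_user": (params.get("DESTINATION_USER_EMAIL") or "").lower(),
                "needs_review": source not in offboarded_users,
            })
    return findings


if __name__ == "__main__":
    for finding in find_transfer_requests(SAMPLE_ACTIVITIES, {"leaver@example.com"}):
        print(finding)
```

Findings with `needs_review` set are the ones to carry into step 2, pivoting on the `admin` and `client_ip` values.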