Google Workspace administrator initiated a data transfer request

Set up the gsuite integration.

Goal

Detect when a Google Workspace administrator initiates a data transfer request.

Strategy

Monitor Google Workspace logs to detect when a Google Workspace administrator initiates a request to transfer the ownership of a user’s data to a destination user within the same organization. This request is typically made when a user has left an organization and their data is transferred to another user. However, the service could be leveraged by an attacker to transfer data to an attacker-controlled account for exfiltration.

Triage and response

  1. Determine if there is a legitimate reason for the data transfer request.
  2. If there is not a legitimate reason, investigate surrounding activity from the Google Workspace administrator ({{@usr.email}}) and the IP address that initiated the request ({{@network.client.ip}}).
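
The detection and triage steps above, as an added Python example (not part of the rule itself): it picks out the data transfer event and gathers other activity by the same administrator or source IP around it. The event name, the `evt.name` field, the one-hour window and the sample records are assumptions constructed for illustration; the `usr.email` and `network.client.ip` paths follow the template variables above.

```python
from datetime import datetime, timedelta

# Assumption: the Admin audit event name carried in evt.name for this action.
TRANSFER_EVENT = "CREATE_DATA_TRANSFER_REQUEST"

def _log(ts, name, email, ip):
    # Nested layout mirrors the @usr.email / @network.client.ip attribute paths.
    return {"timestamp": datetime.fromisoformat(ts), "evt": {"name": name},
            "usr": {"email": email}, "network": {"client": {"ip": ip}}}

# Constructed sample logs (example.com addresses, documentation-range IPs).
SAMPLE_LOGS = [
    _log("2024-05-01T08:00:00+00:00", "login_success", "bob@example.com", "198.51.100.4"),
    _log("2024-05-01T13:40:00+00:00", "login_success", "admin@example.com", "203.0.113.7"),
    _log("2024-05-01T13:52:00+00:00", "ASSIGN_ROLE", "admin@example.com", "203.0.113.7"),
    _log("2024-05-01T14:05:00+00:00", TRANSFER_EVENT, "admin@example.com", "203.0.113.7"),
    _log("2024-05-01T14:20:00+00:00", "login_success", "carol@example.com", "203.0.113.7"),
    _log("2024-05-01T19:30:00+00:00", "login_success", "admin@example.com", "192.0.2.10"),
]

def find_transfer_requests(logs):
    """Return every log that records a data transfer request."""
    return [l for l in logs if l["evt"]["name"] == TRANSFER_EVENT]

def triage_context(logs, alert, window=timedelta(hours=1)):
    """Other events within `window` of the alert sharing its admin or source IP."""
    admin = alert["usr"]["email"]
    ip = alert["network"]["client"]["ip"]
    related = []
    for l in logs:
        if l is alert or abs(l["timestamp"] - alert["timestamp"]) > window:
            continue
        same_admin = l["usr"]["email"] == admin
        same_ip = l["network"]["client"]["ip"] == ip
        if same_admin or same_ip:
            # "ip-only" marks a different account seen on the requester's IP.
            related.append((l["timestamp"].isoformat(), l["evt"]["name"],
                            l["usr"]["email"], "admin" if same_admin else "ip-only"))
    return sorted(related)

if __name__ == "__main__":
    for alert in find_transfer_requests(SAMPLE_LOGS):
        print("ALERT", alert["usr"]["email"], alert["network"]["client"]["ip"])
        for row in triage_context(SAMPLE_LOGS, alert):
            print("  ", *row)
```

Rows tagged `ip-only` are worth a second look during triage, since they show another account active from the address that initiated the request.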