Large amount of downloads on Google Drive

Set up the gsuite integration.

Goal

Detect when an attempt to download a large number of Google Drive files occurs.

Strategy

This rule monitors Google Workspace logs to determine when an anomalous number of Google Drive files have been downloaded by a user. An attacker may try to exfiltrate data by downloading files and other sensitive information from the platform.

To reduce false positives the detection looks at download requests that did not originate from an application.

Triage and response

  1. Check for other signals and logs generated by the impacted user {{@usr.email}}, and look for deviations in the following properties:
    • Application
    • Device
    • Geolocation
    • IP address
  2. Reach out to the user {{@usr.email}} to confirm if they recognize the activity.
  3. If the activity is not legitimate, block the user from signing in and begin your Incident Response process.