Google Workspace administrator initiated a data transfer request

Set up the gsuite integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a Google Workspace administrator initiates a data transfer request.

Strategy

Monitor Google Workspace logs to detect when a Google Workspace administrator initiates a request to transfer the ownership of a user’s data to a destination user within the same organization. This request is typically made when a user has left an organization and their data is transferred to another user. However, the service could be leveraged by an attacker to transfer data to an attacker-controlled account for exfiltration.

Triage and response

  1. Determine if there is a legitimate reason for the data transfer request.
  2. If there is not a legitimate reason, investigate activity from around the Google Workspace administrator ({{@usr.email}}) and IP address that initiated the request ({{@network.client.ip}}).
PREVIEWING: rtrieu/product-analytics-ui-changes