Google Workspace administrator initiated a data transfer request
Set up the gsuite integration.
Goal
Detect when a Google Workspace administrator initiates a data transfer request.
Strategy
Monitor Google Workspace logs to detect when a Google Workspace administrator initiates a request to transfer the ownership of a user’s data to a destination user within the same organization. This request is typically made when a user has left an organization and their data is transferred to another user. However, the service could be leveraged by an attacker to transfer data to an attacker-controlled account for exfiltration.
Triage and response
- Determine if there is a legitimate reason for the data transfer request.
- If there is not a legitimate reason, investigate activity around the Google Workspace administrator ({{@usr.email}}) and the IP address that initiated the request ({{@network.client.ip}}).
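
The detection and the triage pivot described above, as an added example that is not part of the original rule or of any vendor's code. It assumes records shaped like Admin SDK Reports API activities, that the transfer event is named `CREATE_DATA_TRANSFER_REQUEST` with `USER_EMAIL` and `DESTINATION_USER_EMAIL` parameters, and that `actor.email` and `ipAddress` correspond to `@usr.email` and `@network.client.ip`; the helper names and all sample data are constructed.

```python
from datetime import datetime, timedelta

TRANSFER_EVENT = "CREATE_DATA_TRANSFER_REQUEST"  # assumed Admin audit event name

def rec(time, email, ip, name, **params):
    """Build a constructed record shaped like an Admin SDK Reports API activity."""
    return {"id": {"time": time, "applicationName": "admin"},
            "actor": {"email": email}, "ipAddress": ip,
            "events": [{"name": name, "parameters":
                        [{"name": k, "value": v} for k, v in params.items()]}]}

# Constructed sample data; every address, IP and timestamp is made up.
SAMPLE = [
    rec("2024-05-01T09:58:00Z", "admin@example.com", "203.0.113.7", "ASSIGN_ROLE"),
    rec("2024-05-01T10:00:00Z", "admin@example.com", "203.0.113.7", TRANSFER_EVENT,
        USER_EMAIL="departed@example.com", DESTINATION_USER_EMAIL="newowner@example.com"),
    rec("2024-05-01T10:05:00Z", "helpdesk@example.com", "198.51.100.9", "CHANGE_PASSWORD"),
    rec("2024-05-01T10:20:00Z", "other-admin@example.com", "203.0.113.7", "CREATE_USER"),
    rec("2024-05-01T15:00:00Z", "admin@example.com", "192.0.2.44", "DELETE_USER"),
]

def when(r):
    """Parse the record's RFC 3339 timestamp into an aware datetime."""
    return datetime.fromisoformat(r["id"]["time"].replace("Z", "+00:00"))

def triage_context(records, window=timedelta(hours=1)):
    """For each transfer request, gather other events from the same admin or
    the same IP within `window`, which is what the triage steps ask for."""
    findings = []
    for r in records:
        for ev in r.get("events", []):
            if ev.get("name") != TRANSFER_EVENT:
                continue
            p = {x["name"]: x.get("value") for x in ev.get("parameters", [])}
            admin, ip, t = r["actor"]["email"], r.get("ipAddress"), when(r)
            related = sorted(
                (o["id"]["time"], o["actor"]["email"], o.get("ipAddress"), e["name"])
                for o in records if o is not r and abs(when(o) - t) <= window
                and (o["actor"]["email"] == admin or (ip and o.get("ipAddress") == ip))
                for e in o.get("events", []))
            findings.append({"time": r["id"]["time"], "admin": admin, "ip": ip,
                             "source_user": p.get("USER_EMAIL"),
                             "destination_user": p.get("DESTINATION_USER_EMAIL"),
                             "related": related})
    return findings

if __name__ == "__main__":
    for f in triage_context(SAMPLE):
        print(f)
```

A second administrator account appearing from the same IP inside the window, as in the constructed sample, is the kind of overlap worth following up when no offboarding record explains the transfer.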