GWS Alerts - Account Warnings + Drive/Takeout Activity (Exfil Chain)
GWS Alerts Account Warning To Exfil Chain
Query
let warnings =
GWSAlerts_CL
| where Source == "Google identity" or AlertDataType endswith "AccountWarning"
| extend User = tostring(AlertData.email)
| project WarnTime = TimeGenerated, User, WarnType = AlertType, WarnId = AlertId;
let exfil =
GWSAlerts_CL
| where AlertDataType endswith_cs "DlpRuleViolation"
or AlertDataType endswith_cs "DriveSyncStateChanged"
or AlertDataType endswith_cs "DomainWideTakeoutInitiated"
| extend User = tostring(coalesce(AlertData.email,
AlertData.resourceOwner,
AlertData.initiator))
| project ExfilTime = TimeGenerated, User, ExfilType = AlertType,
ExfilSource = Source, ExfilId = AlertId,
ExfilLink = SecurityInvestigationToolLink;
warnings
| join kind=inner exfil on User
| where ExfilTime between (WarnTime .. WarnTime + 48h)
| project WarnTime, ExfilTime, User, WarnType, ExfilSource, ExfilType,
WarnId, ExfilId, ExfilLink
| order by ExfilTime descExplanation
This query is designed to identify potential security incidents involving Google Workspace accounts. It specifically looks for situations where an account receives a warning related to suspicious activity (such as a suspicious login, leaked password, or account suspension) and then shortly afterward triggers alerts related to data exfiltration activities, like data loss prevention (DLP) violations, Drive ransomware, or domain-wide data takeout.
Here's a breakdown of the query:
-
Data Sources: It uses data from Google Workspace alerts, focusing on two types of alerts:
- Account warnings from Google identity, which indicate suspicious activities related to account access.
- Exfiltration-related alerts, such as DLP violations, changes in Drive sync state, or domain-wide data takeout initiations.
-
Process:
- It first extracts account warnings and associates them with user emails and alert details.
- Then, it extracts exfiltration alerts, associating them with user emails and alert details.
- The query joins these two sets of alerts based on the user email.
-
Timeframe: It filters the results to include only those cases where the exfiltration alert occurs within 48 hours after the account warning.
-
Output: The final output includes details such as the times of the warnings and exfiltration alerts, user information, types of warnings and exfiltration activities, and relevant alert IDs and investigation links.
-
Purpose: This query helps in identifying potential account takeover incidents that lead to data exfiltration, allowing security teams to investigate and respond to these threats promptly.
Details

David Alonso
Released: May 7, 2026
Tables
Keywords
Operators
Tactics