Query Details

GWS Alerts Account Warning To Exfil Chain

Query

id: 8b4e3d9f-2c5d-4f6b-ad3e-9c2e8f7b5a08
name: GWS Alerts - Account Warnings + Drive/Takeout Activity (Exfil Chain)
description: |
  Hunts for accounts that received a Google identity AccountWarning
  (suspicious login / leaked password / suspended) and shortly after generated
  a DLP, Drive ransomware, or Domain-wide Takeout alert. Possible
  account-takeover-to-exfiltration chain.
requiredDataConnectors:
  - connectorId: GoogleWorkspaceDefinition
    dataTypes:
      - GWSAlerts_CL
tactics:
  - InitialAccess
  - Exfiltration
relevantTechniques:
  - T1078.004
  - T1567
  - T1530
query: |
  // Identity-side warnings: suspicious login, leaked password, suspension, etc.
  let warnings =
      GWSAlerts_CL
      | where Source == "Google identity" or AlertDataType endswith "AccountWarning"
      | extend User = tostring(AlertData.email)
      | where isnotempty(User)   // an empty key would otherwise join every other empty key
      | project WarnTime = TimeGenerated, User, WarnType = AlertType, WarnId = AlertId;
  // Exfiltration-style alerts, keyed on whichever user field the alert carries
  let exfil =
      GWSAlerts_CL
      | where AlertDataType endswith_cs "DlpRuleViolation"
           or AlertDataType endswith_cs "DriveSyncStateChanged"
           or AlertDataType endswith_cs "DomainWideTakeoutInitiated"
      | extend User = tostring(coalesce(AlertData.email,
                                        AlertData.resourceOwner,
                                        AlertData.initiator))
      | where isnotempty(User)
      | project ExfilTime = TimeGenerated, User, ExfilType = AlertType,
                ExfilSource = Source, ExfilId = AlertId,
                ExfilLink = SecurityInvestigationToolLink;
  warnings
  | join kind=inner exfil on User
  // keep only exfil activity in the 48 hours after the warning (inclusive)
  | where ExfilTime between (WarnTime .. WarnTime + 48h)
  | project WarnTime, ExfilTime, User, WarnType, ExfilSource, ExfilType,
            WarnId, ExfilId, ExfilLink
  | order by ExfilTime desc
tags:
  - GoogleWorkspace
  - AccountTakeover
  - Exfiltration

Explanation

This query is designed to identify potential security incidents involving Google Workspace accounts. It specifically looks for situations where an account receives a warning related to suspicious activity (such as a suspicious login, leaked password, or account suspension) and then shortly afterward triggers alerts related to data exfiltration activities, like data loss prevention (DLP) violations, Drive ransomware, or domain-wide data takeout.

Here's a breakdown of the query:

  1. Data Sources: It uses data from Google Workspace alerts, focusing on two types of alerts:
     • Account warnings from Google identity, which indicate suspicious activities related to account access.
     • Exfiltration-related alerts, such as DLP violations, changes in Drive sync state, or domain-wide data takeout initiations.
  2. Process:
     • It first extracts account warnings and associates them with user emails and alert details.
     • Then, it extracts exfiltration alerts, associating them with user emails and alert details.
     • The query joins these two sets of alerts based on the user email.
  3. Timeframe: It filters the results to include only those cases where the exfiltration alert occurs within 48 hours after the account warning.
  4. Output: The final output includes details such as the times of the warnings and exfiltration alerts, user information, types of warnings and exfiltration activities, and relevant alert IDs and investigation links.
  5. Purpose: This query helps in identifying potential account takeover incidents that lead to data exfiltration, allowing security teams to investigate and respond to these threats promptly.
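The correlation the breakdown describes (user-keyed join, 48-hour window, newest exfil first) is easy to unit-test before it goes into a workbook. The Python below is an added example, not the page's query or any Microsoft/Google code: it re-implements the same logic over constructed rows shaped like the GWSAlerts_CL columns the KQL touches. The AlertDataType prefix, the Source strings, the alert IDs and the example.invalid links are all constructed placeholders; only the type-name suffixes the query matches on are taken from the page. It also covers two edge cases worth asserting on: an exfil alert that precedes the warning is not a chain, and rows with no user field must not pair up on an empty join key.

```python
# Added example: offline re-implementation of the warning -> exfil correlation
# so the detection logic can be tested against constructed GWSAlerts_CL rows.
from datetime import datetime, timedelta

EXFIL_SUFFIXES = ("DlpRuleViolation", "DriveSyncStateChanged", "DomainWideTakeoutInitiated")
PREFIX = "type.googleapis.com/google.apps.alertcenter.type."  # constructed; only the suffix matters


def row(ts, source, suffix, alert_type, alert_id, link="", **data):
    """Build one constructed record with the columns the KQL query uses."""
    return {"TimeGenerated": ts, "Source": source, "AlertDataType": PREFIX + suffix,
            "AlertType": alert_type, "AlertId": alert_id, "AlertData": data,
            "SecurityInvestigationToolLink": link}


# Constructed sample alerts (not real telemetry).
SAMPLE_ALERTS = [
    # alice: warning, then two exfil-style alerts within 48h -> two hits
    row("2026-05-01T08:00:00Z", "Google identity", "AccountWarning", "Suspicious login", "w-alice", email="alice@example.com"),
    row("2026-05-01T09:00:00Z", "Google Drive", "DriveSyncStateChanged", "Drive sync state changed", "e-alice-1", resourceOwner="alice@example.com"),
    row("2026-05-02T10:00:00Z", "Data Loss Prevention", "DlpRuleViolation", "DLP rule violation", "e-alice-2", link="https://example.invalid/e-alice-2", email="alice@example.com"),
    # bob: takeout 73h after the warning -> outside the 48h window
    row("2026-05-01T08:00:00Z", "Google identity", "AccountWarning", "Leaked password", "w-bob", email="bob@example.com"),
    row("2026-05-04T09:00:00Z", "Takeout", "DomainWideTakeoutInitiated", "Domain-wide takeout", "e-bob", initiator="bob@example.com"),
    # carol: DLP alert one hour *before* the warning -> not a chain
    row("2026-05-01T07:00:00Z", "Data Loss Prevention", "DlpRuleViolation", "DLP rule violation", "e-carol", email="carol@example.com"),
    row("2026-05-01T08:00:00Z", "Google identity", "AccountWarning", "Suspicious login", "w-carol", email="carol@example.com"),
    # no user field on either row: must not pair up on an empty key
    row("2026-05-01T08:00:00Z", "Google identity", "AccountWarning", "Suspicious login", "w-nouser"),
    row("2026-05-01T09:00:00Z", "Data Loss Prevention", "DlpRuleViolation", "DLP rule violation", "e-nouser"),
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2026-05-01T08:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def first_non_empty(*values):
    """Mimic tostring(coalesce(...)): first non-empty value as a string, else ''."""
    return next((str(v) for v in values if v), "")


def is_warning(r):
    return r["Source"] == "Google identity" or r["AlertDataType"].endswith("AccountWarning")


def is_exfil(r):
    return r["AlertDataType"].endswith(EXFIL_SUFFIXES)


def correlate(rows, window_hours=48):
    """Return warning->exfil pairs for the same user within the window, newest exfil first."""
    window = timedelta(hours=window_hours)
    warnings, exfil = [], []
    for r in rows:
        data = r.get("AlertData") or {}
        if is_warning(r):
            user = first_non_empty(data.get("email"))
            if user:  # drop empty keys, as the isnotempty() guard does in KQL
                warnings.append((parse_ts(r["TimeGenerated"]), user, r))
        if is_exfil(r):
            user = first_non_empty(data.get("email"), data.get("resourceOwner"), data.get("initiator"))
            if user:
                exfil.append((parse_ts(r["TimeGenerated"]), user, r))
    hits = []
    for wtime, wuser, w in warnings:
        for etime, euser, e in exfil:
            # inner join on User, then the inclusive `between` window check
            if wuser == euser and wtime <= etime <= wtime + window:
                hits.append({"WarnTime": wtime, "ExfilTime": etime, "User": wuser,
                             "WarnType": w["AlertType"], "ExfilSource": e["Source"],
                             "ExfilType": e["AlertType"], "WarnId": w["AlertId"],
                             "ExfilId": e["AlertId"], "ExfilLink": e["SecurityInvestigationToolLink"]})
    hits.sort(key=lambda h: h["ExfilTime"], reverse=True)  # order by ExfilTime desc
    return hits


if __name__ == "__main__":
    for h in correlate(SAMPLE_ALERTS):
        print(h["User"], h["WarnType"], "->", h["ExfilType"], h["ExfilId"])
```

Run against the constructed rows, only alice's two alerts survive; widening the window to 80 hours pulls bob's takeout in as a third hit, which is a quick way to see how sensitive the rule is to the window value when tuning it for a tenant.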

Details

David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL
