Query Details

GWS Alerts - App Settings Changed (Calendar / Drive / Email / Mobile)

GWS Alerts App Settings Changed

Query

GWSAlerts_CL
| where TimeGenerated > ago(30d)
| where Source == "App Settings Changed" or AlertDataType endswith "AppSettingsChanged"
| extend Actor = tostring(coalesce(AlertData.actorEmail, AlertData.email)),
         SettingName = tostring(AlertData.settingName),
         NewValue = tostring(AlertData.newValue),
         OldValue = tostring(AlertData.oldValue),
         App = tostring(AlertData.applicationName)
| project TimeGenerated, AlertId, App, AlertType, Actor,
          SettingName, OldValue, NewValue, SecurityInvestigationToolLink
| order by TimeGenerated desc

Explanation

This query is designed to track changes in application settings within Google Workspace, specifically focusing on alerts related to changes in settings for Calendar, Drive, Email, and Mobile. It aims to identify potential security threats where adversaries might alter settings to facilitate unauthorized access or data exfiltration.

Here's a simple breakdown of the query:

  1. Data Source: It uses data from Google Workspace alerts, specifically those related to application settings changes.

  2. Time Frame: The query looks at alerts generated in the last 30 days.

  3. Filter Criteria: It filters alerts where the source is "App Settings Changed" or the alert type ends with "AppSettingsChanged".

  4. Data Extraction: It extracts details such as the actor's email, the setting name, the new and old values of the setting, and the application name involved in the change.

  5. Output: The query projects (selects) specific fields like the time the alert was generated, alert ID, application name, alert type, actor, setting name, old and new values, and a link to the security investigation tool.

  6. Sorting: The results are ordered by the time the alert was generated, with the most recent alerts appearing first.

The query is tagged with "GoogleWorkspace" and "DefenseEvasion" to indicate its focus on Google Workspace and its relevance to defense evasion tactics. It is associated with tactics like Defense Evasion and Persistence and techniques T1562 (Impair Defenses) and T1098 (Account Manipulation).

Details

David Alonso profile picture

David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL

Keywords

GWSAlertsAppSettingsChangedDriveGmailMobilePoliciesPersistenceExfilGoogleWorkspace

Operators

whereagoorendswithextendtostringcoalesceprojectorder bydesc

Tactics

DefenseEvasionPersistence

MITRE Techniques

Actions

GitHub