Query Details

GWS Alerts App Settings Changed

Query

id: 8b4e3d9f-2c5d-4f6b-ad3e-9c2e8f7b5a09
name: GWS Alerts - App Settings Changed (Calendar / Drive / Email / Mobile)
description: |
  Tracks AppSettingsChanged alerts. Adversaries flip Drive sharing to "anyone
  with link", relax Gmail external-forwarding, or weaken mobile policies as part
  of persistence/exfil setup.
requiredDataConnectors:
  - connectorId: GoogleWorkspaceDefinition
    dataTypes:
      - GWSAlerts_CL
tactics:
  - DefenseEvasion
  - Persistence
relevantTechniques:
  - T1562
  - T1098
query: |
  GWSAlerts_CL
  | where TimeGenerated > ago(30d)
  | where Source == "App Settings Changed" or AlertDataType endswith "AppSettingsChanged"
  | extend Actor = tostring(coalesce(AlertData.actorEmail, AlertData.email)),
           SettingName = tostring(AlertData.settingName),
           NewValue = tostring(AlertData.newValue),
           OldValue = tostring(AlertData.oldValue),
           App = tostring(AlertData.applicationName)
  | project TimeGenerated, AlertId, App, AlertType, Actor,
            SettingName, OldValue, NewValue, SecurityInvestigationToolLink
  | order by TimeGenerated desc
tags:
  - GoogleWorkspace
  - DefenseEvasion

Explanation

This query is designed to track changes in application settings within Google Workspace, specifically focusing on alerts related to changes in settings for Calendar, Drive, Email, and Mobile. It aims to identify potential security threats where adversaries might alter settings to facilitate unauthorized access or data exfiltration.

Here's a simple breakdown of the query:

  1. Data Source: It uses data from Google Workspace alerts, specifically those related to application settings changes.

  2. Time Frame: The query looks at alerts generated in the last 30 days.

  3. Filter Criteria: It filters alerts where the source is "App Settings Changed" or the alert type ends with "AppSettingsChanged".

  4. Data Extraction: It extracts details such as the actor's email, the setting name, the new and old values of the setting, and the application name involved in the change.

  5. Output: The query projects (selects) specific fields like the time the alert was generated, alert ID, application name, alert type, actor, setting name, old and new values, and a link to the security investigation tool.

  6. Sorting: The results are ordered by the time the alert was generated, with the most recent alerts appearing first.

The query is tagged with "GoogleWorkspace" and "DefenseEvasion" to indicate its focus on Google Workspace and its relevance to defense evasion tactics. It is associated with tactics like Defense Evasion and Persistence and techniques T1562 (Impair Defenses) and T1098 (Account Manipulation).
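As an added example (not part of the original rule or the author's code), the rule's filter and extraction are run over constructed sample rows standing in for GWSAlerts_CL, then extended with a risk tier and a per-actor roll-up; the setting names, values and investigation-link URLs in the sample, and the keyword matches in the tiering, are assumptions to tune against a real tenant's alerts:

```kusto
// Constructed sample rows standing in for GWSAlerts_CL; every field value is assumed, not a real alert.
let SampleAlerts = datatable(
    TimeGenerated: datetime, AlertId: string, Source: string, AlertDataType: string,
    AlertType: string, AlertData: dynamic, SecurityInvestigationToolLink: string)
[
  datetime(2026-05-01 09:00:00), "alert-001", "App Settings Changed", "AppSettingsChanged",
    "Drive settings changed",
    dynamic({"actorEmail":"admin@example.com","applicationName":"Drive","settingName":"Link sharing default","oldValue":"RESTRICTED","newValue":"ANYONE_WITH_LINK"}),
    "https://admin.google.com/ac/sc/investigation?id=alert-001",
  datetime(2026-05-01 09:04:00), "alert-002", "App Settings Changed", "AppSettingsChanged",
    "Gmail settings changed",
    dynamic({"email":"admin@example.com","applicationName":"Gmail","settingName":"Automatic forwarding","oldValue":"DISALLOW","newValue":"ALLOW"}),
    "https://admin.google.com/ac/sc/investigation?id=alert-002",
  datetime(2026-05-02 14:30:00), "alert-003", "App Settings Changed", "AppSettingsChanged",
    "Calendar settings changed",
    dynamic({"actorEmail":"helpdesk@example.com","applicationName":"Calendar","settingName":"External sharing","oldValue":"READ_ONLY","newValue":"READ_ONLY"}),
    "https://admin.google.com/ac/sc/investigation?id=alert-003",
  datetime(2026-05-02 15:00:00), "alert-004", "User reported phishing", "PhishingReported",
    "Phishing", dynamic({"email":"user@example.com"}), ""
];
SampleAlerts
// Same filter and extraction as the rule above; against the live table keep "| where TimeGenerated > ago(30d)".
// coalesce() covers alerts that carry the actor under "email" instead of "actorEmail" (alert-002).
| where Source == "App Settings Changed" or AlertDataType endswith "AppSettingsChanged"
| extend Actor = tostring(coalesce(AlertData.actorEmail, AlertData.email)),
         SettingName = tostring(AlertData.settingName),
         NewValue = tostring(AlertData.newValue),
         OldValue = tostring(AlertData.oldValue),
         App = tostring(AlertData.applicationName)
// Drop no-op saves (old == new, alert-003), then tier what remains. The keyword matches are
// assumptions about the setting/value strings; adjust them to what your alerts actually contain.
| where OldValue != NewValue
| extend RiskTier = case(
    App == "Drive" and NewValue contains "anyone", "High",
    App == "Gmail" and SettingName contains "forward" and NewValue contains "allow", "High",
    App == "Mobile" and NewValue in~ ("OFF", "DISABLED", "FALSE"), "Medium",
    "Low")
// Roll up per actor so one account relaxing several controls in a short window stands out.
| summarize Changes = count(), HighRisk = countif(RiskTier == "High"),
            Settings = make_set(strcat(App, ": ", SettingName, " ", OldValue, " -> ", NewValue)),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Links = make_set(SecurityInvestigationToolLink) by Actor
| extend WindowMinutes = datetime_diff("minute", LastSeen, FirstSeen)
| where HighRisk > 0 or Changes >= 3
| order by HighRisk desc, Changes desc
```

With the sample data this returns one row for admin@example.com with two High-tier changes four minutes apart; alert-003 is dropped as a no-op and alert-004 never passes the source filter.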

Details


David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL

Keywords

GWS Alerts, App Settings Changed, Drive, Gmail, Mobile Policies, Persistence, Exfil, Google Workspace

Operators

where, ago, or, endswith, extend, tostring, coalesce, project, order by, desc
