GWS Alerts - App Settings Changed (Calendar / Drive / Email / Mobile)
GWS Alerts App Settings Changed
Query
GWSAlerts_CL
| where TimeGenerated > ago(30d)
| where Source == "App Settings Changed" or AlertDataType endswith "AppSettingsChanged"
| extend Actor = tostring(coalesce(AlertData.actorEmail, AlertData.email)),
SettingName = tostring(AlertData.settingName),
NewValue = tostring(AlertData.newValue),
OldValue = tostring(AlertData.oldValue),
App = tostring(AlertData.applicationName)
| project TimeGenerated, AlertId, App, AlertType, Actor,
SettingName, OldValue, NewValue, SecurityInvestigationToolLink
| order by TimeGenerated descExplanation
This query is designed to track changes in application settings within Google Workspace, specifically focusing on alerts related to changes in settings for Calendar, Drive, Email, and Mobile. It aims to identify potential security threats where adversaries might alter settings to facilitate unauthorized access or data exfiltration.
Here's a simple breakdown of the query:
-
Data Source: It uses data from Google Workspace alerts, specifically those related to application settings changes.
-
Time Frame: The query looks at alerts generated in the last 30 days.
-
Filter Criteria: It filters alerts where the source is "App Settings Changed" or the alert type ends with "AppSettingsChanged".
-
Data Extraction: It extracts details such as the actor's email, the setting name, the new and old values of the setting, and the application name involved in the change.
-
Output: The query projects (selects) specific fields like the time the alert was generated, alert ID, application name, alert type, actor, setting name, old and new values, and a link to the security investigation tool.
-
Sorting: The results are ordered by the time the alert was generated, with the most recent alerts appearing first.
The query is tagged with "GoogleWorkspace" and "DefenseEvasion" to indicate its focus on Google Workspace and its relevance to defense evasion tactics. It is associated with tactics like Defense Evasion and Persistence and techniques T1562 (Impair Defenses) and T1098 (Account Manipulation).
