Query Details

GWS Alerts DLP High Severity

Query

id: 7a3f2c8e-1d4b-4e5a-9c2f-8b1d7e6a4f06
name: GWS - High-Severity DLP Rule Violation
description: |
  A Workspace DLP rule fired at HIGH severity. Such rules typically cover
  external sharing or exfiltration of sensitive data (PII, PCI cardholder data,
  source code, secrets); the query does not filter on rule name, so every
  HIGH-severity DLP rule in the tenant will alert.
severity: High
status: Available
requiredDataConnectors:
  - connectorId: GoogleWorkspaceDefinition
    dataTypes:
      - GWSAlerts_CL
queryFrequency: 10m
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Exfiltration
  - Collection
relevantTechniques:
  - T1567.002
  - T1530
query: |
  GWSAlerts_CL
  | where Source == "Data Loss Prevention"
       or AlertDataType endswith "DlpRuleViolation"
  | where MetadataSeverity =~ "HIGH" or tostring(AlertData.severity) =~ "HIGH"
  | extend ResourceOwner = tostring(coalesce(AlertData.resourceOwner, AlertData.email)),
           RuleName = tostring(AlertData.ruleName),
           ResourceTitle = tostring(AlertData.resourceTitle)
  | project TimeGenerated, AlertId, MetadataSeverity, RuleName, ResourceOwner,
            ResourceTitle, SecurityInvestigationToolLink, AlertData
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: ResourceOwner
  - entityType: File
    fieldMappings:
      - identifier: Name
        columnName: ResourceTitle
incidentConfiguration:
  createIncident: true
version: 1.0.0
kind: Scheduled

Explanation

This query is a scheduled alert rule designed to detect high-severity Data Loss Prevention (DLP) rule violations in Google Workspace. Here's a simplified breakdown:

  • Purpose: It identifies instances where any Workspace DLP rule has fired with HIGH severity. In practice such rules usually cover external sharing or exfiltration of sensitive data (PII, PCI data, source code, secrets), but the query does not filter on rule name, so every HIGH-severity DLP rule in the tenant will produce an alert.

  • Data Source: The query uses data from the GWSAlerts_CL table, which is connected through the GoogleWorkspaceDefinition data connector.

  • Frequency and Period: The query runs every 10 minutes and examines data from the past hour. Because the lookback is six times the frequency, the same alert row can be returned by up to six consecutive runs; the rule defines no groupingConfiguration, so expect duplicate incidents for one DLP event unless alert grouping (for example on AlertId) is added or the period is shortened.

  • Conditions: It keeps alerts whose Source is exactly "Data Loss Prevention" or whose AlertDataType ends with "DlpRuleViolation" (KQL endswith is case-insensitive; == is case-sensitive), and whose severity is HIGH in either the MetadataSeverity column or the severity field of the AlertData payload (=~ is case-insensitive equality, so "High" and "high" also match).

  • Data Extraction: It extracts the rule name and resource title from the AlertData payload, takes ResourceOwner from AlertData.resourceOwner with AlertData.email as a fallback via coalesce(), and projects the time the alert was generated, alert ID, severity, those three derived fields, the link to Google's security investigation tool, and the raw AlertData for triage.

  • Entity Mapping: The query maps the resource owner to an account entity and the resource title to a file entity for further analysis.

  • Incident Creation: With triggerOperator gt and triggerThreshold 0, a single matching row in the 1-hour window raises an alert, and createIncident: true turns it into an incident for investigation.

  • Tactics and Techniques: The alert is associated with the Exfiltration and Collection tactics, and with techniques T1567.002 (Exfiltration to Cloud Storage, a sub-technique of T1567 Exfiltration Over Web Service) and T1530 (Data from Cloud Storage).

  • Version and Status: This is version 1.0.0 of the rule, and it is currently available for use.
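To check the predicate's behaviour before deploying, the following Python reproduces the rule's filter and projection over constructed GWSAlerts_CL-shaped rows. It is an added example, not the rule's own code (which is KQL) and not from the page's author; the column names come from the KQL above, while the AlertData field names (severity, ruleName, resourceOwner, email, resourceTitle) and all row values are assumptions. It deliberately includes the edge cases the KQL allows for: severity carried only in AlertData, a differently-cased AlertDataType, and an owner present only as email.

```python
"""Offline emulation of the GWS DLP HIGH-severity rule (added example)."""
from typing import Any

# Constructed sample rows standing in for GWSAlerts_CL; not real tenant data.
# AlertData field names are assumptions mirrored from the KQL query.
SAMPLE_ALERTS: list[dict[str, Any]] = [
    {   # a1: matched by Source and MetadataSeverity; owner in resourceOwner
        "TimeGenerated": "2026-05-07T10:00:00Z", "AlertId": "a1",
        "Source": "Data Loss Prevention", "AlertDataType": "DlpRuleViolation",
        "MetadataSeverity": "HIGH",
        "AlertData": {"ruleName": "Block external share of card numbers",
                      "resourceOwner": "alice@example.com",
                      "resourceTitle": "cardholder-export.csv"},
        "SecurityInvestigationToolLink": "https://example.invalid/sit/a1",
    },
    {   # a2: DLP alert but only MEDIUM -> filtered out
        "TimeGenerated": "2026-05-07T10:05:00Z", "AlertId": "a2",
        "Source": "Data Loss Prevention", "AlertDataType": "DlpRuleViolation",
        "MetadataSeverity": "MEDIUM",
        "AlertData": {"ruleName": "Warn on internal PII share",
                      "resourceOwner": "carol@example.com",
                      "resourceTitle": "hr-notes.docx"},
        "SecurityInvestigationToolLink": "https://example.invalid/sit/a2",
    },
    {   # a3: Source empty; matched by AlertDataType suffix (case-insensitive)
        #     and by AlertData.severity; owner only present as email
        "TimeGenerated": "2026-05-07T10:07:00Z", "AlertId": "a3",
        "Source": "", "AlertDataType": "example.dlpruleviolation",
        "MetadataSeverity": "",
        "AlertData": {"severity": "High", "ruleName": "Secrets in Drive",
                      "email": "bob@example.com",
                      "resourceTitle": "deploy-keys.txt"},
        "SecurityInvestigationToolLink": "https://example.invalid/sit/a3",
    },
    {   # a4: HIGH but not a DLP alert -> filtered out
        "TimeGenerated": "2026-05-07T10:09:00Z", "AlertId": "a4",
        "Source": "Gmail phishing", "AlertDataType": "MailPhishing",
        "MetadataSeverity": "HIGH",
        "AlertData": {"email": "dave@example.com"},
        "SecurityInvestigationToolLink": "https://example.invalid/sit/a4",
    },
]


def _tostring(value: Any) -> str:
    """KQL tostring(): a null/missing value becomes the empty string."""
    return "" if value is None else str(value)


def is_high_dlp_violation(row: dict[str, Any]) -> bool:
    """The two `where` stages of the rule."""
    data = row.get("AlertData") or {}
    # `==` is case-sensitive; `endswith` is case-insensitive in KQL.
    is_dlp = (row.get("Source") == "Data Loss Prevention"
              or _tostring(row.get("AlertDataType")).casefold()
              .endswith("dlpruleviolation"))
    # `=~` is case-insensitive equality, checked in both severity locations.
    is_high = (_tostring(row.get("MetadataSeverity")).casefold() == "high"
               or _tostring(data.get("severity")).casefold() == "high")
    return is_dlp and is_high


def project(row: dict[str, Any]) -> dict[str, Any]:
    """The `extend` and `project` stages of the rule."""
    data = row.get("AlertData") or {}
    # coalesce(): first value that is neither null nor an empty string.
    owner = next((v for v in (data.get("resourceOwner"), data.get("email"))
                  if v not in (None, "")), None)
    return {
        "TimeGenerated": row.get("TimeGenerated"),
        "AlertId": row.get("AlertId"),
        "MetadataSeverity": row.get("MetadataSeverity"),
        "RuleName": _tostring(data.get("ruleName")),
        "ResourceOwner": _tostring(owner),
        "ResourceTitle": _tostring(data.get("resourceTitle")),
        "SecurityInvestigationToolLink": row.get("SecurityInvestigationToolLink"),
        "AlertData": data,
    }


def run_rule(rows: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Rows the scheduled query would return for one run."""
    return [project(r) for r in rows if is_high_dlp_violation(r)]


def should_trigger(rows: list[dict[str, Any]], threshold: int = 0) -> bool:
    """triggerOperator: gt, triggerThreshold: 0 -> any result raises an alert."""
    return len(run_rule(rows)) > threshold


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_ALERTS):
        print(hit["AlertId"], hit["RuleName"], hit["ResourceOwner"],
              hit["ResourceTitle"])
```

Running it returns a1 and a3 and drops a2 (MEDIUM) and a4 (not DLP); a3 shows the owner fallback to the email field. In Sentinel the equivalent check is to paste the rule's query with `GWSAlerts_CL` replaced by a `datatable()` holding the same rows and confirm both result rows and the empty-owner case before enabling the rule.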

Details


David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL

Keywords

GoogleWorkspace, Alerts, DataLossPrevention, ResourceOwner, RuleName, ResourceTitle, SecurityInvestigationToolLink, AlertData, Account, File, IncidentConfiguration

Operators

where, or, endswith, =~, tostring, coalesce, extend, project