Query Details

GWS - High-Severity DLP Rule Violation

GWS Alerts DLP High Severity

Query

GWSAlerts_CL
| where Source == "Data Loss Prevention"
     or AlertDataType endswith "DlpRuleViolation"
| where MetadataSeverity =~ "HIGH" or tostring(AlertData.severity) =~ "HIGH"
| extend ResourceOwner = tostring(coalesce(AlertData.resourceOwner, AlertData.email)),
         RuleName = tostring(AlertData.ruleName),
         ResourceTitle = tostring(AlertData.resourceTitle)
| project TimeGenerated, AlertId, MetadataSeverity, RuleName, ResourceOwner,
          ResourceTitle, SecurityInvestigationToolLink, AlertData

Explanation

This query is a scheduled alert rule designed to detect high-severity Data Loss Prevention (DLP) rule violations in Google Workspace. Here's a simplified breakdown:

  • Purpose: It identifies instances where a DLP rule, specifically related to external sharing or exfiltration of sensitive data (like PII, PCI, source code, or secrets), has been triggered with high severity.

  • Data Source: The query uses data from the GWSAlerts_CL table, which is connected through the GoogleWorkspaceDefinition data connector.

  • Frequency and Period: The query runs every 10 minutes and examines data from the past hour.

  • Conditions: It filters alerts where the source is "Data Loss Prevention" or the alert type ends with "DlpRuleViolation" and where the severity is marked as "HIGH".

  • Data Extraction: It extracts and projects specific fields such as the time the alert was generated, alert ID, severity, rule name, resource owner, resource title, and a link to the security investigation tool.

  • Entity Mapping: The query maps the resource owner to an account entity and the resource title to a file entity for further analysis.

  • Incident Creation: If the query finds any results, it will automatically create an incident for further investigation.

  • Tactics and Techniques: The alert is associated with tactics like Exfiltration and Collection, and techniques such as T1567.002 (Exfiltration Over Web Service) and T1530 (Data from Cloud Storage Object).

  • Version and Status: This is version 1.0.0 of the rule, and it is currently available for use.

Details

David Alonso profile picture

David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL

Keywords

GoogleWorkspaceAlertsDataLossPreventionResourceOwnerRuleNameTitleSecurityInvestigationToolLinkAlertAccountFileIncidentConfiguration

Operators

whereorendswith=~tostringcoalesceextendproject

Severity

High

Tactics

ExfiltrationCollection

MITRE Techniques

Frequency: 10m

Period: 1h

Actions

GitHub