Query Details

GWS Alerts DLP Top Offenders

Query

id: 8b4e3d9f-2c5d-4f6b-ad3e-9c2e8f7b5a05
name: GWS Alerts - DLP Top Offenders & Sensitive File Hotspots
description: |
  Aggregates DLP rule violations to surface top offending users and the most
  frequently flagged files / rules. Pivot for data-exfil hunts.
requiredDataConnectors:
  - connectorId: GoogleWorkspaceDefinition
    dataTypes:
      - GWSAlerts_CL
tactics:
  - Exfiltration
  - Collection
relevantTechniques:
  - T1530
  - T1567.002
query: |
  GWSAlerts_CL
  | where TimeGenerated > ago(30d)
  | where Source == "Data Loss Prevention" or AlertDataType endswith "DlpRuleViolation"
  | extend Owner = tostring(coalesce(AlertData.resourceOwner, AlertData.email)),
           RuleName = tostring(AlertData.ruleName),
           ResourceTitle = tostring(AlertData.resourceTitle),
           Severity = tostring(coalesce(AlertData.severity, MetadataSeverity))
  // Rank the severity label so max() is semantic: max() on the raw string is alphabetical
  // and would report "MEDIUM" as higher than "HIGH".
  | extend SeverityRank = case(tolower(Severity) == "high", 3,
                               tolower(Severity) == "medium", 2,
                               tolower(Severity) == "low", 1, 0)
  | summarize Hits = count(),
              Rules = make_set(RuleName, 25),
              Resources = make_set(ResourceTitle, 25),
              MaxRank = max(SeverityRank)
              by Owner
  | extend MaxSeverity = case(MaxRank == 3, "High", MaxRank == 2, "Medium", MaxRank == 1, "Low", "Unknown")
  | project-away MaxRank
  | order by Hits desc
tags:
  - GoogleWorkspace
  - DLP
  - Exfiltration

Explanation

This query is designed to analyze and summarize data loss prevention (DLP) alerts from Google Workspace. It focuses on identifying the top users who have violated DLP rules and the most frequently flagged files or rules. Here's a simple breakdown of what the query does:

  1. Data Source: It uses data from Google Workspace alerts, specifically looking at DLP-related alerts.

  2. Time Frame: The query examines alerts generated in the last 30 days.

  3. Filter Criteria: It keeps only alerts whose Source is "Data Loss Prevention" or whose AlertDataType ends with "DlpRuleViolation".

  4. Data Extraction: For each alert, it extracts information such as the owner of the resource (either from the alert's resource owner or email), the name of the rule violated, the title of the resource involved, and the severity of the alert.

  5. Aggregation: It summarizes the data by counting the number of violations (Hits) for each user, listing the unique rules and resources involved (up to 25 each), and determining the maximum severity level of the alerts for each user.

  6. Ordering: The results are ordered by the number of violations (Hits) in descending order, highlighting the top offenders.

  7. Purpose: This query helps in identifying users who frequently violate DLP rules and the sensitive files or rules that are most often involved, which can be useful for investigating potential data exfiltration activities.

The query is tagged with "GoogleWorkspace", "DLP", and "Exfiltration" to indicate its focus areas.
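As an added example that is not part of the catalog entry, the same pipeline run over a constructed datatable (addresses, rule names, file titles and the AlertDataType value are made up for the demo). A severity-rank step is included so the per-owner maximum is semantic rather than alphabetical, and a NaiveMax column is kept beside it to show what plain max() on the string returns; the 30-day window is dropped so the fixed-date rows always match.

```kusto
// Constructed sample rows standing in for GWSAlerts_CL (demo values, not tenant data).
// Row 4 has a different Source but a matching AlertDataType and no AlertData.severity,
// so it is kept and falls back to MetadataSeverity; row 5 is not a DLP alert at all.
let GWSAlerts_CL = datatable(TimeGenerated:datetime, Source:string, AlertDataType:string,
                             MetadataSeverity:string, AlertData:dynamic)
[
  datetime(2026-05-01T09:00:00Z), "Data Loss Prevention", "DlpRuleViolation", "LOW",
    dynamic({"resourceOwner":"alice@example.com","ruleName":"Block SSN","resourceTitle":"payroll.xlsx","severity":"HIGH"}),
  datetime(2026-05-01T09:05:00Z), "Data Loss Prevention", "DlpRuleViolation", "LOW",
    dynamic({"email":"alice@example.com","ruleName":"Block card numbers","resourceTitle":"customers.csv","severity":"MEDIUM"}),
  datetime(2026-05-02T11:00:00Z), "Data Loss Prevention", "DlpRuleViolation", "LOW",
    dynamic({"resourceOwner":"alice@example.com","ruleName":"Block SSN","resourceTitle":"payroll.xlsx","severity":"LOW"}),
  datetime(2026-05-03T08:30:00Z), "Rules", "DlpRuleViolation", "MEDIUM",
    dynamic({"resourceOwner":"bob@example.com","ruleName":"External share","resourceTitle":"roadmap.docx"}),
  datetime(2026-05-03T08:45:00Z), "Gmail phishing", "PhishingSpike", "HIGH",
    dynamic({"email":"carol@example.com","ruleName":"n/a","resourceTitle":"n/a","severity":"HIGH"})
];
GWSAlerts_CL
// The catalog query's ago(30d) window is omitted here so the fixed-date sample rows always match.
| where Source == "Data Loss Prevention" or AlertDataType endswith "DlpRuleViolation"
| extend Owner = tostring(coalesce(AlertData.resourceOwner, AlertData.email)),
         RuleName = tostring(AlertData.ruleName),
         ResourceTitle = tostring(AlertData.resourceTitle),
         Severity = tostring(coalesce(AlertData.severity, MetadataSeverity))
// Map the label to a rank so max() is semantic; max() on the raw string is alphabetical
// and ranks MEDIUM above HIGH.
| extend SeverityRank = case(tolower(Severity) == "high", 3,
                             tolower(Severity) == "medium", 2,
                             tolower(Severity) == "low", 1, 0)
| summarize Hits = count(),
            Rules = make_set(RuleName, 25),
            Resources = make_set(ResourceTitle, 25),
            MaxRank = max(SeverityRank),
            NaiveMax = max(Severity)
            by Owner
| extend MaxSeverity = case(MaxRank == 3, "High", MaxRank == 2, "Medium", MaxRank == 1, "Low", "Unknown")
| project Owner, Hits, MaxSeverity, NaiveMax, Rules, Resources
| order by Hits desc
```

alice@example.com ranks first with three hits and MaxSeverity High while NaiveMax reads MEDIUM; bob@example.com is kept through the AlertDataType branch with his severity taken from MetadataSeverity, and carol@example.com does not appear.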

Details


David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL

Keywords

GWSAlerts, TimeGenerated, Source, AlertDataType, Owner, RuleName, ResourceTitle, Severity, Hits, Rules, Resources, MaxSeverity, GoogleWorkspace, DLP, Exfiltration

Operators

where, ago, or, endswith, extend, tostring, coalesce, summarize, count, make_set, max, by, order by, desc
