Query Details

GWS Alerts Domain Wide Takeout

Query

id: 7a3f2c8e-1d4b-4e5a-9c2f-8b1d7e6a4f02
name: GWS - Domain-Wide Takeout Initiated
description: |
  A super admin initiated a domain-wide data takeout. This exports every user's
  data and is a high-impact action commonly observed in account-takeover and
  insider exfiltration scenarios.
severity: High
status: Available
requiredDataConnectors:
  - connectorId: GoogleWorkspaceDefinition
    dataTypes:
      - GWSAlerts_CL
queryFrequency: 10m
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Exfiltration
relevantTechniques:
  - T1567
  - T1530
query: |
  GWSAlerts_CL
  | where Source == "Domain wide takeout"
       or AlertDataType endswith "DomainWideTakeoutInitiated"
       or AlertType has "takeout"
  | extend Initiator = tostring(coalesce(AlertData.email, AlertData.initiator))
  | project TimeGenerated, AlertId, MetadataSeverity, Source, AlertType,
            Initiator, SecurityInvestigationToolLink, AlertData
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: Initiator
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: SecurityInvestigationToolLink
incidentConfiguration:
  createIncident: true
version: 1.0.0
kind: Scheduled

Explanation

This query is designed to monitor and detect when a super admin initiates a domain-wide data takeout in Google Workspace. This action involves exporting all users' data and is considered high-risk, as it can indicate potential account takeover or insider data exfiltration.

Here's a simplified breakdown of the query:

  • Purpose: To identify and alert on domain-wide data takeout actions initiated by a super admin, which could be a sign of malicious activity.
  • Severity: High, due to the potential for significant data exposure.
  • Data Source: The query uses data from Google Workspace alerts, specifically looking at logs related to domain-wide takeouts.
  • Frequency: The query runs every 10 minutes and looks back over the past hour for any relevant activity.
  • Trigger: An alert is triggered if any such activity is detected (i.e., more than 0 occurrences).
  • Tactics and Techniques: It is associated with the "Exfiltration" tactic and techniques T1567 (Data Transfer to Cloud Account) and T1530 (Data from Cloud Storage Object).
  • Query Logic: It filters for alerts related to domain-wide takeouts, extracts relevant information such as the initiator's email, and projects key details like the time of the alert, alert ID, severity, and a link to the security investigation tool.
  • Entity Mapping: It maps the initiator's email to an account entity and the investigation tool link to a URL entity.
  • Incident Creation: If such an event is detected, an incident is automatically created for further investigation.

Overall, this query helps security teams quickly identify and respond to potentially unauthorized or suspicious data export activities within a Google Workspace environment.
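To make the matching behaviour of the rule checkable offline, here is an added Python model of its where / extend / project pipeline; it is not part of the original rule and only approximates the KQL operator semantics it relies on (`==` is case-sensitive, `endswith` and `has` are case-insensitive, `has` matches whole terms), run over constructed GWSAlerts_CL-shaped rows.

```python
import re

def kql_has(haystack, term):
    """Approximate KQL `has`: case-insensitive match on a whole alphanumeric term,
    so "Takeouts scheduled" does not match "takeout" but "Domain-wide Takeout" does."""
    tokens = re.findall(r"[A-Za-z0-9]+", haystack or "")
    return term.lower() in (t.lower() for t in tokens)

def kql_endswith(value, suffix):
    """KQL `endswith` is case-insensitive (`endswith_cs` is the case-sensitive form)."""
    return (value or "").lower().endswith(suffix.lower())

def coalesce(*values):
    """KQL coalesce(): first argument that is not null."""
    return next((v for v in values if v is not None), None)

PROJECTED = ("TimeGenerated", "AlertId", "MetadataSeverity", "Source",
             "AlertType", "SecurityInvestigationToolLink", "AlertData")

def detect_domain_wide_takeout(records):
    """Apply the rule's where / extend / project pipeline to dict-shaped rows."""
    hits = []
    for r in records:
        matched = (r.get("Source") == "Domain wide takeout"  # == is case-sensitive
                   or kql_endswith(r.get("AlertDataType"), "DomainWideTakeoutInitiated")
                   or kql_has(r.get("AlertType"), "takeout"))
        if not matched:
            continue
        data = r.get("AlertData") or {}
        initiator = coalesce(data.get("email"), data.get("initiator"))
        row = {k: r.get(k) for k in PROJECTED}
        row["Initiator"] = "" if initiator is None else str(initiator)  # tostring(null) -> ""
        hits.append(row)
    return hits

# Constructed sample rows in the shape of GWSAlerts_CL (not real alerts); a1-a3 should fire.
SAMPLE_ALERTS = [
    {"AlertId": "a1", "Source": "Domain wide takeout", "AlertType": "Domain wide takeout",
     "AlertDataType": "constructed.DomainWideTakeoutInitiated",
     "AlertData": {"email": "admin@example.com"}},
    {"AlertId": "a2", "Source": "Other", "AlertType": "Unrelated",
     "AlertDataType": "constructed.domainwidetakeoutinitiated",  # suffix match, any case
     "AlertData": {"initiator": "ops@example.com"}},             # no email -> initiator
    {"AlertId": "a3", "Source": "other", "AlertType": "Domain-wide Takeout started",
     "AlertDataType": "constructed.Something", "AlertData": {}},  # has() whole-term match
    {"AlertId": "a4", "Source": "domain wide takeout", "AlertType": "Takeouts scheduled",
     "AlertDataType": "constructed.Something", "AlertData": {}},  # neither == nor has()
    {"AlertId": "a5", "Source": "Gmail", "AlertType": "Phishing",
     "AlertDataType": "constructed.PhishingDetected", "AlertData": {"email": "u@example.com"}},
]
```

The a4 row shows the two ways a genuine takeout alert could slip past this rule (a differently cased Source value, or an AlertType that only contains "takeout" as part of a longer word), which is why the rule also keys on the AlertDataType suffix.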

Details

David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL

Keywords

Google Workspace, Alerts, Domain Takeout, Account, URL, Security Investigation Tool, Alert Data

Operators

where, or, endswith, has, extend, tostring, coalesce, project