Query Details

GWS - Potential Ransomware Detected on Drive

GWS Alerts Drive Ransomware

Query

GWSAlerts_CL
| where Source == "Drive Counter Abuse"
     or AlertType has "ransomware"
     or (AlertDataType endswith "DriveSyncStateChanged" and tostring(AlertData.state) =~ "PAUSED")
| extend AffectedUser = tostring(AlertData.email)
| project TimeGenerated, AlertId, MetadataSeverity, Source, AlertType,
          AffectedUser, SecurityInvestigationToolLink, AlertData

Explanation

This query is part of a scheduled detection rule designed to identify potential ransomware activity on Google Drive. Here's a simple breakdown of what it does:

  1. Purpose: The query is set up to detect mass file changes on Google Drive that are consistent with ransomware encryption. When such activity is detected, file syncing is automatically paused to prevent further damage.

  2. Severity and Status: The alert generated by this query is classified as "High" severity and is currently "Available" for use.

  3. Data Source: It uses data from Google Workspace, specifically looking at alerts related to Google Drive.

  4. Frequency and Duration: The query runs every 10 minutes and looks back over the past hour to check for any relevant alerts.

  5. Detection Logic:

    • It searches for alerts from the "Drive Counter Abuse" source.
    • It looks for alerts that mention "ransomware."
    • It checks if the Drive sync state has changed to "PAUSED," which indicates a potential ransomware threat.
  6. Output: The query extracts and displays information such as the time the alert was generated, the alert ID, severity, source, type of alert, the affected user's email, and a link to a security investigation tool.

  7. Entity Mapping:

    • It maps the affected user's email to an "Account" entity.
    • It maps the security investigation tool link to a "URL" entity.
  8. Incident Creation: If the query detects any potential ransomware activity, it automatically creates an incident for further investigation.

  9. Version and Type: This is version 1.0.0 of the rule, and it is a "Scheduled" type, meaning it runs automatically at specified intervals.

Overall, this query helps in early detection and response to potential ransomware threats on Google Drive by pausing file syncing and alerting security teams to investigate further.

Details

David Alonso profile picture

David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL

Keywords

GoogleDriveRansomwareUserEndpointFilesAccountURL

Operators

whereorendswithtostring=~extendproject

Severity

High

Tactics

Impact

MITRE Techniques

Frequency: 10m

Period: 1h

Actions

GitHub