Query Details

GWS Alerts Drive Ransomware

Query

id: 7a3f2c8e-1d4b-4e5a-9c2f-8b1d7e6a4f03
name: GWS - Potential Ransomware Detected on Drive
description: |
  Google's Drive Counter-Abuse system detected mass file changes consistent with
  ransomware encryption. File syncing is auto-paused. Investigate the affected
  user, endpoint, and recently shared/downloaded files.
severity: High
status: Available
requiredDataConnectors:
  - connectorId: GoogleWorkspaceDefinition
    dataTypes:
      - GWSAlerts_CL
queryFrequency: 10m
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Impact
relevantTechniques:
  - T1486
query: |
  GWSAlerts_CL
  | where Source == "Drive Counter Abuse"
       or AlertType has "ransomware"
       or (AlertDataType endswith "DriveSyncStateChanged" and tostring(AlertData.state) =~ "PAUSED")
  | extend AffectedUser = tostring(AlertData.email)
  | project TimeGenerated, AlertId, MetadataSeverity, Source, AlertType,
            AffectedUser, SecurityInvestigationToolLink, AlertData
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AffectedUser
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: SecurityInvestigationToolLink
incidentConfiguration:
  createIncident: true
version: 1.0.0
kind: Scheduled

Explanation

This query is part of a scheduled detection rule designed to identify potential ransomware activity on Google Drive. Here's a simple breakdown of what it does:

  1. Purpose: The rule surfaces Google Workspace alerts in which Google's Drive Counter-Abuse system has reported mass file changes consistent with ransomware encryption. The pausing of file syncing is done by Google when it raises the alert; the rule itself only detects and reports, it does not pause anything. The analyst's job on firing is to check the affected user, their endpoint, and files recently shared or downloaded.

  2. Severity and Status: The alert generated by this query is classified as "High" severity and is currently "Available" for use.

  3. Data Source: It uses data from Google Workspace, specifically looking at alerts related to Google Drive.

  4. Frequency and Duration: The query runs every 10 minutes and looks back over the past hour. Because the lookback window is six times the run interval, the same alert row can match up to six consecutive runs; without deduplication on AlertId or incident grouping on the account entity, one Google alert can open several incidents.

  5. Detection Logic: A row from GWSAlerts_CL matches if any of the following holds:

    • Its Source is exactly "Drive Counter Abuse" (case-sensitive equality).
    • Its AlertType contains "ransomware" as a whole term (KQL has is case-insensitive but term-based, so "antiransomware" would not match).
    • Its AlertDataType ends with "DriveSyncStateChanged" and the nested AlertData.state is "PAUSED" (both case-insensitive), meaning Google has paused Drive sync for the account.

  6. Output: The query projects the alert time, the alert ID, severity, source, alert type, the affected user's email (extracted from AlertData.email), the link to Google's security investigation tool, and the raw AlertData payload for triage.

  7. Entity Mapping:

    • It maps the affected user's email (AffectedUser) to an "Account" entity.
    • It maps the security investigation tool link to a "URL" entity.

  8. Incident Creation: With triggerOperator gt and triggerThreshold 0, any run that returns at least one row fires the rule, and createIncident: true turns that alert into an incident for investigation.

  9. Version and Type: This is version 1.0.0 of the rule, and it is a "Scheduled" type, meaning it runs automatically at specified intervals.

Overall, this rule turns Google's own Drive ransomware signal into a Microsoft Sentinel incident: Google detects the mass encryption and pauses syncing, and the rule makes sure the security team is alerted promptly, with the affected account and the investigation link attached.
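The detection logic above, as an added example that is not part of the original rule: a Python model of the KQL filter and projection, run over a handful of constructed GWSAlerts_CL rows so the three match conditions, the case-insensitive KQL operator semantics, the one-hour window and the duplicate-firing caveat can be checked offline. Field names follow the query; the sample rows, their AlertDataType suffixes and email addresses are invented, and the KQL operator emulation is an approximation rather than the Kusto engine.

```python
"""Offline model of the 'GWS - Potential Ransomware Detected on Drive' rule.

Added example (not the rule's own code): re-implements the KQL where/extend/
project logic in Python over constructed GWSAlerts_CL rows. Operator
semantics are approximated: `has` = whole-term, case-insensitive;
`endswith` and `=~` = case-insensitive.
"""
import re
from datetime import datetime, timedelta, timezone


def kql_has(value, term):
    # KQL `has` matches whole terms only, so "Antiransomware" does NOT match "ransomware".
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, value or "", re.IGNORECASE) is not None


def kql_endswith(value, suffix):
    return (value or "").lower().endswith(suffix.lower())


def kql_eq_ci(value, other):
    return (value or "").lower() == other.lower()


def matches_rule(row):
    """The three OR-ed conditions of the rule's `where` clause."""
    data = row.get("AlertData") or {}
    return (
        row.get("Source") == "Drive Counter Abuse"  # == in KQL is case-sensitive
        or kql_has(row.get("AlertType"), "ransomware")
        or (kql_endswith(row.get("AlertDataType"), "DriveSyncStateChanged")
            and kql_eq_ci(str(data.get("state", "")), "PAUSED"))
    )


def project(row):
    """The rule's `extend AffectedUser` + `project` step."""
    data = row.get("AlertData") or {}
    return {
        "TimeGenerated": row["TimeGenerated"],
        "AlertId": row["AlertId"],
        "MetadataSeverity": row.get("MetadataSeverity"),
        "Source": row.get("Source"),
        "AlertType": row.get("AlertType"),
        "AffectedUser": str(data.get("email", "")),
        "SecurityInvestigationToolLink": row.get("SecurityInvestigationToolLink"),
        "AlertData": data,
    }


def run_rule(rows, now, query_period=timedelta(hours=1)):
    """One scheduled run: apply the queryPeriod lookback, the filter and the projection."""
    start = now - query_period
    return [project(r) for r in rows if start <= r["TimeGenerated"] <= now and matches_rule(r)]


def dedupe(results):
    """Keep one row per AlertId (latest TimeGenerated). The rule runs every 10
    minutes over a 1-hour window, so one alert is returned by up to six runs."""
    latest = {}
    for r in results:
        cur = latest.get(r["AlertId"])
        if cur is None or r["TimeGenerated"] > cur["TimeGenerated"]:
            latest[r["AlertId"]] = r
    return list(latest.values())


NOW = datetime(2026, 5, 7, 12, 0, tzinfo=timezone.utc)

# Constructed sample rows (hypothetical values, not real GWS alert data).
SAMPLE_ROWS = [
    {"TimeGenerated": NOW - timedelta(minutes=5), "AlertId": "a-1", "MetadataSeverity": "HIGH",
     "Source": "Drive Counter Abuse", "AlertType": "Potential ransomware activity",
     "AlertDataType": "example.DriveCounterAbuse", "SecurityInvestigationToolLink": "https://example.invalid/sit/1",
     "AlertData": {"email": "alice@example.com", "state": "ACTIVE"}},
    {"TimeGenerated": NOW - timedelta(minutes=20), "AlertId": "a-2", "MetadataSeverity": "HIGH",
     "Source": "Other", "AlertType": "Ransomware detected", "AlertDataType": "example.Other",
     "SecurityInvestigationToolLink": "https://example.invalid/sit/2",
     "AlertData": {"email": "bob@example.com"}},
    {"TimeGenerated": NOW - timedelta(minutes=40), "AlertId": "a-3", "MetadataSeverity": "MEDIUM",
     "Source": "Other", "AlertType": "Sync state", "AlertDataType": "example.drivesyncstatechanged",
     "SecurityInvestigationToolLink": "https://example.invalid/sit/3",
     "AlertData": {"email": "carol@example.com", "state": "paused"}},
    {"TimeGenerated": NOW - timedelta(minutes=30), "AlertId": "a-4", "MetadataSeverity": "LOW",
     "Source": "Other", "AlertType": "Sync state", "AlertDataType": "example.DriveSyncStateChanged",
     "AlertData": {"email": "dave@example.com", "state": "ACTIVE"}},   # sync not paused: no match
    {"TimeGenerated": NOW - timedelta(minutes=15), "AlertId": "a-5", "MetadataSeverity": "LOW",
     "Source": "Other", "AlertType": "Antiransomware update", "AlertDataType": "example.Other",
     "AlertData": {"email": "erin@example.com"}},                      # `has` is term-based: no match
    {"TimeGenerated": NOW - timedelta(hours=2), "AlertId": "a-6", "MetadataSeverity": "HIGH",
     "Source": "Drive Counter Abuse", "AlertType": "Potential ransomware activity",
     "AlertDataType": "example.DriveCounterAbuse",
     "AlertData": {"email": "frank@example.com"}},                     # outside the 1h window
]

if __name__ == "__main__":
    for r in run_rule(SAMPLE_ROWS, NOW):
        print(r["AlertId"], r["AffectedUser"], r["Source"], r["AlertType"])
```

Running it lists a-1, a-2 and a-3 with their affected users; a-4, a-5 and a-6 are filtered out for the reasons noted in the comments. Concatenating two runs ten minutes apart and passing the result through dedupe shows why a production version of the rule should either deduplicate on AlertId or rely on incident grouping.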

Details


David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL

Keywords

Google Drive, Ransomware, User, Endpoint, Files, Account, URL

Operators

where, or, endswith, tostring, =~, extend, project
