elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[New hunt] A sensitive canary file was accessed in Google Workspace #4125

Open brokensound77 opened 6 days ago

brokensound77 commented 6 days ago

Description

A known sensitive canary file was accessed in Google Workspace, indicating attempts to access sensitive information or files without proper permissions.

This would require the prerequisite step of strategically naming and placing the canary files in locations that are deemed the most vulnerable (or interesting). Ideally, this would be a rule vs a hunt; however, because of the unique nature of all environments and canary naming patterns, it is not easily done via a prebuilt rule.

Where this gets really interesting - expanding beyond this rule

To take this detection even further, an accompanying OSQuery and/or YARA signature can be created to detect when the file is downloaded or opened.

Steps:

  1. create this hunt (or better, custom rule), defining sensitive file name, path, or other criteria
  2. (optionally) create an OSQuery recurring search to detect it on name or hash

```sql
-- osquery FIM only records paths listed under file_paths in the osquery
-- config, so the canary directories must be configured there first.
-- Action values are upper case (Linux inotify reports an open as OPENED;
-- check which actions your platform's FIM backend actually emits).
-- SQLite does not unescape backslashes, so Windows paths use single ones.
SELECT *
FROM file_events
WHERE action = 'OPENED'
AND (
    target_path IN (
        'C:\path\to\your\sensitive.doc',       -- Windows path
        '/path/to/your/sensitive.doc',         -- Linux path
        '/path/to/your/sensitive.doc'          -- macOS path
    )
    OR
    sha256 = '<computed_hash_value>'
);
```

  3. (optionally) create an OSQuery recurring search to run a YARA scan and write a YARA signature to look for identifying patterns

Target Huntset

google_workspace

Target hunt Type

ES|QL

Query

```esql
from logs-google_workspace*
// ES|QL == is a literal comparison, so file.name == "*" never acts as a
// wildcard; use in (...) for exact canary names, or like "pattern*" for
// wildcard patterns. in (...) cannot match a null file.name, so no separate
// is not null check is needed.
| where event.action in ("view", "download") and
  (
    //expand to canary patterns
    file.name in ("known", "canary", "patterns")
  )
| stats files=count(*) by file.name, user.email, event.action
| sort files asc
```

Related issues or PRs

No response

References

No response

Redacted Example Data

No response
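The hunt above cannot ship as a prebuilt rule because the canary names differ per environment. The following added example (not code from this issue or from the detection-rules project) keeps the canary set in a small manifest, renders it as the `| where` body of the ES|QL hunt, and runs the same match-and-count logic over a handful of constructed ECS-style Drive events so the expected hits can be checked before the query is deployed. The canary names, glob patterns and events are all hypothetical.

```python
"""Canary-file hunt over Google Workspace Drive audit events.

Added example, not code from the issue or the detection-rules project. The
canary names, glob patterns and events are constructed; real events come
from logs-google_workspace* after the Elastic integration maps Drive audit
records to ECS (file.name, user.email, event.action).
"""
from collections import Counter
from fnmatch import fnmatchcase
import json

# Constructed canary manifest (hypothetical names). Exact names become an
# ES|QL `in (...)`; globs become `like "..."` clauses. Keep globs to `*` and
# `?`, which ES|QL like and fnmatch interpret the same way (avoid `[...]`).
CANARY_MANIFEST = {
    "exact": ["Q3_Board_Compensation.xlsx", "prod-db-credentials.txt"],
    "globs": ["*_SSN_export*.csv", "payroll_backup_*.zip"],
}
# Drive actions that show the content was read, as in the issue's hunt.
CANARY_ACTIONS = ("view", "download")


def is_canary(file_name, manifest=CANARY_MANIFEST):
    """True if file_name is an exact canary name or matches a canary glob."""
    if not file_name:  # events without a file name (non-Drive events) never match
        return False
    if file_name in manifest["exact"]:
        return True
    return any(fnmatchcase(file_name, g) for g in manifest["globs"])


def hunt(events, manifest=CANARY_MANIFEST, actions=CANARY_ACTIONS):
    """Same aggregation as the ES|QL stats: hits per (file.name, user.email, event.action)."""
    hits = Counter()
    for ev in events:
        if ev.get("event.action") not in actions:
            continue
        if not is_canary(ev.get("file.name"), manifest):
            continue
        hits[(ev["file.name"], ev.get("user.email"), ev["event.action"])] += 1
    return hits


def ranked(hits):
    """Rows sorted most-hit first, then by key, for analyst review."""
    return sorted(hits.items(), key=lambda kv: (-kv[1], tuple(str(x) for x in kv[0])))


def render_esql_where(manifest=CANARY_MANIFEST, actions=CANARY_ACTIONS):
    """Render the manifest as the body of the hunt's `| where` clause so the
    query can be regenerated whenever the canary set changes."""
    clauses = []
    if manifest["exact"]:
        names = ", ".join(json.dumps(n) for n in manifest["exact"])
        clauses.append(f"file.name in ({names})")
    clauses += [f"file.name like {json.dumps(g)}" for g in manifest["globs"]]
    acts = ", ".join(json.dumps(a) for a in actions)
    return f"event.action in ({acts}) and ({' or '.join(clauses)})"


# Constructed ECS-style events with flattened field names, not real audit data.
SAMPLE_EVENTS = [
    {"event.action": "view", "file.name": "Q3_Board_Compensation.xlsx", "user.email": "alice@example.com"},
    {"event.action": "download", "file.name": "Q3_Board_Compensation.xlsx", "user.email": "alice@example.com"},
    {"event.action": "download", "file.name": "2024_SSN_export_full.csv", "user.email": "bob@example.com"},
    {"event.action": "edit", "file.name": "Q3_Board_Compensation.xlsx", "user.email": "carol@example.com"},  # action not hunted
    {"event.action": "view", "file.name": "lunch_menu.docx", "user.email": "alice@example.com"},  # not a canary
    {"event.action": "view", "file.name": None, "user.email": "dave@example.com"},  # no file on this event
    {"event.action": "view", "file.name": "Q3_Board_Compensation.xlsx", "user.email": "alice@example.com"},
]

if __name__ == "__main__":
    print("| where " + render_esql_where())
    for (name, user, action), n in ranked(hunt(SAMPLE_EVENTS)):
        print(f"{n:>3}  {action:<9} {user:<20} {name}")
```

The rendered `where` body drops straight into the ES|QL query in place of the placeholder `file.name in (...)`, and the sample run yields three rows: two views and one download of the spreadsheet by one user, plus one download of the glob-matched CSV; the edit, the non-canary file and the event with no file name are all filtered out.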