Google Drive Document Shared Externally
Detects when a user changes the visibility of a Google Drive document to be accessible externally.
Query
Detect in real time when the Google Drive Activity action type is change_document_visibility and the parameter visibility_change is set to external.
The visibility_change parameter has three possible values: none, internal, and external. The value external means that a document previously restricted to internal access has been changed to be accessible externally.
| search action == "change_document_visibility"
| eval visibility_change = strjoin("", foreach(if(valueof(_1, "name") == "visibility_change", valueof(_1, "value"), ""), params))
| search visibility_change == "external"
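As an added example (not part of the rule page), the following Python replays the rule's two search stages and the params extraction over constructed Drive audit events. The event field names follow the rule's output fields; the sample events, addresses and titles are made up.

```python
from typing import Dict, List, Optional

# Alert text from the rule's Message section, with $user / $doc_title substituted.
MESSAGE = "Google Drive Document Publicly Shared Externally: User {user}, Document {doc_title}"

def param_value(params: Optional[List[Dict]], name: str) -> str:
    """Equivalent of the rule's strjoin/foreach/valueof expression: join the 'value'
    of every params entry whose 'name' matches; "" when no entry matches."""
    return "".join(str(p.get("value", "")) for p in (params or []) if p.get("name") == name)

def is_external_share(event: Dict) -> bool:
    """Both search stages of the rule: right action type, then visibility_change == external."""
    if event.get("action") != "change_document_visibility":
        return False
    return param_value(event.get("params"), "visibility_change") == "external"

def detect(events: List[Dict]) -> List[str]:
    """Run the rule over a batch of events and return the alert messages it would emit."""
    return [MESSAGE.format(user=ev.get("user", "?"), doc_title=ev.get("doc_title", "?"))
            for ev in events if is_external_share(ev)]

# Constructed sample events shaped like the rule's fields (not real log data).
SAMPLE_EVENTS = [
    {   # internal -> external: should alert
        "action": "change_document_visibility", "user": "alice@example.com", "doc_title": "Q3 Roadmap",
        "params": [{"name": "old_visibility", "value": "people_within_domain"},
                   {"name": "visibility", "value": "people_with_link"},
                   {"name": "visibility_change", "value": "external"}],
    },
    {   # external -> internal: visibility_change is 'internal', no alert
        "action": "change_document_visibility", "user": "bob@example.com", "doc_title": "Vendor Contract",
        "params": [{"name": "visibility_change", "value": "internal"}],
    },
    {   # visibility event without a visibility_change param: extractor yields "", no alert
        "action": "change_document_visibility", "user": "carol@example.com", "doc_title": "Team Notes",
        "params": [{"name": "visibility", "value": "private"}],
    },
    {   # other action type: dropped by the first search stage even though the param says external
        "action": "change_user_access", "user": "dave@example.com", "doc_title": "Budget",
        "params": [{"name": "visibility_change", "value": "external"}],
    },
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```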
Message
- Google Drive Document Publicly Shared Externally: User $user, Document $doc_title
Output field order
- _log_time, type, src_ip, user, action, doc_id, doc_type, doc_title, old_visibility, visibility, owner, is_primary_event, is_encrypted, is_team_drive, is_shared_drive, is_billable, originating_app_id, originating_app_name, params
Threat Analysis
- If a document created for internal use is changed to be externally accessible, confidential information (e.g., customer data, internal strategy, financial information) may be leaked outside the organization. This is a major cause of data loss incidents and a central concern of Data Loss Prevention (DLP).
- This can happen either accidentally by a user or intentionally by an insider sharing documents with external parties. In particular, if the setting is changed to “Anyone with the link,” anyone outside the organization who obtains the link can access the document.
False Positive Types
- When a document is intentionally shared for external collaboration (e.g., with customers, external partners, contractors, etc.), such sharing may be considered normal usage. In this case, even though an alert is triggered as “external sharing,” it may not represent an actual threat.
Response Actions
- Review the alert details and identify the modified document and the user.
- Examine the document to determine whether it contains confidential information and assess the risk of external access.
- If the document contains confidential data, immediately change the sharing settings back to internal-only to prevent unnecessary external access.
- Confirm the reason for the change with the user. If account compromise is suspected, reset the password and terminate active sessions.
- Investigate whether similar changes have occurred by the same user or within the same project, and implement preventive measures to avoid recurrence.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- Name: File and Directory Permissions Modification
- ID: T1222
- Reference URL: https://attack.mitre.org/techniques/T1222/