Google Workspace

Last updated Apr 29, 2025

Google Drive Mass Download Detection

Detects when a user downloads a large number of Google Drive files from outside the corporate network.

Query

Detects when documents shared internally (visibility `shared_internally`, `public_in_the_domain`, or `people_within_domain_with_link`) are downloaded in bulk from an IP address outside the “corporate network range” group. The activity is flagged as suspicious when a single user downloads at least 10 distinct documents and that count is a clear outlier compared to other users (the query's local outlier factor score, `_lof`, is at least 1.5).

table from=$("from") to=$("to") *:GOOGLE_DRIVE 
| search action == "download" and isnotnull(src_ip) and in(visibility, "shared_internally", "public_in_the_domain", "people_within_domain_with_link") 
| matchnet guid="bb994ca4-1471-4b91-89f2-99a61bd529b5" field=src_ip invert=t 
| join user 
    [ 
    table from=$("from") to=$("to") *:GOOGLE_DRIVE 
    | search action == "download" and isnotnull(src_ip) and in(visibility, "shared_internally", "public_in_the_domain", "people_within_domain_with_link") 
    | matchnet guid="bb994ca4-1471-4b91-89f2-99a61bd529b5" field=src_ip invert=t 
    | stats values(doc_title) as doc_title, count, dc(doc_id) as doc_count, values(src_ip) as src_ip by user 
    | lof eps=0.1 doc_count 
    | search doc_count >= 10 and _lof >= 1.5 | fields user ]
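The query above runs inside the SIEM, so its stages are hard to study in isolation. The following is an added example, not Logpresso's code or this rule's own logic: it re-implements the same pipeline in plain Python over constructed Google Drive audit events (the filter on action and visibility, the inverted corporate-network match, the per-user `count`/`dc(doc_id)` aggregation, a local outlier factor score on `doc_count`, and the final `doc_count >= 10 and _lof >= 1.5` gate). The corporate CIDR list, the event field values, and the LOF neighbourhood size (k = 2, a plain Breunig-style LOF rather than Logpresso's `lof eps=0.1` command) are all assumptions made for the example.

```python
"""Added example (not Logpresso's or the rule author's code): the Google Drive mass
download detection pipeline re-implemented in plain Python over constructed events.
Assumptions: events carry the GOOGLE_DRIVE field names used in the query; the corporate
network range is a constructed CIDR list; LOF uses a hand-written k-NN implementation."""
import ipaddress
from collections import defaultdict

# Constructed stand-in for the "corporate network range" group referenced by matchnet.
CORPORATE_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "198.51.100.0/24")]
INTERNAL_VISIBILITY = {"shared_internally", "public_in_the_domain", "people_within_domain_with_link"}
MIN_DOCS = 10        # search doc_count >= 10
LOF_THRESHOLD = 1.5  # search _lof >= 1.5
K_NEIGHBOURS = 2     # assumption: neighbourhood size for the LOF computation


def is_corporate(ip: str) -> bool:
    """True when the source address falls inside the corporate network range group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def external_internal_downloads(events):
    """The `search action == "download" ...` stage plus `matchnet ... invert=t`."""
    for e in events:
        if e.get("action") != "download" or not e.get("src_ip"):
            continue
        if e.get("visibility") not in INTERNAL_VISIBILITY:
            continue
        if is_corporate(e["src_ip"]):  # invert=t keeps only non-corporate sources
            continue
        yield e


def per_user_stats(events):
    """The `stats values(doc_title), count, dc(doc_id), values(src_ip) by user` stage."""
    acc = defaultdict(lambda: {"count": 0, "doc_ids": set(), "doc_titles": set(), "src_ips": set()})
    for e in external_internal_downloads(events):
        s = acc[e["user"]]
        s["count"] += 1
        s["doc_ids"].add(e["doc_id"])
        s["doc_titles"].add(e["doc_title"])
        s["src_ips"].add(e["src_ip"])
    return {u: {"count": s["count"], "doc_count": len(s["doc_ids"]),
                "doc_title": sorted(s["doc_titles"]), "src_ip": sorted(s["src_ips"])}
            for u, s in acc.items()}


def local_outlier_factor(values, k=K_NEIGHBOURS):
    """Standard LOF (Breunig et al.) on 1-D values; ~1.0 means 'as dense as its neighbours'."""
    n = len(values)
    if n <= k:
        return [1.0] * n
    dist = lambda i, j: abs(values[i] - values[j])
    kdist, nbrs = [], []
    for i in range(n):
        kd = sorted(dist(i, j) for j in range(n) if j != i)[k - 1]  # k-distance of point i
        kdist.append(kd)
        nbrs.append([j for j in range(n) if j != i and dist(i, j) <= kd])  # k-neighbourhood
    lrd = []
    for i in range(n):
        reach = sum(max(kdist[j], dist(i, j)) for j in nbrs[i])  # reachability distances
        lrd.append(len(nbrs[i]) / max(reach, 1e-9))  # guard: identical values give reach 0
    return [sum(lrd[j] for j in nbrs[i]) / len(nbrs[i]) / lrd[i] for i in range(n)]


def detect_mass_download(events):
    """Returns the users that would match the rule, with their stats and _lof score."""
    stats = per_user_stats(events)
    users = sorted(stats)
    for u, lof in zip(users, local_outlier_factor([stats[u]["doc_count"] for u in users])):
        stats[u]["_lof"] = lof
    return {u: stats[u] for u in users
            if stats[u]["doc_count"] >= MIN_DOCS and stats[u]["_lof"] >= LOF_THRESHOLD}


def alert_messages(hits):
    """Renders the rule's Message template for each hit."""
    return [f"Google Drive document externally accessed: User {u}, Document {', '.join(s['doc_title'])}"
            for u, s in hits.items()]


# ---- constructed sample events (not real audit data) ----
def _download(user, doc_id, src_ip, visibility="shared_internally"):
    return {"action": "download", "user": user, "doc_id": doc_id, "doc_title": f"Doc {doc_id}",
            "src_ip": src_ip, "visibility": visibility}

SAMPLE_EVENTS = []
# Remote workers downloading a handful of internally shared documents each.
for user, n, ip in (("alice", 3, "203.0.113.10"), ("bob", 5, "203.0.113.11"),
                    ("carol", 4, "203.0.113.12"), ("dave", 6, "203.0.113.13")):
    SAMPLE_EVENTS += [_download(user, f"{user}-{i}", ip) for i in range(n)]
# erin downloads 30 documents from a corporate address: dropped by the matchnet stage.
SAMPLE_EVENTS += [_download("erin", f"erin-{i}", "10.20.30.40") for i in range(30)]
# alice also downloads a private document: dropped by the visibility filter.
SAMPLE_EVENTS.append(_download("alice", "alice-private", "203.0.113.10", visibility="private"))
# mallory downloads 42 distinct shared documents (one of them twice) from outside the network.
SAMPLE_EVENTS += [_download("mallory", f"m-{i}", "203.0.113.45") for i in range(42)]
SAMPLE_EVENTS.append(_download("mallory", "m-0", "203.0.113.45"))

if __name__ == "__main__":
    for line in alert_messages(detect_mass_download(SAMPLE_EVENTS)):
        print(line)
```

On the constructed data the four remote workers score a LOF of exactly 1.0 (each is as dense as its neighbours), while mallory's 42 distinct documents score well above the 1.5 threshold; erin's 30 corporate-sourced downloads never reach the aggregation, which is the behaviour the "corporate network range group" false-positive note depends on. Note that the duplicate download of `m-0` raises `count` to 43 but leaves `doc_count` at 42, which is why the rule gates on `dc(doc_id)` rather than the raw event count.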

Message

  • Google Drive document externally accessed: User $user, Document $doc_title

Output Field Order

  • _log_time, type, src_ip, user, action, doc_id, doc_type, doc_title, old_visibility, visibility, owner, is_primary_event, is_encrypted, is_team_drive, is_shared_drive, is_billable, originating_app_id, originating_app_name, params

Threat Analysis

  • Mass downloads of documents shared within the organization (internal sharing, domain-wide, or accessible via link) from external networks strongly indicate potential internal data exfiltration.
  • Especially when one user downloads an abnormally large number of files within a short time compared to others, it may suggest account compromise (phishing, credential stuffing, etc.) or unauthorized mass extraction by an insider.
  • Attackers often disguise themselves as legitimate users accessing from external networks, making it difficult to distinguish based solely on access logs. Detection relies on analyzing download patterns and abnormal volumes.

False Positive Cases

  • If corporate public IP ranges are missing from the “corporate network range group,” legitimate corporate access may be incorrectly classified as external.
  • Employees working remotely (business trips, telework, WFH) may legitimately download many files from external networks.
  • Bulk downloads may also occur as part of legitimate business operations (e.g., project migration, large-scale document review), in which case the activity may be policy-approved.

Response Actions

  • IP Management: Keep the list of corporate public IP addresses up to date in the “corporate network range group” to minimize unnecessary false positives.
  • Abnormal Behavior Verification: Security teams should immediately review flagged user activity, cross-checking with MFA logs, login locations, and device information to assess account compromise risk.
  • Policy/Business Exception Handling: When mass downloads are essential for work, establish exception policies or approval workflows for relevant users or departments.
  • Post-Incident Actions: If account compromise is suspected, enforce immediate password reset, forced session termination, and additional authentication steps. Conduct user interviews and verify the purpose of access if needed.
  • Continuous Monitoring: Beyond single detection events, track repeated patterns by the same user or IP to identify long-term data exfiltration attempts.

MITRE ATT&CK