I've onboarded Google's Workspace audit logging for Panther, and I want to build a detection which alerts me when a user modifies a drive document. Is that possible?
Using Google's Workspace logs, it's possible to detect when a document is edited, but note that it is not possible to discern what the document content is, or if/how the content was changed. Google does not include document content information in its audit events, and therefore Panther doesn't receive any information about document contents.
You can detect that a document was altered using the Google Drive edit event - this event contains information on the document, including metadata, but doesn't contain any data on the contents.
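A sketch of such a detection, written as Panther-style `rule`/`title` functions. This is an added example, not code from Panther or Google. It assumes the event keeps the field layout of Google's Reports API activity record (`id.applicationName`, `events[].name`, name/value `parameters`), and the helpers `_params` and `drive_edits` are hypothetical names.

```python
# Added example, not Panther's or Google's code. Assumes the event keeps the
# shape of Google's Reports API activity record; adjust to your log schema.

def _params(ev):
    """Flatten Google's [{name, value|boolValue|...}] parameter list to a dict."""
    out = {}
    for p in ev.get("parameters") or []:
        for key in ("value", "boolValue", "multiValue", "intValue"):
            if key in p:
                out[p.get("name")] = p[key]
                break
    return out

def drive_edits(event):
    """Return the metadata of each primary Drive edit in one activity record."""
    if (event.get("id") or {}).get("applicationName") != "drive":
        return []
    edits = []
    for ev in event.get("events") or []:
        params = _params(ev)
        # primary_event is false on secondary events generated by the same action
        if ev.get("name") == "edit" and params.get("primary_event") is not False:
            edits.append(params)
    return edits

def rule(event):
    return bool(drive_edits(event))

def title(event):
    actor = (event.get("actor") or {}).get("email", "<unknown actor>")
    doc = drive_edits(event)[0]
    return f"{actor} edited Drive document {doc.get('doc_title', '<untitled>')!r}"

# Constructed sample records (not real log data).
SAMPLE_EDIT = {
    "id": {"applicationName": "drive"},
    "actor": {"email": "alice@example.com"},
    "events": [{"type": "access", "name": "edit", "parameters": [
        {"name": "primary_event", "boolValue": True},
        {"name": "doc_id", "value": "CONSTRUCTED-DOC-ID"},
        {"name": "doc_title", "value": "Q3 plan"},
        {"name": "doc_type", "value": "document"},
    ]}],
}
SAMPLE_VIEW = {
    "id": {"applicationName": "drive"},
    "actor": {"email": "bob@example.com"},
    "events": [{"type": "access", "name": "view", "parameters": [
        {"name": "primary_event", "boolValue": True}]}],
}
```

The alert can only carry metadata such as the document ID, title and type, because the edit event has no content fields to inspect.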