Google Workspace data export created
Description
AlphaSOC detected an audit event where the eventName begins with
CUSTOMER_TAKEOUT_, indicating a customer data export (takeout) operation was
initiated. Legitimate use cases include user-requested data export or
administrative compliance exports; however, attackers can abuse takeout to
perform bulk data exfiltration of user mail, Drive, and other content.
Impact
A successful data export enables large-scale exfiltration of user and organizational data, potentially including sensitive documents, emails, and configuration information. Exported archives can be downloaded and transferred off-network for further exploitation or disclosure.
Severity
| Severity | Condition |
|---|---|
| Medium | Google Workspace data export created |
Investigation and Remediation
Examine the CUSTOMER_TAKEOUT_* event details in audit logs to identify the
initiating account, target users, and associated IPs. Validate whether the
export was authorized and expected; check for concurrent suspicious activity
such as recent credential changes or abnormal admin logins. If unauthorized,
revoke any issued export links, rotate credentials for implicated accounts, and
investigate the exported artifacts (if retrievable). Implement stricter controls
for takeout operations, require multi-approver workflows, and alert on bulk or
cross-domain exports.
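
The triage steps above can be scripted over exported audit records. The following is an added example, not AlphaSOC's or Google's code: it flags each CUSTOMER_TAKEOUT_* activity whose source IP is unfamiliar for the initiating account or that follows a credential change for that account. It assumes records shaped like Admin SDK Reports API activity items; the sample records, the per-account IP allowlist, and the use of CHANGE_PASSWORD with a USER_EMAIL parameter as the credential-change signal are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records, shaped like Admin SDK Reports API activity items.
SAMPLE_ACTIVITIES = [
    {"id": {"time": "2024-05-01T09:10:00Z"}, "ipAddress": "198.51.100.7",
     "actor": {"email": "helpdesk@example.com"},
     "events": [{"name": "CHANGE_PASSWORD",
                 "parameters": [{"name": "USER_EMAIL", "value": "admin@example.com"}]}]},
    {"id": {"time": "2024-05-01T11:30:00Z"}, "ipAddress": "203.0.113.50",
     "actor": {"email": "admin@example.com"},
     "events": [{"name": "CUSTOMER_TAKEOUT_CREATED", "parameters": []}]},
    {"id": {"time": "2024-05-03T14:00:00Z"}, "ipAddress": "192.0.2.10",
     "actor": {"email": "compliance@example.com"},
     "events": [{"name": "CUSTOMER_TAKEOUT_CREATED", "parameters": []}]},
]
# Assumption: event names counted as credential changes; adjust to your logs.
CREDENTIAL_EVENTS = {"CHANGE_PASSWORD"}
# Constructed allowlist of source IPs previously seen per administrator.
KNOWN_IPS = {"admin@example.com": {"192.0.2.20"},
             "compliance@example.com": {"192.0.2.10"}}

def _time(activity):
    return datetime.fromisoformat(activity["id"]["time"].replace("Z", "+00:00"))

def _targets(activity):
    """Emails named in USER_EMAIL parameters of credential-change events."""
    return {p.get("value") for e in activity.get("events", [])
            if e.get("name") in CREDENTIAL_EVENTS
            for p in e.get("parameters", []) if p.get("name") == "USER_EMAIL"}

def triage_takeouts(activities, known_ips, window=timedelta(hours=24)):
    """Return one finding per CUSTOMER_TAKEOUT_* activity, with review reasons."""
    findings = []
    for act in activities:
        names = [e.get("name", "") for e in act.get("events", [])]
        takeouts = [n for n in names if n.startswith("CUSTOMER_TAKEOUT_")]
        if not takeouts:
            continue
        actor, ip, when = act["actor"]["email"], act.get("ipAddress"), _time(act)
        reasons = []
        if ip not in known_ips.get(actor, set()):
            reasons.append("unfamiliar_ip")
        # Credential change for the initiating account inside the look-back window.
        if any(actor in _targets(o) and timedelta(0) <= when - _time(o) <= window
               for o in activities):
            reasons.append("recent_credential_change")
        findings.append({"actor": actor, "ip": ip, "events": takeouts,
                         "time": when.isoformat(), "reasons": reasons})
    return findings
```

A finding with an empty reasons list still needs the authorization check described above; the reasons only rank which exports to review first.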