Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,731

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 3.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Suspicious Login Activity Classified By Google

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Suspicious Login Activity Classified By Google

Using Splunk · Default · sigma-cli 3.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion3.0.2
title: Suspicious Login Activity Classified By Google
id: 38360161-76c4-4283-842e-efcf997dafc8
status: experimental
description: Detects Google Workspace login activity that's classified as suspicious by Google.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging
    - https://cloud.google.com/logging/docs/audit/understanding-audit-logs
    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_login
    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_login_less_secure_app
    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_programmatic_login
author: Tom Kluter
date: 2026-04-28
tags:
    - attack.initial-access
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.persistence
    - attack.t1078.004
logsource:
    product: gcp
    service: google_workspace.login
detection:
    selection:
        protoPayload.Servicename: 'login.googleapis.com'
        protoPayload.metadata.event.eventName:
            - 'suspicious_login_less_secure_app'
            - 'suspicious_login'
            - 'suspicious_programmatic_login'
    condition: selection
falsepositives:
    - Legitimate logins
level: medium

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/cloud/gcp/gworkspace/login/gcp_gworkspace_suspicious_login.yml