Detection | medium | experimental
Suspicious Login Activity Classified By Google
Detects Google Workspace login activity that's classified as suspicious by Google.
Log Source
Product: Google Cloud (raw: gcp)
Service: google_workspace.login (raw: google_workspace.login)
Detection Logic
detection:
  selection:
    protoPayload.Servicename: 'login.googleapis.com'
    protoPayload.metadata.event.eventName:
      - 'suspicious_login_less_secure_app'
      - 'suspicious_login'
      - 'suspicious_programmatic_login'
  condition: selection
False Positives
Legitimate logins
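To show what the selection above actually matches, here is an added Python example (not part of the rule or the Sigma project) that evaluates the rule's single selector against constructed Google Workspace login audit entries. Field names are kept exactly as the rule on this page writes them; the sample entries, the make_entry helper and the e-mail addresses are assumptions for illustration.

```python
import json
from typing import Any, Iterable, List

# The rule's selection, transcribed from the page (field names as written there).
SELECTION = {
    "protoPayload.Servicename": ["login.googleapis.com"],
    "protoPayload.metadata.event.eventName": [
        "suspicious_login_less_secure_app",
        "suspicious_login",
        "suspicious_programmatic_login",
    ],
}

def get_path(event: dict, dotted: str) -> Any:
    """Resolve a dotted Sigma field name against a nested JSON log entry."""
    node: Any = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def matches(event: dict) -> bool:
    """Sigma map semantics: every field must match, a list value means any-of."""
    return all(get_path(event, field) in allowed for field, allowed in SELECTION.items())

def run_rule(lines: Iterable[str]) -> List[str]:
    """Return the principal e-mail of every matching entry, for triage context."""
    hits = []
    for line in lines:
        event = json.loads(line)
        if matches(event):
            hits.append(event["protoPayload"]["authenticationInfo"]["principalEmail"])
    return hits

def make_entry(service: str, event_name: str, email: str) -> str:
    """Build a constructed (not real) audit entry shaped like the fields the rule reads."""
    return json.dumps({"protoPayload": {
        "Servicename": service,
        "authenticationInfo": {"principalEmail": email},
        "metadata": {"event": {"eventName": event_name}}}})

# Constructed sample log: one suspicious login, one ordinary login, one suspicious
# eventName from another service (must not match), one suspicious programmatic login.
SAMPLE_LOG = [
    make_entry("login.googleapis.com", "suspicious_login", "alice@example.com"),
    make_entry("login.googleapis.com", "login_success", "bob@example.com"),
    make_entry("admin.googleapis.com", "suspicious_login", "carol@example.com"),
    make_entry("login.googleapis.com", "suspicious_programmatic_login", "svc@example.com"),
]

if __name__ == "__main__":
    print(run_rule(SAMPLE_LOG))  # → ['alice@example.com', 'svc@example.com']
```

Because the rule fires on Google's own classification, each hit is a triage lead rather than a confirmed compromise; the false-positive note above (legitimate logins) is why the level stays at medium.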
MITRE ATT&CK
Rule Metadata
Rule ID
38360161-76c4-4283-842e-efcf997dafc8
Status
experimental
Level
medium
Type
Detection
Created
Tue Apr 28
Author
Path
rules/cloud/gcp/gworkspace/login/gcp_gworkspace_suspicious_login.yml
Raw Tags
attack.initial-access, attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1078.004