Detection · medium · experimental

Google Workspace Government Attack Warning

Detects a login attempt in Google Workspace flagged as a potential attack by a government-backed threat actor

Author: Tom Kluter | Created: Tue Apr 28 | Rule ID: eafe6f2b-cfec-4612-aec2-49563c33a087 | Category: cloud
Log Source
Google Cloud / google_workspace.login
Product: Google Cloud (raw: gcp)
Service: google_workspace.login (raw: google_workspace.login)
Detection Logic (1 selector)
detection:
    selection:
        protoPayload.serviceName: 'login.googleapis.com'
        protoPayload.metadata.event.eventName: 'gov_attack_warning'
    condition: selection
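As an added example (not the rule's own code or SigmaHQ's), the selection above evaluated in Python against constructed Cloud Logging records. It assumes the Workspace login audit layout in which protoPayload.metadata.event is a list of event objects, so the dotted Sigma field path has to descend into lists to reach eventName.

```python
# Added example, not part of the Sigma rule or SigmaHQ. Sample records are
# constructed; they follow the Workspace login audit layout in Cloud Logging,
# where protoPayload.metadata.event is a list (assumed, hence list handling).
SELECTION = {  # the rule's selection: field path -> expected value
    "protoPayload.serviceName": "login.googleapis.com",
    "protoPayload.metadata.event.eventName": "gov_attack_warning",
}


def lookup(obj, dotted):
    """Leaf values reachable by a dotted Sigma field path; lists are flattened."""
    values = [obj]
    for key in dotted.split("."):
        nxt = []
        for v in values:
            for item in (v if isinstance(v, list) else [v]):
                if isinstance(item, dict) and key in item:
                    nxt.append(item[key])
        values = nxt
    leaves = []
    for v in values:
        leaves.extend(v if isinstance(v, list) else [v])
    return leaves


def matches_selection(record, selection=SELECTION):
    """True when every selection field holds its expected value.
    Sigma compares strings case-insensitively by default (mirrored here);
    a path missing from the record never matches."""
    for path, expected in selection.items():
        found = [str(v).lower() for v in lookup(record, path)]
        if expected.lower() not in found:
            return False
    return True


def alerts(records):
    """Records that satisfy 'condition: selection'."""
    return [r for r in records if matches_selection(r)]


# Constructed sample log: one real warning, one normal login, one other service.
SAMPLE_LOG = [
    {"protoPayload": {"serviceName": "login.googleapis.com",
                      "metadata": {"event": [{"eventName": "gov_attack_warning"}]}}},
    {"protoPayload": {"serviceName": "login.googleapis.com",
                      "metadata": {"event": [{"eventName": "login_success"}]}}},
    {"protoPayload": {"serviceName": "admin.googleapis.com",
                      "metadata": {"event": [{"eventName": "gov_attack_warning"}]}}},
]
```

Only the first record fires; a record with no metadata.event at all is silently skipped rather than raising, which is the behaviour a backend query would show too.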
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID
eafe6f2b-cfec-4612-aec2-49563c33a087
Status
experimental
Level
medium
Type
Detection
Created
Tue Apr 28
Path
rules/cloud/gcp/gworkspace/login/gcp_gworkspace_govattack.yml
Raw Tags
attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.initial-access, attack.impact, attack.t1078