Google Workspace Device Registration After OAuth from Suspicious ASN

Detects when a Google Workspace account completes OAuth authorization for a specific Google OAuth client from a high-risk autonomous system number (ASN), followed within 30 seconds by a device registration event with account state REGISTERED. This sequence can indicate device enrollment or join flows initiated from attacker-controlled or residential-proxy infrastructure after a user authorizes a sensitive client.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/05/15"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2026/05/15"

[rule]
author = ["Elastic"]
description = """
Detects when a Google Workspace account completes OAuth authorization for a specific Google OAuth client from a
high-risk autonomous system number (ASN), followed within 30 seconds by a device registration event with account state
REGISTERED. This sequence can indicate device enrollment or join flows initiated from attacker-controlled or
residential-proxy infrastructure after a user authorizes a sensitive client.
"""
false_positives = [
    """
    Users on VPNs, carrier NAT, or cloud egress that map to flagged ASNs may match. Legitimate bulk enrollment or
    scripted onboarding that uses the same OAuth client can also produce the sequence. Baseline `source.as.organization.name`
    and successful registration sources before adding exclusions.
    """,
]
from = "now-15m"
index = ["logs-google_workspace*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Google Workspace Device Registration After OAuth from Suspicious ASN"
note = """## Triage and analysis

### Investigating Google Workspace Device Registration After OAuth from Suspicious ASN

Review `user.name`, `user.email`, `source.ip`, `source.as.organization.name`, `google_workspace.token.client.id`,
`google_workspace.token.app_name`, and device fields on the second event (for example device display name or ID if
present in your schema).

Confirm whether the user intentionally registered a device and whether the OAuth client and ASN are expected for your
mobile device management or enrollment program.

### Possible investigation steps

- Correlate both events on `user.name` and timestamps to confirm the sequence is a single enrollment story.
- Revoke or audit OAuth grants for the client if the authorization was not expected.
- Search for additional `google_workspace.device` registrations from the same ASN in the same period.

### Response and remediation

- If malicious, remove the unauthorized device from the Google Admin console, reset the user password, and revoke
  active sessions and tokens per incident policy.
- Restrict device registration and review OAuth app access policies.

## Setup

The Google Workspace Fleet integration or Filebeat Google Workspace module must ingest `google_workspace.token` and
`google_workspace.device` audit streams.

### Event lag

Google Workspace audit data can lag minutes to days behind real time. If sequences are missed, increase `from` and
lower the integration poll interval per Google and Elastic documentation.
"""
references = [
    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
    "https://support.google.com/a/answer/7061566",
]
risk_score = 73
rule_id = "012bfca7-45cb-4507-a3ba-3777167f8b81"
severity = "high"
tags = [
    "Domain: Cloud",
    "Data Source: Google Workspace",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Initial Access",
    "Threat: Tycoon2FA",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
sequence by user.name with maxspan=30s
  [iam where data_stream.dataset == "google_workspace.token" and event.action == "authorize" and
      google_workspace.token.client.id == "77185425430.apps.googleusercontent.com" and
      source.as.number in (9009, 45102, 215540, 29802, 62240, 204957, 395092)]
  [any where data_stream.dataset == "google_workspace.device" and google_workspace.device.account_state == "REGISTERED"]
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[[rule.threat.technique.subtechnique]]
id = "T1098.005"
name = "Device Registration"
reference = "https://attack.mitre.org/techniques/T1098/005/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"

[[rule.threat.technique.subtechnique]]
id = "T1566.002"
name = "Spearphishing Link"
reference = "https://attack.mitre.org/techniques/T1566/002/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
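To check what the EQL sequence above does and does not match, here is an offline replay of its two steps in plain Python. This is an added example, not Elastic's code or part of the rule: it re-implements `sequence by user.name with maxspan=30s` over a constructed sample stream (one true positive plus the negative cases a practitioner should expect: ASN not in the list, second event outside the window, wrong client ID, registration with no preceding authorization, and a registration by a different user). Field names follow the rule's query; the `source.as.organization.name` values and the `example-client` client ID are placeholders, the pairing logic is a simplification of the engine's sequence algorithm, and the baseline and ASN-pivot helpers correspond to the false-positive and investigation notes in the rule.

```python
"""Offline replay of the rule's two-step EQL sequence over constructed events.

Added example, not Elastic's code. All events are constructed samples; the
organisation names and the non-watched client ID are placeholders.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Literals copied from the rule's query.
WATCHED_CLIENT_ID = "77185425430.apps.googleusercontent.com"
SUSPICIOUS_ASNS = {9009, 45102, 215540, 29802, 62240, 204957, 395092}
MAXSPAN = timedelta(seconds=30)


def is_suspicious_oauth(ev):
    """Step 1: token.authorize for the watched client from a flagged ASN."""
    return (
        ev.get("data_stream.dataset") == "google_workspace.token"
        and ev.get("event.action") == "authorize"
        and ev.get("google_workspace.token.client.id") == WATCHED_CLIENT_ID
        and ev.get("source.as.number") in SUSPICIOUS_ASNS
    )


def is_device_registered(ev):
    """Step 2: any device event with account_state REGISTERED (no ASN check here)."""
    return (
        ev.get("data_stream.dataset") == "google_workspace.device"
        and ev.get("google_workspace.device.account_state") == "REGISTERED"
    )


def find_sequences(events, maxspan=MAXSPAN):
    """Emulate `sequence by user.name with maxspan`.

    Simplification (assumption, not the engine's exact algorithm): per user the
    most recent unmatched step-1 event is kept; a step-2 event for the same
    user closes it if it arrives within maxspan, otherwise it is ignored.
    Returns a list of (step1_event, step2_event) pairs.
    """
    pending, matches = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        user = ev.get("user.name")
        if user is None:
            continue
        if is_suspicious_oauth(ev):
            pending[user] = ev
        elif is_device_registered(ev) and user in pending:
            first = pending[user]
            if ev["@timestamp"] - first["@timestamp"] <= maxspan:
                matches.append((first, ev))
                del pending[user]  # a matched step-1 event is consumed
    return matches


def baseline_by_org(matches):
    """False-positive baseline: matches per source.as.organization.name."""
    return Counter(first.get("source.as.organization.name") for first, _ in matches)


def registrations_from_asn(events, asn):
    """Triage pivot: REGISTERED device events that carry the same source ASN."""
    return [ev for ev in events
            if is_device_registered(ev) and ev.get("source.as.number") == asn]


def _ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def _authorize(t, user, asn, org, client=WATCHED_CLIENT_ID):
    return {"@timestamp": _ts(t), "user.name": user,
            "data_stream.dataset": "google_workspace.token", "event.action": "authorize",
            "google_workspace.token.client.id": client,
            "source.as.number": asn, "source.as.organization.name": org}


def _registered(t, user, asn=None):
    ev = {"@timestamp": _ts(t), "user.name": user,
          "data_stream.dataset": "google_workspace.device",
          "google_workspace.device.account_state": "REGISTERED"}
    if asn is not None:
        ev["source.as.number"] = asn
    return ev


# Constructed sample stream: one true positive and five non-matches.
SAMPLE_EVENTS = [
    _authorize("2026-05-15T10:00:00", "alice", 9009, "ExampleHosting-A"),
    _registered("2026-05-15T10:00:12", "alice", asn=9009),   # match: 12 s later
    _authorize("2026-05-15T10:01:00", "bob", 15169, "ExampleCloud-B"),
    _registered("2026-05-15T10:01:05", "bob"),               # ASN not in the list
    _authorize("2026-05-15T10:02:00", "carol", 62240, "ExampleHosting-C"),
    _registered("2026-05-15T10:03:30", "carol"),             # 90 s, outside maxspan
    _authorize("2026-05-15T10:04:00", "dave", 45102, "ExampleHosting-D",
               client="example-client.apps.googleusercontent.com"),  # wrong client
    _registered("2026-05-15T10:04:10", "dave"),
    _registered("2026-05-15T10:05:00", "erin", asn=9009),    # no step-1 at all
    _authorize("2026-05-15T10:06:00", "frank", 9009, "ExampleHosting-A"),
    _registered("2026-05-15T10:06:03", "grace"),             # different user.name
]

if __name__ == "__main__":
    hits = find_sequences(SAMPLE_EVENTS)
    for first, second in hits:
        gap = (second["@timestamp"] - first["@timestamp"]).total_seconds()
        print(f"{first['user.name']}: AS{first['source.as.number']} authorize -> REGISTERED after {gap:.0f}s")
    print("baseline:", dict(baseline_by_org(hits)))
    print("AS9009 registrations:", [e["user.name"] for e in registrations_from_asn(SAMPLE_EVENTS, 9009)])
```

Only `alice` matches: `carol` shows why the 30 s window matters (widening `maxspan` to 120 s makes her a second hit), and `erin` shows that the second step alone is not enough but still surfaces through the ASN pivot the investigation steps call for.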

Triage and analysis

Investigating Google Workspace Device Registration After OAuth from Suspicious ASN

Review user.name, user.email, source.ip, source.as.organization.name, google_workspace.token.client.id, google_workspace.token.app_name, and device fields on the second event (for example device display name or ID if present in your schema).

Confirm whether the user intentionally registered a device and whether the OAuth client and ASN are expected for your mobile device management or enrollment program.

Possible investigation steps

  • Correlate both events on user.name and timestamps to confirm the sequence is a single enrollment story.
  • Revoke or audit OAuth grants for the client if the authorization was not expected.
  • Search for additional google_workspace.device registrations from the same ASN in the same period.

Response and remediation

  • If malicious, remove the unauthorized device from the Google Admin console, reset the user password, and revoke active sessions and tokens per incident policy.
  • Restrict device registration and review OAuth app access policies.

Setup

The Google Workspace Fleet integration or Filebeat Google Workspace module must ingest google_workspace.token and google_workspace.device audit streams.

Event lag

Google Workspace audit data can lag minutes to days behind real time. If sequences are missed, increase from and lower the integration poll interval per Google and Elastic documentation.
