Google Workspace Government Attack Warning
Detects a login attempt in Google Workspace flagged as a potential attack by a government-backed threat actor
Sigma rule

```yaml
title: Google Workspace Government Attack Warning
id: eafe6f2b-cfec-4612-aec2-49563c33a087
status: experimental
description: Detects a login attempt in Google Workspace flagged as a potential attack by a government-backed threat actor
references:
  - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging
  - https://cloud.google.com/logging/docs/audit/understanding-audit-logs
  - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#gov_attack_warning
author: Tom Kluter
date: 2026-04-28
tags:
  - attack.privilege-escalation
  - attack.persistence
  - attack.initial-access
  - attack.impact
  - attack.stealth
  - attack.t1078
logsource:
  product: gcp
  service: google_workspace.login
detection:
  selection:
    protoPayload.serviceName: 'login.googleapis.com'
    protoPayload.metadata.event.eventName: 'gov_attack_warning'
  condition: selection
falsepositives:
  - Unknown
level: medium
```
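The following Python matcher is an added illustration of how the rule's selection behaves against exported log lines; it is not part of the rule or of the Sigma project. It assumes a JSON-per-line Cloud Logging export, reads the actor from `protoPayload.authenticationInfo.principalEmail` (a standard GCP audit-log field the rule itself does not reference), and treats `protoPayload.metadata.event` as either a single object, as the rule's dotted path implies, or a list of event objects (an assumption made here so a record carrying several events is not silently missed). All log records below are constructed sample data.

```python
import json
from typing import Any, Dict, Iterable, List

# The two conditions of the Sigma rule's "selection"; both must hold (AND).
SELECTION = {
    "protoPayload.serviceName": "login.googleapis.com",
    "protoPayload.metadata.event.eventName": "gov_attack_warning",
}


def get_path(record: Any, dotted: str) -> List[Any]:
    """Resolve a dotted field path, descending into lists at any step.

    Returns every value found at the path (possibly none), so a record whose
    metadata.event is a list of events is matched if any element matches.
    """
    values = [record]
    for key in dotted.split("."):
        nxt = []
        for v in values:
            items = v if isinstance(v, list) else [v]
            for item in items:
                if isinstance(item, dict) and key in item:
                    nxt.append(item[key])
        values = nxt
    flat: List[Any] = []
    for v in values:
        flat.extend(v if isinstance(v, list) else [v])
    return flat


def matches(record: Dict[str, Any]) -> bool:
    """True when every selection field contains the expected value."""
    return all(expected in get_path(record, path) for path, expected in SELECTION.items())


def run_detection(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Apply the rule to JSON log lines; unparsable lines are skipped, not fatal."""
    alerts = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if matches(rec):
            actor = get_path(rec, "protoPayload.authenticationInfo.principalEmail")
            alerts.append({"line": n, "actor": actor[0] if actor else None, "level": "medium"})
    return alerts


# Constructed sample records (not real logs). Field names follow the rule plus
# the standard authenticationInfo.principalEmail field.
SAMPLE_RECORDS = [
    {  # single-object event form: should match
        "protoPayload": {
            "serviceName": "login.googleapis.com",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "metadata": {"event": {"eventName": "gov_attack_warning"}},
        }
    },
    {  # ordinary successful login: must not match
        "protoPayload": {
            "serviceName": "login.googleapis.com",
            "authenticationInfo": {"principalEmail": "carol@example.com"},
            "metadata": {"event": {"eventName": "login_success"}},
        }
    },
    {  # list-of-events form (assumed variant): should match
        "protoPayload": {
            "serviceName": "login.googleapis.com",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "metadata": {"event": [{"eventName": "login_success"},
                                   {"eventName": "gov_attack_warning"}]},
        }
    },
    {  # right event name, wrong service: the AND in the selection rejects it
        "protoPayload": {
            "serviceName": "admin.googleapis.com",
            "metadata": {"event": {"eventName": "gov_attack_warning"}},
        }
    },
]
SAMPLE_LOG_LINES = [json.dumps(r) for r in SAMPLE_RECORDS] + ["this line is not JSON"]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOG_LINES):
        print(alert)
```

Because the rule's only false-positive entry is "Unknown", every match is worth a human look: the useful triage fields are the actor (who Google warned) and the surrounding login events for that account, rather than the warning record on its own.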
Related rules
- AWS Key Pair Import Activity
- AWS SAML Provider Deletion Activity
- AWS Suspicious SAML Activity
- Account Created And Deleted Within A Close Time Frame
- Account Tampering - Suspicious Failed Logon Reasons