Suspicious Login Activity Classified By Google
Detects Google Workspace login activity that's classified as suspicious by Google.
Sigma rule
title: Suspicious Login Activity Classified By Google
id: 38360161-76c4-4283-842e-efcf997dafc8
status: experimental
description: Detects Google Workspace login activity that's classified as suspicious by Google.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging
    - https://cloud.google.com/logging/docs/audit/understanding-audit-logs
    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_login
    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_login_less_secure_app
    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_programmatic_login
author: Tom Kluter
date: 2026-04-28
tags:
    - attack.initial-access
    - attack.privilege-escalation
    - attack.persistence
    - attack.stealth
    - attack.t1078.004
logsource:
    product: gcp
    service: google_workspace.login
detection:
    selection:
        protoPayload.Servicename: 'login.googleapis.com'
        protoPayload.metadata.event.eventName:
            - 'suspicious_login_less_secure_app'
            - 'suspicious_login'
            - 'suspicious_programmatic_login'
    condition: selection
falsepositives:
    - Legitimate logins
level: medium
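The rule's selection applied to Google Workspace login entries as Cloud Logging exports them, as an added example that is not the rule author's or the Sigma project's code. It assumes GCP emits the service field as `protoPayload.serviceName` (so keys are compared case-insensitively against the rule's `Servicename` spelling) and exports `protoPayload.metadata.event` as a list, which the path walker descends into; the sample entries are constructed.

```python
# Added example, not the rule's or project's code. Applies the rule's selection
# to Workspace login entries exported to Cloud Logging (sample entries below are
# constructed). Keys match case-insensitively, so the rule's
# `protoPayload.Servicename` finds the `serviceName` key GCP emits, and the
# walker descends into lists because `metadata.event` is exported as a list.
import json

SELECTION = {
    "protoPayload.Servicename": ["login.googleapis.com"],
    "protoPayload.metadata.event.eventName": [
        "suspicious_login_less_secure_app",
        "suspicious_login",
        "suspicious_programmatic_login",
    ],
}

def lookup(obj, path):
    """Return every value reached by a dotted path, descending into lists."""
    if isinstance(obj, list):
        return [v for item in obj for v in lookup(item, path)]
    if not path:
        return [obj]
    key, _, rest = path.partition(".")
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k.lower() == key.lower():
                return lookup(v, rest)
    return []  # scalar reached before the path was consumed, or key missing

def matches(entry):
    """True when each selection field holds at least one of its listed values."""
    return all(any(v in wanted for v in lookup(entry, field))
               for field, wanted in SELECTION.items())

def hits(log_lines):
    """insertId of each JSON log line that the rule would alert on."""
    return [e["insertId"] for e in map(json.loads, log_lines) if matches(e)]

SAMPLE = [  # constructed; shape follows GCP Workspace audit log entries
    json.dumps({"insertId": "a1", "protoPayload": {"serviceName": "login.googleapis.com",
        "metadata": {"event": [{"eventName": "suspicious_login", "eventType": "login"}]}}}),
    json.dumps({"insertId": "a2", "protoPayload": {"serviceName": "login.googleapis.com",
        "metadata": {"event": [{"eventName": "login_success", "eventType": "login"}]}}}),
    json.dumps({"insertId": "a3", "protoPayload": {"serviceName": "admin.googleapis.com",
        "metadata": {"event": [{"eventName": "suspicious_programmatic_login"}]}}}),
]

if __name__ == "__main__":
    print(hits(SAMPLE))  # ['a1']
```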
Related rules
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser Templated S3 Bucket Policy Creation
- AWS IAM S3Browser User or AccessKey Creation
- AWS Root Credentials
- AWS SAML Provider Deletion Activity