Google Workspace Government Attack Warning

Original Source: [Sigma source]
Title: Google Workspace Government Attack Warning
Status: experimental
Description: Detects a login attempt in Google Workspace flagged as a potential attack by a government-backed threat actor
References:
  - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging
  - https://cloud.google.com/logging/docs/audit/understanding-audit-logs
  - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#gov_attack_warning
Author: Tom Kluter
Date: 2026-04-28
Modified: None
Tags:
  - attack.privilege-escalation
  - attack.defense-evasion
  - attack.persistence
  - attack.initial-access
  - attack.impact
  - attack.t1078
Logsource:
  product: gcp
  service: google_workspace.login
Detection:
  selection:
    protoPayload.serviceName: 'login.googleapis.com'
    protoPayload.metadata.event.eventName: 'gov_attack_warning'
  condition: selection
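The selection above is an AND of two field matches on a GCP Cloud Logging entry. The following Python is an added example (not part of the Sigma rule or the Sigma project) that applies that same selection to a handful of constructed log lines, so a defender can see which entries the rule would raise and why. It assumes the entries are newline-delimited JSON as exported from Cloud Logging, and it descends into list values (Workspace audit logs exported to GCP can carry `protoPayload.metadata.event` as an array) so that any event element matching counts; that list handling is an assumption of this example, not something the rule text states.

```python
import json
from typing import Any, Iterable, List, Tuple

# Selection from the Sigma rule above: every field in the map must match (AND).
SELECTION = {
    "protoPayload.serviceName": "login.googleapis.com",
    "protoPayload.metadata.event.eventName": "gov_attack_warning",
}


def field_values(record: Any, dotted_path: str) -> List[Any]:
    """Resolve a dotted field path against a nested dict.

    When an intermediate value is a list, descend into every element so that a
    match in any element counts (assumption: mirrors how exported Workspace
    audit entries carry an array of events). Missing keys yield no values.
    """
    current = [record]
    for key in dotted_path.split("."):
        next_level = []
        for node in current:
            for item in (node if isinstance(node, list) else [node]):
                if isinstance(item, dict) and key in item:
                    next_level.append(item[key])
        current = next_level
    leaves: List[Any] = []
    for value in current:  # flatten a trailing list so leaves compare one by one
        leaves.extend(value if isinstance(value, list) else [value])
    return leaves


def matches_selection(record: dict, selection: dict = SELECTION) -> bool:
    """Sigma selection semantics: all fields must match; string compare is case-insensitive."""
    for path, expected in selection.items():
        values = field_values(record, path)
        if not any(isinstance(v, str) and v.lower() == expected.lower() for v in values):
            return False
    return True


def find_alerts(log_lines: Iterable[str]) -> List[dict]:
    """Return the parsed entries that the rule's selection would flag."""
    alerts = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole batch
        if matches_selection(entry):
            alerts.append(entry)
    return alerts


def alert_summaries(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(insertId, principalEmail) for each flagged entry; handy for triage or a test."""
    return [
        (a.get("insertId", "?"),
         a.get("protoPayload", {}).get("authenticationInfo", {}).get("principalEmail", "?"))
        for a in find_alerts(log_lines)
    ]


# Constructed sample entries (not real log data). The shapes follow the Cloud
# Logging export: serviceName, authenticationInfo and metadata.event.
SAMPLE_EVENTS = [
    {"insertId": "constructed-1",
     "protoPayload": {"serviceName": "login.googleapis.com",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "metadata": {"event": [{"eventName": "gov_attack_warning", "parameter": []}]}}},
    {"insertId": "constructed-2",  # ordinary login, must not match
     "protoPayload": {"serviceName": "login.googleapis.com",
                      "authenticationInfo": {"principalEmail": "bob@example.com"},
                      "metadata": {"event": [{"eventName": "login_success"}]}}},
    {"insertId": "constructed-3",  # right eventName, wrong service: the AND rejects it
     "protoPayload": {"serviceName": "admin.googleapis.com",
                      "authenticationInfo": {"principalEmail": "carol@example.com"},
                      "metadata": {"event": [{"eventName": "gov_attack_warning"}]}}},
    {"insertId": "constructed-4",  # event as a single object instead of a list
     "protoPayload": {"serviceName": "login.googleapis.com",
                      "authenticationInfo": {"principalEmail": "dave@example.com"},
                      "metadata": {"event": {"eventName": "GOV_ATTACK_WARNING"}}}},
]
SAMPLE_LOG_LINES = [json.dumps(e) for e in SAMPLE_EVENTS] + ["{not json"]

if __name__ == "__main__":
    for insert_id, who in alert_summaries(SAMPLE_LOG_LINES):
        print(f"ALERT {insert_id}: gov_attack_warning for {who}")
```

Entries 1 and 4 are flagged; entry 3 shows why the rule keys on both fields, since the same event name seen under another service is not the login signal this rule is about. Entry 2 is the baseline that must stay quiet.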
Falsepositives:
  - Unknown
Level: medium