Suspicious Login Activity Classified By Google

Original Source: [Sigma source]
Title: Suspicious Login Activity Classified By Google
Status: experimental
Description: Detects Google Workspace login activity that Google itself has classified as suspicious, i.e. the suspicious_login, suspicious_login_less_secure_app and suspicious_programmatic_login events recorded by login.googleapis.com. The rule relies entirely on Google's classification and applies no heuristics of its own.
References:
  - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging
  - https://cloud.google.com/logging/docs/audit/understanding-audit-logs
  - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_login
  - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_login_less_secure_app
  - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_programmatic_login
Author: Tom Kluter
Date: 2026-04-28
Modified: None
Tags:
  - attack.initial-access
  - attack.privilege-escalation
  - attack.defense-evasion
  - attack.persistence
  - attack.t1078.004
Logsource:
  product: gcp
  service: google_workspace.login
Detection:
  selection:
    protoPayload.serviceName: 'login.googleapis.com'
    protoPayload.metadata.event.eventName:
      - 'suspicious_login_less_secure_app'
      - 'suspicious_login'
      - 'suspicious_programmatic_login'
  condition: selection
Falsepositives:
  - Legitimate logins that Google's heuristics nevertheless classify as suspicious, for example a user signing in from an unfamiliar location or device
Level: medium
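The selection above is two ANDed fields, the second of which is a list (OR) of event names. The detail that bites when porting it off Sigma is that protoPayload.metadata.event is a repeated field in the Cloud Logging representation of Workspace audit logs, so the dotted path protoPayload.metadata.event.eventName has to match any element of that list. The following is an added example that runs the selection over constructed entries; it is not code from the rule or from the Sigma project. It assumes the entry shape shown in the referenced Google documentation (protoPayload.serviceName, protoPayload.metadata.event as a list of records with eventName, protoPayload.authenticationInfo.principalEmail) and applies Sigma's default case-insensitive string matching; the sample entries, the organization ID and the e-mail addresses are constructed.

```python
"""Run the rule's selection over constructed Cloud Logging entries.

Added example, not code from the Sigma rule or the Sigma project. The entry
shape (protoPayload.serviceName, protoPayload.metadata.event as a list of
event records carrying eventName, protoPayload.authenticationInfo.principalEmail)
follows the Google Workspace audit-log documentation referenced by the rule;
the entries themselves are constructed, not real exports.
"""
from typing import Any, Iterator

# The rule's selection block: keys are ANDed, values in a list are ORed.
# Sigma string matching is case-insensitive by default, so values are
# normalised to lower case before comparison.
SELECTION = {
    "protoPayload.serviceName": ["login.googleapis.com"],
    "protoPayload.metadata.event.eventName": [
        "suspicious_login_less_secure_app",
        "suspicious_login",
        "suspicious_programmatic_login",
    ],
}


def resolve(obj: Any, path: str) -> Iterator[Any]:
    """Yield every value found at a dotted path.

    Lists are walked element-wise, which is how Cloud Logging filters treat
    repeated fields: protoPayload.metadata.event is a list, so the Sigma
    field protoPayload.metadata.event.eventName must match any element.
    A naive obj["event"]["eventName"] lookup would raise TypeError here.
    """
    if isinstance(obj, list):
        for item in obj:
            yield from resolve(item, path)
        return
    if path == "":
        yield obj
        return
    if not isinstance(obj, dict):
        return
    head, _, rest = path.partition(".")
    if head in obj:
        yield from resolve(obj[head], rest)


def matches(entry: dict, selection: dict = SELECTION) -> bool:
    """True when every selection field has at least one allowed value."""
    for path, allowed in selection.items():
        wanted = {a.lower() for a in allowed}
        if not any(str(v).lower() in wanted for v in resolve(entry, path)):
            return False
    return True


def detect(entries: list) -> list:
    """Return (principalEmail, eventName) for each entry the rule selects."""
    wanted = {a.lower() for a in SELECTION["protoPayload.metadata.event.eventName"]}
    hits = []
    for entry in entries:
        if not matches(entry):
            continue
        actor = next(resolve(entry, "protoPayload.authenticationInfo.principalEmail"), "<unknown>")
        names = [n for n in resolve(entry, "protoPayload.metadata.event.eventName")
                 if str(n).lower() in wanted]
        hits.append((actor, names[0]))
    return hits


def make_entry(service: str, events: list, actor: str = "user@example.com") -> dict:
    """Constructed Cloud Logging entry in the Workspace audit-log shape (assumed)."""
    return {
        "logName": "organizations/000000000000/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": service,
            "authenticationInfo": {"principalEmail": actor},
            "metadata": {
                "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
                "event": [{"eventName": e, "eventType": "login"} for e in events],
            },
        },
    }


# Constructed sample data covering the cases a detection engineer wants to see.
SAMPLE_ENTRIES = [
    make_entry("login.googleapis.com", ["login_success"]),                          # ordinary login: no hit
    make_entry("login.googleapis.com", ["suspicious_login"], "alice@example.com"),   # hit
    make_entry("admin.googleapis.com", ["suspicious_login"]),                        # wrong service: no hit (AND)
    make_entry("login.googleapis.com",                                              # second list element: hit
               ["login_success", "suspicious_programmatic_login"], "svc@example.com"),
]

if __name__ == "__main__":
    for actor, event in detect(SAMPLE_ENTRIES):
        print(f"{actor}: {event}")
```

The third sample entry is there to make the AND explicit: a suspicious_login event name under any service other than login.googleapis.com does not satisfy the selection, and the fourth shows that a matching event name anywhere in the event list is enough. If a backend in use flattens the event list rather than treating it as a repeated field, the fourth entry is the one that will silently stop matching.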