Token / OAuth GoogleWorkspace-token

6 operations, identified by eventName in the audit log.

eventName	Description
any	Source-only rules that filter on applicationName 'token' without specifying an eventName attribute here.
authorize	A user or service authorized an OAuth token for a third-party application.
revoke	An OAuth token granted to a third-party application was revoked.
activity	An OAuth-authorized application performed an API activity.
deny	An OAuth token authorization request was denied.
request	An OAuth token authorization was requested by a third-party application.

any: Token / OAuth (any event)

Application: GoogleWorkspace-token

Description

Source-only rules that filter on applicationName 'token' without specifying an eventName attribute here.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Reports API: token activity events https://developers.google.com/workspace/admin/reports/v1/appendix/activity/token
Reports API activities.list reference https://developers.google.com/workspace/admin/reports/reference/rest/v1/activities/list

authorize: Authorize OAuth Token

Application: GoogleWorkspace-token

Description

A user or service authorized an OAuth token for a third-party application.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`authorize`	3 rules	elastic
`EventType`	eq	`copy`	1 rule	elastic
`gws::token_client_id`	ends_with	`apps.googleusercontent.com`	2 rules	elastic
`gws::device_account_state`	eq	`REGISTERED`	1 rule	elastic
`source.as.number`	in	`204957`	1 rule	elastic
`source.as.number`	in	`215540`	1 rule	elastic
`source.as.number`	in	`29802`	1 rule	elastic
`source.as.number`	in	`395092`	1 rule	elastic
`source.as.number`	in	`45102`	1 rule	elastic
`source.as.number`	in	`62240`	1 rule	elastic
`source.as.number`	in	`9009`	1 rule	elastic
`source.as.number`	is_not_null		1 rule	elastic
`user.email`	is_not_null		1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

First Time Seen Google Workspace OAuth Login from Third-Party Application source medium: Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges.
Google Workspace Device Registration After OAuth from Suspicious ASN source high: Detects when a Google Workspace account completes OAuth authorization for a specific Google OAuth client from a high-risk autonomous system number (ASN), followed within 30 seconds by a device registration event with account state REGISTERED. This sequence can indicate device enrollment or join flows initiated from attacker-controlled or residential-proxy infrastructure after a user authorizes a sensitive client.
Google Workspace User Login with Unusual ASN source low: Detects the first time a Google Workspace user successfully signs in from a given source ASN within a 14-day historical window. Most users have a stable set of egress ASNs (home ISP, corporate VPN, mobile carrier). A new ASN for a user is a meaningful anomaly as it surfaces ISP changes and travel, but also catches AiTM phishing-kit relays whose egress ASN was never previously associated with the user.

Show 1 more (4 total)

Google Workspace Object Copied to External Drive with App Consent source medium: Detects when a user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An adversary may send a phishing email to the victim with a Drive object link where "copy" is included in the URI, thus copying the object to the victim's drive. If a container-bound script exists within the object, execution will require permission access via OAuth in which the user has to accept.

References #

Token Activity Events reference https://developers.google.com/workspace/admin/reports/v1/appendix/activity/token

revoke: Revoke OAuth Token

Application: GoogleWorkspace-token

Description

An OAuth token granted to a third-party application was revoked.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Token Activity Events reference https://developers.google.com/workspace/admin/reports/v1/appendix/activity/token

activity: Token Activity

Application: GoogleWorkspace-token

Description

An OAuth-authorized application performed an API activity.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Token Activity Events reference https://developers.google.com/workspace/admin/reports/v1/appendix/activity/token

deny: Deny OAuth Token

Application: GoogleWorkspace-token

Description

An OAuth token authorization request was denied.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Token Activity Events reference https://developers.google.com/workspace/admin/reports/v1/appendix/activity/token

request: Request OAuth Token

Application: GoogleWorkspace-token

Description

An OAuth token authorization was requested by a third-party application.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Token Activity Events reference https://developers.google.com/workspace/admin/reports/v1/appendix/activity/token

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Token / OAuth GoogleWorkspace-token

any: Token / OAuth (any event)

Description

Fields #

References #

authorize: Authorize OAuth Token

Description

Fields #

Common Indicators #

Detection Rules #

Elastic #

References #

revoke: Revoke OAuth Token

Description

Fields #

References #

activity: Token Activity

Description

Fields #

References #

deny: Deny OAuth Token

Description

Fields #

References #

request: Request OAuth Token

Description

Fields #

References #

Keyboard shortcuts

Search operators