Google Workspace Device Registration After OAuth from Suspicious ASN

Status: production
Severity: high
Time window: 30s
Sequence by: user.name
Author: Elastic
Source: github.com/elastic/detection-rules

Detects when a Google Workspace account completes OAuth authorization for a specific Google OAuth client from a high-risk autonomous system number (ASN), followed within 30 seconds by a device registration event with account state REGISTERED. This sequence can indicate device enrollment or join flows initiated from attacker-controlled or residential-proxy infrastructure after a user authorizes a sensitive client.

Rule body (elastic)

[metadata]
creation_date = "2026/05/15"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2026/05/15"

[rule]
author = ["Elastic"]
description = """
Detects when a Google Workspace account completes OAuth authorization for a specific Google OAuth client from a
high-risk autonomous system number (ASN), followed within 30 seconds by a device registration event with account state
REGISTERED. This sequence can indicate device enrollment or join flows initiated from attacker-controlled or
residential-proxy infrastructure after a user authorizes a sensitive client.
"""
false_positives = [
    """
    Users on VPNs, carrier NAT, or cloud egress that map to flagged ASNs may match. Legitimate bulk enrollment or
    scripted onboarding that uses the same OAuth client can also produce the sequence. Baseline `source.as.organization.name`
    and successful registration sources before adding exclusions.
    """,
]
from = "now-15m"
index = ["logs-google_workspace*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Google Workspace Device Registration After OAuth from Suspicious ASN"
note = """## Triage and analysis

### Investigating Google Workspace Device Registration After OAuth from Suspicious ASN

Review `user.name`, `user.email`, `source.ip`, `source.as.organization.name`, `google_workspace.token.client.id`,
`google_workspace.token.app_name`, and device fields on the second event (for example device display name or ID if
present in your schema).

Confirm whether the user intentionally registered a device and whether the OAuth client and ASN are expected for your
mobile device management or enrollment program.

### Possible investigation steps

- Correlate both events on `user.name` and timestamps to confirm the sequence is a single enrollment story.
- Revoke or audit OAuth grants for the client if the authorization was not expected.
- Search for additional `google_workspace.device` registrations from the same ASN in the same period.

### Response and remediation

- If malicious, remove the unauthorized device from the Google Admin console, reset the user password, and revoke
  active sessions and tokens per incident policy.
- Restrict device registration and review OAuth app access policies.

## Setup

The Google Workspace Fleet integration or Filebeat Google Workspace module must ingest `google_workspace.token` and
`google_workspace.device` audit streams.

### Event lag

Google Workspace audit data can lag minutes to days behind real time. If sequences are missed, increase `from` and
lower the integration poll interval per Google and Elastic documentation.
"""
references = [
    "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
    "https://support.google.com/a/answer/7061566",
]
risk_score = 73
rule_id = "012bfca7-45cb-4507-a3ba-3777167f8b81"
severity = "high"
tags = [
    "Domain: Cloud",
    "Data Source: Google Workspace",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Initial Access",
    "Threat: Tycoon2FA",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
sequence by user.name with maxspan=30s
  [iam where data_stream.dataset == "google_workspace.token" and event.action == "authorize" and
      google_workspace.token.client.id == "77185425430.apps.googleusercontent.com" and
      source.as.number in (9009, 45102, 215540, 29802, 62240, 204957, 395092)]
  [any where data_stream.dataset == "google_workspace.device" and google_workspace.device.account_state == "REGISTERED"]
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[[rule.threat.technique.subtechnique]]
id = "T1098.005"
name = "Device Registration"
reference = "https://attack.mitre.org/techniques/T1098/005/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"

[[rule.threat.technique.subtechnique]]
id = "T1566.002"
name = "Spearphishing Link"
reference = "https://attack.mitre.org/techniques/T1566/002/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

Stages and Predicates

Ordered sequence: each step below must occur in order within 30s, correlated by user.name.

Stage 1: iam

[iam where data_stream.dataset == "google_workspace.token" and event.action == "authorize" and
      google_workspace.token.client.id == "77185425430.apps.googleusercontent.com" and
      source.as.number in (9009, 45102, 215540, 29802, 62240, 204957, 395092)]

Stage 2: any

[any where data_stream.dataset == "google_workspace.device" and google_workspace.device.account_state == "REGISTERED"]
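To make the sequence semantics concrete, the following is an added Python emulation of the two stage predicates and the 30-second, per-`user.name` correlation; it is example code written for this page, not Elastic's or Elasticsearch's implementation, and it simplifies EQL's state handling (a newer stage-1 event for the same user just restarts the window). The events returned by `sample_events()` are constructed; ASN 64496 is an RFC 5398 documentation ASN, not one the rule flags.

```python
from datetime import datetime, timedelta, timezone
SUSPICIOUS_ASNS = {9009, 45102, 215540, 29802, 62240, 204957, 395092}
OAUTH_CLIENT_ID = "77185425430.apps.googleusercontent.com"
MAXSPAN = timedelta(seconds=30)

def stage1_oauth_from_suspicious_asn(ev):
    """Stage 1 ([iam where ...]): token authorize for the client from a flagged ASN."""
    return (ev.get("data_stream.dataset") == "google_workspace.token"
            and ev.get("event.action") == "authorize"
            and ev.get("google_workspace.token.client.id") == OAUTH_CLIENT_ID
            and ev.get("source.as.number") in SUSPICIOUS_ASNS)

def stage2_device_registered(ev):
    """Stage 2 ([any where ...]): device audit event with account state REGISTERED."""
    return (ev.get("data_stream.dataset") == "google_workspace.device"
            and ev.get("google_workspace.device.account_state") == "REGISTERED")

def find_sequences(events):
    """Emulate `sequence by user.name with maxspan=30s`: a stage-1 match opens a window
    for that user; the first later stage-2 event within 30s completes it (simplified)."""
    pending, hits = {}, []          # pending: user.name -> open stage-1 event
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        user = ev.get("user.name")
        if user is None:            # no join key: the event cannot join any sequence
            continue
        if stage1_oauth_from_suspicious_asn(ev):
            pending[user] = ev      # assumption: a newer stage-1 restarts the window
        elif stage2_device_registered(ev) and user in pending:
            first = pending.pop(user)
            if ev["@timestamp"] - first["@timestamp"] <= MAXSPAN:
                hits.append((first, ev))
    return hits

def _token(user, asn, at):   # constructed google_workspace.token authorize event
    return {"@timestamp": at, "user.name": user, "data_stream.dataset": "google_workspace.token",
            "event.action": "authorize", "google_workspace.token.client.id": OAUTH_CLIENT_ID,
            "source.as.number": asn}

def _device(user, at):       # constructed google_workspace.device event, state REGISTERED
    return {"@timestamp": at, "user.name": user, "data_stream.dataset": "google_workspace.device",
            "google_workspace.device.account_state": "REGISTERED"}

def sample_events():
    """Constructed sample events; only alice should produce a hit."""
    t0 = datetime(2026, 5, 15, 12, 0, tzinfo=timezone.utc)
    s = lambda n: t0 + timedelta(seconds=n)
    return [_token("alice", 9009, s(0)), _device("alice", s(12)),       # flagged ASN, 12s apart
            _token("bob", 64496, s(0)), _device("bob", s(5)),           # ASN not flagged
            _token("carol", 45102, s(0)), _device("carol", s(90)),      # registration outside 30s
            _device("dave", s(0)), _token("dave", 215540, s(3))]        # reversed order
```

Running `find_sequences(sample_events())` returns exactly one (stage-1, stage-2) pair, for alice; the other three users illustrate the conditions the rule deliberately does not match.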

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field                                   Kind  Values
data_stream.dataset                     eq    google_workspace.device, google_workspace.token
event.action                            eq    authorize
google_workspace.device.account_state   eq    REGISTERED
google_workspace.token.client.id        eq    77185425430.apps.googleusercontent.com
source.as.number                        in    9009, 29802, 45102, 62240, 204957, 215540, 395092