Detection rules › Panther
Google Workspace Login Type Anomaly
Alerts when users authenticate with login types they haven't used in the past 30 days. This may indicate GAIA credential theft where attackers use stolen OAuth tokens with different authentication methods (e.g., google_password instead of SAML). Particularly suspicious when a user who normally uses SSO/SAML suddenly authenticates via password.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1078.004 Valid Accounts: Cloud Accounts |
| Persistence | T1078.004 Valid Accounts: Cloud Accounts |
| Privilege Escalation | T1078.004 Valid Accounts: Cloud Accounts |
| Defense Evasion | T1078.004 Valid Accounts: Cloud Accounts |
| Lateral Movement | T1550 Use Alternate Authentication Material |
Rule body

```yaml
AnalysisType: scheduled_rule
DisplayName: "Google Workspace Login Type Anomaly"
DedupPeriodMinutes: 360
RuleID: "Google.Workspace.Login.Type.Anomaly"
Description: >
  Alerts when users authenticate with login types they haven't used in the past 30 days.
  This may indicate GAIA credential theft where attackers use stolen OAuth tokens with
  different authentication methods (e.g., google_password instead of SAML). Particularly
  suspicious when a user who normally uses SSO/SAML suddenly authenticates via password.
ScheduledQueries:
  - Google Workspace Login Type Anomaly
Enabled: false
Filename: gsuite_login_type_anomaly_rule.py
Reference: https://businessinsights.bitdefender.com/the-chain-reaction-new-methods-for-extending-local-breaches-in-google-workspace
Runbook: |
  1. Query GSuite.ActivityEvent for all login events by the user email in the 24 hours before and after the alert to identify login patterns, IP addresses used, and the context around the anomalous login_type
  2. Check if the source IP addresses from recent logins are associated with known VPN services, cloud providers, or corporate network ranges, and compare to the user's typical login locations in the past 30 days
  3. Search for other authentication anomalies or alerts for this user in the past 7 days, including failed logins, OAuth token authorizations, password changes, or suspicious activity warnings
Severity: Medium
Tags:
  - GSuite
  - Lateral Movement
  - Valid Accounts
  - GAIA
Reports:
  MITRE ATT&CK:
    - TA0001:T1078.004
    - TA0008:T1550
SummaryAttributes:
  - email
Tests:
  - Name: User with anomalous google_password login
    ExpectedResult: true
    Log:
      email: user@example.com
      login_type: google_password
      ipAddress: 1.1.1.1
  - Name: User with anomalous exchange login
    ExpectedResult: true
    Log:
      email: user@example.com
      login_type: exchange
      ipAddress: 1.1.1.1
```
Detection logic
Filter
```python
import re


def normalize_username(email):
    """Return the local part of an address, lowercased, with non-alphanumerics removed."""
    if not email:
        return None
    username = email.split("@")[0] if "@" in email else email
    return re.sub(r"[^a-z0-9]", "", username.lower())


def rule(_):
    # Scheduled rule: the scheduled query already selects only the anomalous
    # rows, so every row it returns becomes an alert.
    return True


def title(event):
    user = event.get("email", "<UNKNOWN_USER>")
    login_type = event.get("login_type", "<UNKNOWN_TYPE>")
    return f"Google Workspace: User [{user}] used anomalous login type [{login_type}]"


def severity(event):
    # A password login from an account that normally uses SSO is the case the
    # description calls out, so it is raised above the rule's base severity.
    login_type = event.get("login_type", "")
    if login_type == "google_password":
        return "HIGH"
    return "MEDIUM"


def alert_context(event):
    email = event.get("email")
    return {
        "user_email": email,
        "username_normalized": normalize_username(email),
        "anomalous_login_type": event.get("login_type"),
        "ip_address": event.get("ipAddress"),
        "description": "User authenticated with a login type not seen in the previous 30 days",
    }
```
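The rule body above does no filtering of its own (`rule()` returns `True`) because the scheduled query, which is not reproduced on this page, already selects the anomalous rows. The following is an added example, not Panther's query or any code from the rule, that re-implements that baseline comparison in plain Python so the logic can be inspected and tested offline: build each user's set of login types over the previous 30 days, then report recent logins whose `login_type` is not in that set, emitting rows with the same `email` / `login_type` / `ipAddress` keys the rule's functions read. The event timestamp field name (`time`) and the 24-hour evaluation window are assumptions, and the sample events are constructed, not real logs. It also handles one failure mode the description does not mention: an account with no logins at all in the baseline window would otherwise fire on its very first login, so such accounts are skipped unless `require_baseline=False`.

```python
"""Baseline comparison behind the Login Type Anomaly rule (added example).

Not Panther's scheduled query. Event fields (email, login_type, ipAddress)
mirror the rule's test logs; the `time` field name is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BASELINE_DAYS = 30   # matches the rule description: "not seen in the past 30 days"
RECENT_HOURS = 24    # slice each scheduled run evaluates (assumed interval)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-31T02:13:00Z."""
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def find_login_type_anomalies(events, now, baseline_days=BASELINE_DAYS,
                              recent_hours=RECENT_HOURS, require_baseline=True):
    """Return one row per (user, login_type) first seen in the recent window.

    With require_baseline=True a user with no logins in the baseline window is
    skipped: for a brand-new account every login type is "unseen", which would
    otherwise alert on every new hire.
    """
    recent_start = now - timedelta(hours=recent_hours)
    baseline_start = now - timedelta(days=baseline_days)

    known_types = defaultdict(set)  # normalized email -> login types seen in baseline
    recent = []
    for ev in events:
        ts = parse_ts(ev["time"])
        if ts < baseline_start or ts > now:
            continue                        # outside the 30-day lookback
        user = ev["email"].strip().lower()  # Workspace addresses are case-insensitive
        if ts < recent_start:
            known_types[user].add(ev["login_type"])
        else:
            recent.append((ts, user, ev))

    hits, emitted = [], set()
    for ts, user, ev in sorted(recent, key=lambda r: r[0]):
        baseline = known_types.get(user, set())
        if require_baseline and not baseline:
            continue
        if ev["login_type"] in baseline:
            continue
        key = (user, ev["login_type"])
        if key in emitted:
            continue                        # one row per user/login_type, like DedupPeriodMinutes
        emitted.add(key)
        hits.append({
            "email": ev["email"],
            "login_type": ev["login_type"],
            "ipAddress": ev.get("ipAddress"),
            "first_seen": ts.strftime(TS_FMT),
            "baseline_login_types": sorted(baseline),
        })
    return hits


# --- constructed sample data (not real logs) -------------------------------
NOW = datetime(2024, 5, 31, 12, 0, tzinfo=timezone.utc)
_START = NOW - timedelta(days=28)


def _daily(email, login_type, ip, days):
    """One login per day for `days` days, starting 28 days before NOW."""
    return [{"email": email, "login_type": login_type, "ipAddress": ip,
             "time": (_START + timedelta(days=d)).strftime(TS_FMT)} for d in range(days)]


SAMPLE_EVENTS = (
    _daily("alice@example.com", "saml", "203.0.113.10", 27)            # SSO daily, last one 2 days ago
    + [{"email": "Alice@example.com", "login_type": "google_password",   # password login in the last 24h
        "ipAddress": "198.51.100.7", "time": "2024-05-31T02:13:00Z"}]
    + _daily("bob@example.com", "google_password", "203.0.113.11", 28) # password user, incl. a recent login
    + [{"email": "carol@example.com", "login_type": "exchange",          # first login ever: no baseline
        "ipAddress": "198.51.100.9", "time": "2024-05-31T08:00:00Z"}]
)

if __name__ == "__main__":
    for hit in find_login_type_anomalies(SAMPLE_EVENTS, NOW):
        print(hit)
```

Running it reports only Alice's `google_password` login, with `baseline_login_types` of `["saml"]`: Bob's password logins are in his baseline, and Carol has no baseline at all. Passing `require_baseline=False` adds Carol's `exchange` login, which is the behaviour a naive "not seen in 30 days" query has for new accounts and the reason the check is worth adding to the real query.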
Output fields
Fields the rule emits when it matches. For this Panther rule they are built in alert_context() from the row the scheduled query returns; username_normalized is derived from email by normalize_username() rather than copied. (The equivalent on other platforms is the outcome block of a Chronicle rule, where $risk_score drives alerting, or the project / summarize / extend stages of a Sentinel or Defender XDR query, which Sentinel maps into alert fields via entityMappings and customDetails and Defender XDR custom detections surface directly.)
| Field | Source |
|---|---|
| user_email | email |
| username_normalized | email (local part, lowercased, non-alphanumerics removed) |
| anomalous_login_type | login_type |
| ip_address | ipAddress |