detection.wiki

Detection rules › Sigma

Suspicious Login Activity Classified By Google

Status
experimental
Severity
medium
Log source
product gcp, service google_workspace.login
Author
Tom Kluter
Source
github.com/SigmaHQ/sigma

Detects Google Workspace login activity that's classified as suspicious by Google.

MITRE ATT&CK coverage

TacticTechniques
Initial AccessT1078.004 Valid Accounts: Cloud Accounts
PersistenceT1078.004 Valid Accounts: Cloud Accounts
Privilege EscalationT1078.004 Valid Accounts: Cloud Accounts
StealthT1078.004 Valid Accounts: Cloud Accounts

Event coverage

ProviderEventTitle
GoogleWorkspace-loginsuspicious_loginSuspicious Login
GoogleWorkspace-loginsuspicious_login_less_secure_appSuspicious Login (Less Secure App)
GoogleWorkspace-loginsuspicious_programmatic_loginSuspicious Programmatic Login

Rule body yaml

title: Suspicious Login Activity Classified By Google
id: 38360161-76c4-4283-842e-efcf997dafc8
status: experimental
description: Detects Google Workspace login activity that's classified as suspicious by Google.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging
    - https://cloud.google.com/logging/docs/audit/understanding-audit-logs
    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_login
    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_login_less_secure_app
    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_programmatic_login
author: Tom Kluter
date: 2026-04-28
tags:
    - attack.initial-access
    - attack.privilege-escalation
    - attack.persistence
    - attack.stealth
    - attack.t1078.004
logsource:
    product: gcp
    service: google_workspace.login
detection:
    selection:
        protoPayload.Servicename: 'login.googleapis.com'
        protoPayload.metadata.event.eventName:
            - 'suspicious_login_less_secure_app'
            - 'suspicious_login'
            - 'suspicious_programmatic_login'
    condition: selection
falsepositives:
    - Legitimate logins
level: medium

Stages and Predicates

Stage 0: condition

selection

Stage 1: selection

selection:
    protoPayload.Servicename: 'login.googleapis.com'
    protoPayload.metadata.event.eventName:
        - 'suspicious_login_less_secure_app'
        - 'suspicious_login'
        - 'suspicious_programmatic_login'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
protoPayload.Servicenameeq
  • login.googleapis.com
protoPayload.metadata.event.eventNameeq
  • suspicious_login
  • suspicious_login_less_secure_app
  • suspicious_programmatic_login