Detection rules › Splunk
GCP Successful Single-Factor Authentication
The following analytic identifies a successful single-factor authentication event against Google Cloud Platform (GCP) for an account without Multi-Factor Authentication (MFA) enabled. It uses Google Workspace login event data to detect instances where MFA is not utilized. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. If confirmed malicious, an attacker could gain unauthorized access to GCP resources, potentially leading to data breaches, service disruptions, or further exploitation within the cloud environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Resource Development | T1586.003 Compromise Accounts: Cloud Accounts |
| Initial Access | T1078.004 Valid Accounts: Cloud Accounts |
| Persistence | T1078.004 Valid Accounts: Cloud Accounts |
| Privilege Escalation | T1078.004 Valid Accounts: Cloud Accounts |
| Stealth | T1078.004 Valid Accounts: Cloud Accounts |
Rules detecting the same action
Other rules on this platform that filter on the same API call or operation.
Rule body splunk
name: GCP Successful Single-Factor Authentication
id: 40e17d88-87da-414e-b253-8dc1e4f9555b
version: 13
creation_date: '2022-10-14'
modification_date: '2026-05-13'
author: Bhavin Patel, Mauricio Velazco, Splunk
status: production
type: TTP
description: The following analytic identifies a successful single-factor authentication event against Google Cloud Platform (GCP) for an account without Multi-Factor Authentication (MFA) enabled. It uses Google Workspace login event data to detect instances where MFA is not utilized. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. If confirmed malicious, an attacker could gain unauthorized access to GCP resources, potentially leading to data breaches, service disruptions, or further exploitation within the cloud environment.
data_source:
- Google Workspace
search: |-
`gws_reports_login` event.name=login_success NOT `gws_login_mfa_methods`
| stats count min(_time) as firstTime max(_time) as lastTime
BY user, src_ip, login_challenge_method,
app, event.name, vendor_account,
action
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `gcp_successful_single_factor_authentication_filter`
how_to_implement: You must install the latest version of Splunk Add-on for Google Workspace from Splunkbase (https://splunkbase.splunk.com/app/5556) which allows Splunk administrators to collect Google Workspace event data in Splunk using Google Workspace APIs. Specifically, this analytic leverages the User log events.
known_false_positives: Although not recommended, certain users may be required without multi-factor authentication. Filter as needed
references:
- https://attack.mitre.org/techniques/T1078/004/
- https://support.google.com/a/answer/175197?hl=en
- https://www.forbes.com/sites/daveywinder/2020/07/08/new-dark-web-audit-reveals-15-billion-stolen-logins-from-100000-breaches-passwords-hackers-cybercrime/?sh=69927b2a180f
drilldown_searches:
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
finding:
title: Successful authentication for user $user$ without MFA
entity:
field: user
type: user
score: 50
threat_objects:
- field: src_ip
type: ip_address
analytic_story:
- GCP Account Takeover
- Scattered Lapsus$ Hunters
asset_type: Google Cloud Platform tenant
mitre_attack_id:
- T1078.004
- T1586.003
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: cloud
security_domain: identity
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/gcp_single_factor_auth/gws_login.log
source: gws:reports:login
sourcetype: gws:reports:login
test_type: unit
Stages and Predicates
Stage 1: search
`gws_reports_login` event.name=login_success NOT `gws_login_mfa_methods`
Stage 2: stats
| stats count min(_time) as firstTime max(_time) as lastTime
BY user, src_ip, login_challenge_method,
app, event.name, vendor_account,
action
Stage 3: search
| `security_content_ctime(firstTime)`
Stage 4: search
| `security_content_ctime(lastTime)`
Stage 5: search
| `gcp_successful_single_factor_authentication_filter`
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
event.parameters{}.multiValue{} | in | "backup_code", "google_authenticator", "google_prompt", "idv_any_phone", "idv_preregistered_phone", "internal_two_factor", "knowledge_employee_id", "knowledge_preregistered_email", "knowledge_preregistered_phone", "login_location", "offline_otp", "security_key", "security_key_otp" |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
event.name | eq |
|
sourcetype | eq |
|