Merge PR #5409 from @Luke57 - Add New Google Workspace Related Rules

new: Google Workspace Government Attack Warning new: Google Workspace Out Of Domain Email Forwarding new: Suspicious Login Activity Classified By Google --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2026-04-28 02:48:14 +02:00
parent af0d09b2cf
commit c8f207d390
11 changed files with 84 additions and 1 deletions
@@ -0,0 +1,28 @@
+title: Google Workspace Government Attack Warning
+id: eafe6f2b-cfec-4612-aec2-49563c33a087
+status: experimental
+description: Detects a login attempt in Google Workspace flagged as a potential attack by a government-backed threat actor
+references:
+    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging
+    - https://cloud.google.com/logging/docs/audit/understanding-audit-logs
+    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#gov_attack_warning
+author: Tom Kluter
+date: 2026-04-28
+tags:
+    - attack.privilege-escalation
+    - attack.defense-evasion
+    - attack.persistence
+    - attack.initial-access
+    - attack.impact
+    - attack.t1078
+logsource:
+    product: gcp
+    service: google_workspace.login
+detection:
+    selection:
+        protoPayload.serviceName: 'login.googleapis.com'
+        protoPayload.metadata.event.eventName: 'gov_attack_warning'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,22 @@
+title: Google Workspace Out Of Domain Email Forwarding
+id: 2a0bb2dd-eb5f-4517-8cb9-404f8ba764a5
+status: experimental
+description: Detects automatic email forwarding to external domains in Google Workspace, which may indicate data leakage or misuse.
+references:
+    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#email_forwarding_out_of_domain
+author: Tom kluter
+date: 2026-04-28
+tags:
+    - attack.t1114.003
+    - attack.collection
+logsource:
+    product: gcp
+    service: google_workspace.login
+detection:
+    selection:
+        protoPayload.serviceName: 'login.googleapis.com'
+        protoPayload.metadata.event.eventName: 'email_forwarding_out_of_domain'
+    condition: selection
+falsepositives:
+    - Legitimate forwarding
+level: medium
@@ -0,0 +1,32 @@
+title: Suspicious Login Activity Classified By Google
+id: 38360161-76c4-4283-842e-efcf997dafc8
+status: experimental
+description: Detects Google Workspace login activity that's classified as suspicious by Google.
+references:
+    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging
+    - https://cloud.google.com/logging/docs/audit/understanding-audit-logs
+    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_login
+    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_login_less_secure_app
+    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_programmatic_login
+author: Tom Kluter
+date: 2026-04-28
+tags:
+    - attack.initial-access
+    - attack.privilege-escalation
+    - attack.defense-evasion
+    - attack.persistence
+    - attack.t1078.004
+logsource:
+    product: gcp
+    service: google_workspace.login
+detection:
+    selection:
+        protoPayload.Servicename: 'login.googleapis.com'
+        protoPayload.metadata.event.eventName:
+            - 'suspicious_login_less_secure_app'
+            - 'suspicious_login'
+            - 'suspicious_programmatic_login'
+    condition: selection
+falsepositives:
+    - Legitimate logins
+level: medium
@@ -339,7 +339,8 @@
            "category":{},
            "service":{
                "gcp.audit":[],
-                "google_workspace.admin":[]
+                "google_workspace.admin":[],
+                "google_workspace.login":[]
            }
        },
        "github":{