sigmamediumHunting

Suspicious Login Activity Classified By Google

Detects Google Workspace login activity that's classified as suspicious by Google.

MITRE ATT&CK

initial-accessprivilege-escalationdefense-evasionpersistence

Detection Query

selection:
  protoPayload.Servicename: login.googleapis.com
  protoPayload.metadata.event.eventName:
    - suspicious_login_less_secure_app
    - suspicious_login
    - suspicious_programmatic_login
condition: selection

Author

Tom Kluter

Created

2026-04-28

Data Sources

gcpgoogle_workspace.login

Platforms

gcp

References

Tags

attack.initial-accessattack.privilege-escalationattack.defense-evasionattack.persistenceattack.t1078.004

Raw Content

title: Suspicious Login Activity Classified By Google
id: 38360161-76c4-4283-842e-efcf997dafc8
status: experimental
description: Detects Google Workspace login activity that's classified as suspicious by Google.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging
    - https://cloud.google.com/logging/docs/audit/understanding-audit-logs
    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_login
    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_login_less_secure_app
    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_programmatic_login
author: Tom Kluter
date: 2026-04-28
tags:
    - attack.initial-access
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.persistence
    - attack.t1078.004
logsource:
    product: gcp
    service: google_workspace.login
detection:
    selection:
        protoPayload.Servicename: 'login.googleapis.com'
        protoPayload.metadata.event.eventName:
            - 'suspicious_login_less_secure_app'
            - 'suspicious_login'
            - 'suspicious_programmatic_login'
    condition: selection
falsepositives:
    - Legitimate logins
level: medium