Query Details

GWS Alerts Cross Identity Entra Correlation

Query

id: 8b4e3d9f-2c5d-4f6b-ad3e-9c2e8f7b5a0a
name: GWS Alerts - Cross-Tenant Correlation with Sentinel UEBA / Sign-in Logs
description: |
  Pivots Workspace Alert Center alerts against Entra ID sign-ins for the same
  user (matched on UPN). Detects cross-IdP credential reuse and federated
  identity abuse - e.g., Workspace alert + Entra anomalous sign-in for the same
  identity in a short window.
requiredDataConnectors:
  - connectorId: GoogleWorkspaceDefinition
    dataTypes:
      - GWSAlerts_CL
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
tactics:
  - InitialAccess
  - CredentialAccess
relevantTechniques:
  - T1078
  - T1078.004
query: |
  let gws =
      GWSAlerts_CL
      | where TimeGenerated > ago(7d)
      | where Source has_any ("Google identity", "Mobile device management")
           or AlertType has_any ("Suspicious login", "Leaked password",
                                 "Device compromised")
      | extend User = tolower(tostring(AlertData.email))
      | project GWSTime = TimeGenerated, User, GWSAlertType = AlertType,
                GWSAlertId = AlertId, GWSLink = SecurityInvestigationToolLink;
  let entra =
      SigninLogs
      | where TimeGenerated > ago(7d)
      | where ResultType != 0 or RiskLevelDuringSignIn in ("medium", "high")
      | extend User = tolower(UserPrincipalName)
      | project EntraTime = TimeGenerated, User, EntraApp = AppDisplayName,
                EntraIp = IPAddress, EntraRisk = RiskLevelDuringSignIn,
                EntraResult = ResultType;
  gws
  | join kind=inner entra on User
  | where abs(datetime_diff('minute', GWSTime, EntraTime)) <= 60
  | project GWSTime, EntraTime, User, GWSAlertType, EntraApp, EntraIp,
            EntraRisk, EntraResult, GWSAlertId, GWSLink
  | order by GWSTime desc
tags:
  - GoogleWorkspace
  - EntraID
  - CrossIdentity

Explanation

This query is designed to detect suspicious activities by correlating alerts from Google Workspace with sign-in logs from Azure Active Directory (Entra ID) for the same user. Here's a simplified breakdown:

  1. Data Sources: It uses data from two sources:
     • Google Workspace Alerts: Specifically looking for alerts related to suspicious logins, leaked passwords, or compromised devices.
     • Azure Active Directory Sign-in Logs: Focusing on sign-ins that were unsuccessful or had medium to high risk levels.
  2. Time Frame: The query examines data from the past 7 days.
  3. User Matching: It matches users by their email or user principal name, ensuring the comparison is case-insensitive.
  4. Cross-Referencing: It looks for instances where a Google Workspace alert and an Azure sign-in event occur for the same user within a 60-minute window.
  5. Output: The results include details such as the time of each event, user information, alert types, application names, IP addresses, risk levels, and links to further investigation tools.
  6. Purpose: The goal is to identify potential cross-identity credential reuse or abuse, such as when a user's credentials are used across different identity providers (IdPs) in a suspicious manner.
  7. Security Focus: It targets tactics like initial access and credential access, with techniques related to valid accounts and single sign-on abuse.

Overall, this query helps security teams identify and investigate potential security incidents involving user accounts across different platforms.
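To make the correlation logic testable offline, here is an added Python re-implementation of the query's filters, case-insensitive UPN join and 60-minute window over constructed sample rows (this is example code, not part of the original rule; the record values and IPs are made up). One row pair sits inside the window, one outside it, and one is dropped by the Workspace alert filter.

```python
from datetime import datetime, timedelta

# Constructed sample rows standing in for GWSAlerts_CL and SigninLogs (not real data).
GWS_ALERTS = [
    {"TimeGenerated": datetime(2026, 5, 1, 10, 0), "Source": "Google identity",
     "AlertType": "Suspicious login", "AlertData": {"email": "Alice@Example.com"}, "AlertId": "gws-1"},
    {"TimeGenerated": datetime(2026, 5, 1, 12, 0), "Source": "Gmail phishing",
     "AlertType": "User reported phishing", "AlertData": {"email": "bob@example.com"}, "AlertId": "gws-2"},
]
SIGNIN_LOGS = [
    # Alice: successful but high-risk sign-in 45 min after her alert -> should correlate
    {"TimeGenerated": datetime(2026, 5, 1, 10, 45), "UserPrincipalName": "alice@example.com",
     "ResultType": "0", "RiskLevelDuringSignIn": "high", "IPAddress": "203.0.113.7"},
    # Alice: failed sign-in 3.5 h after the alert -> outside the 60-minute window
    {"TimeGenerated": datetime(2026, 5, 1, 13, 30), "UserPrincipalName": "alice@example.com",
     "ResultType": "50126", "RiskLevelDuringSignIn": "none", "IPAddress": "203.0.113.8"},
    # Bob: failed sign-in 5 min after his alert, but the alert is not identity/MDM -> dropped
    {"TimeGenerated": datetime(2026, 5, 1, 12, 5), "UserPrincipalName": "bob@example.com",
     "ResultType": "50126", "RiskLevelDuringSignIn": "none", "IPAddress": "203.0.113.9"},
]
GWS_SOURCES = ("google identity", "mobile device management")
GWS_ALERT_TYPES = ("suspicious login", "leaked password", "device compromised")

def has_any(value, terms):
    """Approximates KQL has_any as case-insensitive substring containment."""
    return any(t in value.lower() for t in terms)

def gws_filter(a):
    return has_any(a["Source"], GWS_SOURCES) or has_any(a["AlertType"], GWS_ALERT_TYPES)

def entra_filter(s):
    # SigninLogs.ResultType is a string; "0" means success
    return s["ResultType"] != "0" or s["RiskLevelDuringSignIn"] in ("medium", "high")

def correlate(alerts, signins, window_minutes=60):
    """Inner join on lower-cased identity, kept when the events are <= window apart."""
    hits = []
    for a in filter(gws_filter, alerts):
        user = a["AlertData"]["email"].lower()  # tolower(tostring(AlertData.email))
        for s in filter(entra_filter, signins):
            if s["UserPrincipalName"].lower() != user:
                continue
            if abs(a["TimeGenerated"] - s["TimeGenerated"]) <= timedelta(minutes=window_minutes):
                hits.append({"GWSTime": a["TimeGenerated"], "EntraTime": s["TimeGenerated"],
                             "User": user, "GWSAlertType": a["AlertType"], "GWSAlertId": a["AlertId"],
                             "EntraIp": s["IPAddress"], "EntraRisk": s["RiskLevelDuringSignIn"],
                             "EntraResult": s["ResultType"]})
    return sorted(hits, key=lambda h: h["GWSTime"], reverse=True)  # order by GWSTime desc
```

Unlike KQL's datetime_diff, which counts minute boundaries crossed, this version compares exact elapsed time; for a 60-minute window the difference only matters for events a few seconds either side of the boundary.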

Details

David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL, SigninLogs

Keywords

GoogleWorkspace, EntraID, User, Device, Identity, SigninLogs, AlertType, IPAddress, RiskLevelDuringSignIn, AppDisplayName, SecurityInvestigationToolLink, AlertId, Email

Operators

let, where, ago, has_any, extend, tolower, tostring, project, join, kind, on, abs, datetime_diff, order by, desc