Query Details

GWS Alerts - Cross-Tenant Correlation with Sentinel UEBA / Sign-in Logs

GWS Alerts Cross Identity Entra Correlation

Query

let gws =
    GWSAlerts_CL
    | where TimeGenerated > ago(7d)
    | where Source has_any ("Google identity", "Mobile device management")
         or AlertType has_any ("Suspicious login", "Leaked password",
                               "Device compromised")
    | extend User = tolower(tostring(AlertData.email))
    | project GWSTime = TimeGenerated, User, GWSAlertType = AlertType,
              GWSAlertId = AlertId, GWSLink = SecurityInvestigationToolLink;
let entra =
    SigninLogs
    | where TimeGenerated > ago(7d)
    | where ResultType != 0 or RiskLevelDuringSignIn in ("medium", "high")
    | extend User = tolower(UserPrincipalName)
    | project EntraTime = TimeGenerated, User, EntraApp = AppDisplayName,
              EntraIp = IPAddress, EntraRisk = RiskLevelDuringSignIn,
              EntraResult = ResultType;
gws
| join kind=inner entra on User
| where abs(datetime_diff('minute', GWSTime, EntraTime)) <= 60
| project GWSTime, EntraTime, User, GWSAlertType, EntraApp, EntraIp,
          EntraRisk, EntraResult, GWSAlertId, GWSLink
| order by GWSTime desc

Explanation

This query is designed to detect suspicious activities by correlating alerts from Google Workspace with sign-in logs from Azure Active Directory (Entra ID) for the same user. Here's a simplified breakdown:

  1. Data Sources: It uses data from two sources:

    • Google Workspace Alerts: Specifically looking for alerts related to suspicious logins, leaked passwords, or compromised devices.
    • Azure Active Directory Sign-in Logs: Focusing on sign-ins that were unsuccessful or had medium to high risk levels.
  2. Time Frame: The query examines data from the past 7 days.

  3. User Matching: It matches users by their email or user principal name, ensuring the comparison is case-insensitive.

  4. Cross-Referencing: It looks for instances where a Google Workspace alert and an Azure sign-in event occur for the same user within a 60-minute window.

  5. Output: The results include details such as the time of each event, user information, alert types, application names, IP addresses, risk levels, and links to further investigation tools.

  6. Purpose: The goal is to identify potential cross-identity credential reuse or abuse, such as when a user's credentials are used across different identity providers (IdPs) in a suspicious manner.

  7. Security Focus: It targets tactics like initial access and credential access, with techniques related to valid accounts and single sign-on abuse.

Overall, this query helps security teams identify and investigate potential security incidents involving user accounts across different platforms.

Details

David Alonso profile picture

David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CLSigninLogs

Keywords

GoogleWorkspaceEntraIDUserDeviceIdentitySigninLogsAlertTypeIPAddressRiskLevelDuringSignInAppDisplayNameSecurityInvestigationToolLinkAlertIdEmail

Operators

letwhereagohas_anyextendtolowertostringprojectjoinkindonabsdatetime_difforder bydesc

Tactics

InitialAccessCredentialAccess

MITRE Techniques

Actions

GitHub