Query Details

GWS - Mobile Device Compromised

GWS Alerts Device Compromised

Query

GWSAlerts_CL
| where Source == "Mobile device management"
     or AlertDataType endswith "DeviceCompromised"
     or AlertType has "Device compromised"
| extend User = tostring(AlertData.email),
         DeviceId = tostring(AlertData.deviceId),
         DeviceModel = tostring(AlertData.deviceModel)
| project TimeGenerated, AlertId, MetadataSeverity, AlertType,
          User, DeviceId, DeviceModel, SecurityInvestigationToolLink, AlertData

Explanation

This query is part of a scheduled alert system designed to identify and respond to compromised mobile devices within a Google Workspace environment. Here's a simplified breakdown:

  • Purpose: The query detects mobile devices flagged as compromised by the Workspace Mobile Device Management (MDM) system. This includes devices that are rooted, jailbroken, or infected with malware, which could impact Workspace data security.

  • Severity: The alert is classified as "High" severity, indicating a significant security concern.

  • Data Source: It uses data from the "GoogleWorkspaceDefinition" connector, specifically looking at "GWSAlerts_CL" data type.

  • Frequency and Duration: The query runs every 30 minutes and looks back over the past 2 hours to identify any new alerts.

  • Trigger Conditions: An alert is triggered if there is more than 0 (i.e., at least one) compromised device detected.

  • Tactics and Techniques: The alert is associated with tactics like "Initial Access" and "Persistence," and techniques such as "T1078.004" (Access Token Manipulation) and "T1474" (Supply Chain Compromise).

  • Query Logic: The query filters alerts from the "GWSAlerts_CL" table where the source is "Mobile device management" or the alert type indicates a device compromise. It extracts relevant information such as the user's email, device ID, and device model.

  • Entity Mappings: It maps the user information to an "Account" entity and the device ID to a "Host" entity for further investigation.

  • Incident Creation: If the query conditions are met, it automatically creates a security incident for further investigation.

  • Version and Type: This is version 1.0.0 of the query, and it is a "Scheduled" type, meaning it runs at regular intervals.

Overall, this query is part of a proactive security measure to quickly identify and respond to potential threats from compromised mobile devices in a Google Workspace environment.

Details

David Alonso profile picture

David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL

Keywords

MobileDeviceManagementUserAccountHostSecurityInvestigationToolAlertData

Operators

whereorendswithhasextendtostringproject

Severity

High

Tactics

InitialAccessPersistence

MITRE Techniques

Frequency: 30m

Period: 2h

Actions

GitHub