Query Details
id: 7a3f2c8e-1d4b-4e5a-9c2f-8b1d7e6a4f09
name: GWS - Mobile Device Compromised
description: |
  Workspace MDM flagged a managed mobile device as compromised (e.g., rooted/jailbroken,
  malware-infected). Treat as endpoint compromise impacting Workspace data.
severity: High
status: Available
requiredDataConnectors:
  - connectorId: GoogleWorkspaceDefinition
    dataTypes:
      - GWSAlerts_CL
queryFrequency: 30m
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - Persistence
relevantTechniques:
  - T1078.004
  - T1474
query: |
  GWSAlerts_CL
  | where Source == "Mobile device management"
      or AlertDataType endswith "DeviceCompromised"
      or AlertType has "Device compromised"
  | extend User = tostring(AlertData.email),
           DeviceId = tostring(AlertData.deviceId),
           DeviceModel = tostring(AlertData.deviceModel)
  | project TimeGenerated, AlertId, MetadataSeverity, AlertType,
            User, DeviceId, DeviceModel, SecurityInvestigationToolLink, AlertData
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: User
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: DeviceId
incidentConfiguration:
  createIncident: true
version: 1.0.0
kind: Scheduled
This is a Microsoft Sentinel scheduled analytics rule (the YAML above) that raises an incident whenever Google Workspace reports a managed mobile device as compromised. A breakdown of its parts:
Purpose: The query detects mobile devices flagged as compromised by the Workspace Mobile Device Management (MDM) system. This includes devices that are rooted, jailbroken, or infected with malware, which could impact Workspace data security.
Severity: The alert is classified as "High" severity, indicating a significant security concern.
Data Source: It uses data from the "GoogleWorkspaceDefinition" connector, specifically looking at "GWSAlerts_CL" data type.
Frequency and Duration: The query runs every 30 minutes and looks back over the past 2 hours. Because the 2-hour lookback spans four consecutive runs, a single MDM alert can be returned by up to four executions; with no grouping configured under incidentConfiguration, each of those executions raises its own alert and incident, so in practice you want to deduplicate on AlertId (in the query or through alert grouping) before relying on this rule.
Trigger Conditions: An alert is triggered if there is more than 0 (i.e., at least one) compromised device detected.
Tactics and Techniques: The alert is tagged with the "Initial Access" and "Persistence" tactics and the techniques T1078.004 (Valid Accounts: Cloud Accounts, from the Enterprise matrix) and T1474 (Supply Chain Compromise, an ATT&CK for Mobile identifier rather than an Enterprise one).
Query Logic: The query keeps rows of the "GWSAlerts_CL" table whose Source is exactly "Mobile device management", whose AlertDataType ends with "DeviceCompromised", or whose AlertType contains the phrase "Device compromised" (KQL's endswith and has are case-insensitive, == is not). From the dynamic AlertData column it then extracts the user's email, device ID and device model with tostring(), which returns an empty string when a field is absent, and projects those alongside the alert ID, severity, type and the Security Investigation Tool link.
Entity Mappings: It maps User to an "Account" entity (FullName) and DeviceId to a "Host" entity (HostName). A Workspace MDM device ID is an opaque identifier rather than a hostname, so the Host entity will not correlate with hosts seen in other log sources; its value is in pivoting on the same device across Workspace alerts.
Incident Creation: If the query conditions are met, it automatically creates a security incident for further investigation.
Version and Type: This is version 1.0.0 of the query, and it is a "Scheduled" type, meaning it runs at regular intervals.
Overall, this query is part of a proactive security measure to quickly identify and respond to potential threats from compromised mobile devices in a Google Workspace environment.
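To make the filter, the field extraction and the overlapping-window behaviour described above concrete, here is an added example that is not part of the original page or of the Sentinel rule itself: the rule's predicate and projection replayed in Python over constructed GWSAlerts_CL rows, followed by a replay of six scheduled runs that shows how many times each alert surfaces with and without de-duplication on AlertId. Column names follow the rule; all row contents, timestamps and the AlertDataType strings are invented for the example.

```python
"""Replay of the 'GWS - Mobile Device Compromised' rule logic (added example, not the rule's own code)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like GWSAlerts_CL; every value below is made up.
T0 = datetime(2026, 5, 7, 9, 0, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    {"TimeGenerated": T0, "AlertId": "a-1", "Source": "Mobile device management",
     "AlertDataType": "type.googleapis.com/google.apps.alertcenter.type.DeviceCompromised",
     "AlertType": "Device compromised", "MetadataSeverity": "HIGH",
     "SecurityInvestigationToolLink": "https://admin.google.com/ac/sc/investigation",
     "AlertData": {"email": "alice@example.com", "deviceId": "dev-1", "deviceModel": "Pixel 8"}},
    # A Gmail phishing alert: must not match.
    {"TimeGenerated": T0 + timedelta(minutes=5), "AlertId": "a-2", "Source": "Gmail phishing",
     "AlertDataType": "type.googleapis.com/google.apps.alertcenter.type.MailPhishing",
     "AlertType": "User reported phishing", "MetadataSeverity": "MEDIUM",
     "SecurityInvestigationToolLink": "", "AlertData": {"email": "bob@example.com"}},
    # Source does not say MDM, but the data type still ends in DeviceCompromised.
    {"TimeGenerated": T0 + timedelta(minutes=40), "AlertId": "a-3", "Source": "Google identity",
     "AlertDataType": "type.googleapis.com/google.apps.alertcenter.type.DeviceCompromised",
     "AlertType": "Suspicious device", "MetadataSeverity": "HIGH",
     "SecurityInvestigationToolLink": "",
     "AlertData": {"email": "carol@example.com", "deviceId": "dev-3"}},  # no deviceModel
]


def at(minutes: int) -> datetime:
    """Helper for the tests: T0 plus a number of minutes."""
    return T0 + timedelta(minutes=minutes)


def matches_rule(row: dict) -> bool:
    """The rule's `where` clause. `==` is case-sensitive; `endswith` and `has` are not,
    and `has` is approximated here as a whole-phrase, case-insensitive match."""
    return (row.get("Source") == "Mobile device management"
            or str(row.get("AlertDataType", "")).lower().endswith("devicecompromised")
            or re.search(r"\bdevice compromised\b", str(row.get("AlertType", "")), re.I) is not None)


def project(row: dict) -> dict:
    """The rule's `extend` + `project`: tostring() of a missing dynamic field is ''."""
    data = row.get("AlertData") or {}
    return {
        "TimeGenerated": row["TimeGenerated"],
        "AlertId": row["AlertId"],
        "MetadataSeverity": row.get("MetadataSeverity"),
        "AlertType": row.get("AlertType"),
        "User": str(data.get("email") or ""),
        "DeviceId": str(data.get("deviceId") or ""),
        "DeviceModel": str(data.get("deviceModel") or ""),
        "SecurityInvestigationToolLink": row.get("SecurityInvestigationToolLink"),
        "AlertData": data,
    }


def run_rule(rows, now: datetime, query_period=timedelta(hours=2)) -> list:
    """One scheduled execution: rows inside the lookback window that satisfy the predicate."""
    start = now - query_period
    return [project(r) for r in rows if start < r["TimeGenerated"] <= now and matches_rule(r)]


def schedule(rows, first_run: datetime, last_run: datetime, frequency=timedelta(minutes=30)):
    """Replay successive runs. Returns (all_hits, new_hits): all_hits is what the rule raises
    with no grouping (one alert per run per matching row); new_hits is de-duplicated on AlertId."""
    seen, all_hits, new_hits = set(), [], []
    now = first_run
    while now <= last_run:
        for hit in run_rule(rows, now):
            all_hits.append((now, hit["AlertId"]))
            if hit["AlertId"] not in seen:
                seen.add(hit["AlertId"])
                new_hits.append((now, hit["AlertId"]))
        now += frequency
    return all_hits, new_hits


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_ROWS, at(60)):
        print(hit["AlertId"], hit["User"], hit["DeviceId"], repr(hit["DeviceModel"]))
    raw, deduped = schedule(SAMPLE_ROWS, at(30), at(180))
    print(f"raised without dedup: {len(raw)}, distinct alerts: {len(deduped)}")
```

With the three constructed rows the single run at T0+60m returns a-1 and a-3 (a-3 with an empty DeviceModel), and the six-run replay raises seven alerts for only two distinct AlertIds, which is the duplication the overlapping lookback produces.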

David Alonso
Released: May 7, 2026