Query Details

GWS Alerts First Seen Per User

Query

id: 8b4e3d9f-2c5d-4f6b-ad3e-9c2e8f7b5a07
name: GWS Alerts - First-Seen Alert Types Per User (Anomaly Hunt)
description: |
  Surfaces (User, AlertType) pairs that have never been observed in the tenant
  before within the chosen baseline window. New alert categories on a user are
  worth a manual look.
requiredDataConnectors:
  - connectorId: GoogleWorkspaceDefinition
    dataTypes:
      - GWSAlerts_CL
tactics:
  - Discovery
query: |
  let baseline = 60d;
  let recent   = 1d;
  let historical =
      GWSAlerts_CL
      | where TimeGenerated between (ago(baseline) .. ago(recent))
      | extend User = tostring(AlertData.email)
      | distinct User, AlertType;
  GWSAlerts_CL
  | where TimeGenerated > ago(recent)
  | extend User = tostring(AlertData.email)
  | join kind=leftanti historical on User, AlertType
  | project TimeGenerated, AlertId, User, Source, AlertType, MetadataSeverity,
            SecurityInvestigationToolLink
  | order by TimeGenerated desc
tags:
  - GoogleWorkspace
  - Anomaly
  - Discovery

Explanation

This query is designed to identify new alert types associated with users in a Google Workspace environment that have not been seen before within a specified time frame. Here's a simple breakdown:

  1. Purpose: The query finds (user, alert type) pairs that were not observed at all during the baseline period. This helps surface unusual or potentially suspicious activity that warrants further investigation.

  2. Data Source: It uses data from Google Workspace alerts (GWSAlerts_CL).

  3. Time Frames:

    • Baseline Period: 60 days (historical data).
    • Recent Period: 1 day (current data).

  4. Process:

    • Historical Data: It first gathers distinct combinations of users and alert types from the past 60 days, excluding the most recent day.
    • Recent Data: It then looks at the alert data from the last day.
    • Comparison: The query compares the recent data against the historical data to find user-alert type combinations that are new (i.e., not present in the historical data).

  5. Output: The results include details such as the time the alert was generated, alert ID, user, source, alert type, severity, and a link to the security investigation tool. The results are sorted by the time the alert was generated, in descending order.

  6. Use Case: This is useful for anomaly detection, specifically for discovering new alert types associated with users, which could indicate new or unexpected behavior that might require a closer look.
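To make the baseline/recent comparison concrete, the following Python re-implements the query's logic over a handful of constructed GWSAlerts_CL-shaped records. This is an added illustration, not code from the query author or from Microsoft Sentinel; the sample rows, the NOW timestamp, the investigation-tool URLs and the function names (first_seen_pairs, user_of) are all assumptions made here. The same inclusive "between" baseline window and the leftanti-join semantics of the KQL are reproduced so that the two edge cases a practitioner should know about are visible: a pair whose only prior occurrence is older than the baseline window is reported as new, and several recent alerts for the same new pair are all reported (nothing de-duplicates within the recent window).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: a fixed "now" and rows shaped like GWSAlerts_CL records.
# None of this is real tenant data.
NOW = datetime(2026, 5, 7, 12, 0, tzinfo=timezone.utc)


def _row(alert_id, email, alert_type, age, severity="MEDIUM", source="Google Operations"):
    """Build one constructed alert record; AlertData mirrors the dynamic column in the real table."""
    return {
        "TimeGenerated": NOW - age,
        "AlertId": alert_id,
        "AlertData": {"email": email},
        "Source": source,
        "AlertType": alert_type,
        "MetadataSeverity": severity,
        # placeholder link, not a real admin-console URL
        "SecurityInvestigationToolLink": f"https://admin.example.invalid/alerts/{alert_id}",
    }


SAMPLE_ALERTS = [
    _row("A0", "alice@example.com", "Suspicious login", timedelta(days=10)),    # in baseline
    _row("A1", "alice@example.com", "Suspicious login", timedelta(hours=6)),    # recent, pair already seen
    _row("A2", "bob@example.com", "Leaked password", timedelta(hours=2), "HIGH"),  # recent, brand new pair
    _row("A3", "carol@example.com", "Device compromised", timedelta(hours=5), "HIGH"),  # recent
    _row("A4", "carol@example.com", "Device compromised", timedelta(days=90), "HIGH"),  # older than baseline
    _row("A5", "dave@example.com", "Phishing reported", timedelta(hours=20), "LOW"),  # recent, new pair
    _row("A6", "dave@example.com", "Phishing reported", timedelta(hours=3), "LOW"),   # recent, same new pair
]


def user_of(row):
    """tostring(AlertData.email): a missing property becomes the empty string, as in KQL."""
    return str(row.get("AlertData", {}).get("email") or "")


def first_seen_pairs(rows, now=NOW, baseline_days=60, recent_days=1):
    """Return recent alerts whose (User, AlertType) pair never appeared in the baseline window.

    historical: distinct pairs with TimeGenerated between ago(baseline) .. ago(recent) (inclusive).
    recent:     rows with TimeGenerated > ago(recent), anti-joined against historical.
    """
    hist_start = now - timedelta(days=baseline_days)
    recent_start = now - timedelta(days=recent_days)

    historical = {
        (user_of(r), r["AlertType"])
        for r in rows
        if hist_start <= r["TimeGenerated"] <= recent_start
    }

    projected = ("TimeGenerated", "AlertId", "Source", "AlertType",
                 "MetadataSeverity", "SecurityInvestigationToolLink")
    hits = [
        {**{k: r[k] for k in projected}, "User": user_of(r)}
        for r in rows
        if r["TimeGenerated"] > recent_start
        and (user_of(r), r["AlertType"]) not in historical
    ]
    # order by TimeGenerated desc
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)


if __name__ == "__main__":
    for hit in first_seen_pairs(SAMPLE_ALERTS):
        print(hit["TimeGenerated"].isoformat(), hit["AlertId"], hit["User"], hit["AlertType"])
```

Running it reports A2, A6, A3 and A5 (newest first) and suppresses A1, because alice already had a "Suspicious login" alert inside the baseline. Carol's A3 is reported even though she had the same alert type 90 days ago, since that occurrence falls outside the 60-day window; widening baseline_days to 120 suppresses it. Dave's A5 and A6 are both reported, so when triaging a busy tenant it can be worth adding a summarize step over (User, AlertType) in the recent window before reviewing.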

Details

David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL

Keywords

User, AlertType, TimeGenerated, AlertId, Source, MetadataSeverity, SecurityInvestigationToolLink, GoogleWorkspace, Anomaly, Discovery

Operators

let, between, ago, extend, tostring, distinct, where, join, on, project, order by, desc