Query Details

GWS Alerts - First-Seen Alert Types Per User (Anomaly Hunt)

GWS Alerts First Seen Per User

Query

let baseline = 60d;
let recent   = 1d;
let historical =
    GWSAlerts_CL
    | where TimeGenerated between (ago(baseline) .. ago(recent))
    | extend User = tostring(AlertData.email)
    | distinct User, AlertType;
GWSAlerts_CL
| where TimeGenerated > ago(recent)
| extend User = tostring(AlertData.email)
| join kind=leftanti historical on User, AlertType
| project TimeGenerated, AlertId, User, Source, AlertType, MetadataSeverity,
          SecurityInvestigationToolLink
| order by TimeGenerated desc

Explanation

This query is designed to identify new alert types associated with users in a Google Workspace environment that have not been seen before within a specified time frame. Here's a simple breakdown:

  1. Purpose: The query aims to find pairs of users and alert types that are new or have not been observed in the past within a given baseline period. This can help in identifying unusual or potentially suspicious activities that warrant further investigation.

  2. Data Source: It uses data from Google Workspace alerts (GWSAlerts_CL).

  3. Time Frames:

    • Baseline Period: 60 days (historical data).
    • Recent Period: 1 day (current data).
  4. Process:

    • Historical Data: It first gathers distinct combinations of users and alert types from the past 60 days.
    • Recent Data: It then looks at the alert data from the last day.
    • Comparison: The query compares the recent data against the historical data to find user-alert type combinations that are new (i.e., not present in the historical data).
  5. Output: The results include details such as the time the alert was generated, alert ID, user, source, alert type, severity, and a link to the security investigation tool. The results are sorted by the time the alert was generated, in descending order.

  6. Use Case: This is useful for anomaly detection, specifically for discovering new alert types associated with users, which could indicate new or unexpected behavior that might require a closer look.

Details

David Alonso profile picture

David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL

Keywords

UserAlertTypeTimeGeneratedAlertIdSourceMetadataSeveritySecurityInvestigationToolLinkGoogleWorkspaceAnomalyDiscovery

Operators

letbetweenagoextendtostringdistinctwherejoinonprojectorder bydesc

Tactics

Discovery

Actions

GitHub