GWS Alerts - First-Seen Alert Types Per User (Anomaly Hunt)
GWS Alerts First Seen Per User
Query
let baseline = 60d;
let recent = 1d;
let historical =
GWSAlerts_CL
| where TimeGenerated between (ago(baseline) .. ago(recent))
| extend User = tostring(AlertData.email)
| distinct User, AlertType;
GWSAlerts_CL
| where TimeGenerated > ago(recent)
| extend User = tostring(AlertData.email)
| join kind=leftanti historical on User, AlertType
| project TimeGenerated, AlertId, User, Source, AlertType, MetadataSeverity,
SecurityInvestigationToolLink
| order by TimeGenerated descExplanation
This query is designed to identify new alert types associated with users in a Google Workspace environment that have not been seen before within a specified time frame. Here's a simple breakdown:
-
Purpose: The query aims to find pairs of users and alert types that are new or have not been observed in the past within a given baseline period. This can help in identifying unusual or potentially suspicious activities that warrant further investigation.
-
Data Source: It uses data from Google Workspace alerts (
GWSAlerts_CL). -
Time Frames:
- Baseline Period: 60 days (historical data).
- Recent Period: 1 day (current data).
-
Process:
- Historical Data: It first gathers distinct combinations of users and alert types from the past 60 days.
- Recent Data: It then looks at the alert data from the last day.
- Comparison: The query compares the recent data against the historical data to find user-alert type combinations that are new (i.e., not present in the historical data).
-
Output: The results include details such as the time the alert was generated, alert ID, user, source, alert type, severity, and a link to the security investigation tool. The results are sorted by the time the alert was generated, in descending order.
-
Use Case: This is useful for anomaly detection, specifically for discovering new alert types associated with users, which could indicate new or unexpected behavior that might require a closer look.
Details

David Alonso
Released: May 7, 2026
Tables
Keywords
Operators
Tactics