Query Details

GWS Alerts Leaked Password Chain

Query

id: 7a3f2c8e-1d4b-4e5a-9c2f-8b1d7e6a4f07
name: GWS - Leaked Password Followed by Suspicious Login (Chained)
description: |
  Correlation: a 'Leaked password' alert was followed within 24 hours by any
  suspicious-login or programmatic-login alert for the same account.
  Strong indicator of credential-stuffing-driven account takeover.
severity: High
status: Available
requiredDataConnectors:
  - connectorId: GoogleWorkspaceDefinition
    dataTypes:
      - GWSAlerts_CL
queryFrequency: 1h
queryPeriod: 25h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - CredentialAccess
relevantTechniques:
  - T1078.004
  - T1110.004
query: |
  let leaks =
      GWSAlerts_CL
      | where AlertType has "Leaked password"
      | extend User = tostring(AlertData.email)
      | project LeakTime = TimeGenerated, User, LeakAlertId = AlertId;
  let logins =
      GWSAlerts_CL
      | where AlertType has_any ("Suspicious login", "Suspicious programmatic login")
      | extend User = tostring(AlertData.email)
      | project LoginTime = TimeGenerated, User, LoginAlertId = AlertId,
                LoginAlertType = AlertType, LoginLink = SecurityInvestigationToolLink;
  leaks
  | join kind=inner logins on User
  | where LoginTime between (LeakTime .. LeakTime + 24h)
  | project LeakTime, LoginTime, User, LeakAlertId, LoginAlertId,
            LoginAlertType, LoginLink
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: User
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: LoginLink
incidentConfiguration:
  createIncident: true
version: 1.0.0
kind: Scheduled

Explanation

This query is designed to detect potential account takeovers in Google Workspace by identifying suspicious login activities that occur shortly after a password leak. Here's a simplified breakdown:

  1. Purpose: The query looks for a "Leaked password" alert that is followed, within 24 hours and for the same account, by a "Suspicious login" or "Suspicious programmatic login" alert. Google raising a leaked-password alert and then flagging a login on the same account is the sequence you expect when the exposed credential is replayed in a credential-stuffing attempt, so the chain is treated as a probable account takeover rather than two unrelated notices.

  2. Severity and Status: The alert generated by this query is considered high severity and is currently available for use.

  3. Data Source: It uses data from Google Workspace alerts, specifically looking at the GWSAlerts_CL data type.

  4. Frequency and Period: The query runs every hour and looks back over the past 25 hours. The extra hour matters: a login alert that arrived in the most recent hour can be preceded by a leak alert up to 24 hours earlier, so a 24-hour lookback would silently drop pairs whose leak fell at the edge of the window.

  5. Detection Logic:

    • It first selects "Leaked password" alerts and extracts the user's email (AlertData.email), the alert time and the alert ID.
    • It then selects "Suspicious login" and "Suspicious programmatic login" alerts, extracting the same fields plus the alert type and the Security Investigation Tool link.
    • It inner-joins the two sets on the user's email and keeps only pairs where the login alert falls between the leak time and 24 hours after it; KQL's between is inclusive at both ends, so a login exactly 24 hours later still matches, while a login that fired before the leak alert does not. Because the join is kind=inner rather than Kusto's default innerunique, an account with several leak alerts and several login alerts inside the window produces one row per pair; if that is too noisy, collapse the result to the earliest login per leak with a summarize before projecting.

  6. Output: The query outputs details such as the times of the leak and login, user email, alert IDs, and a link for further investigation.

  7. Incident Creation: If the query finds any matches, it automatically creates an incident for further investigation.

  8. Tactics and Techniques: The query is mapped to the Initial Access and Credential Access tactics, and to the techniques Valid Accounts: Cloud Accounts (T1078.004) and Brute Force: Credential Stuffing (T1110.004). Note that T1110.004 is credential stuffing, not password spraying (which is T1110.003); the distinction fits this rule, since the precondition is a known-leaked password being replayed, not a common password tried across many accounts.

This query helps security teams quickly identify and respond to potential security breaches involving compromised credentials.
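To see the correlation semantics on concrete data, here is an added Python re-implementation of the rule's join-and-window logic run over constructed alert rows. It is example code written for this explanation, not part of the rule, the page or Google Workspace; the rows, email addresses, alert IDs and investigation links are invented, and the substring check standing in for KQL's term-based has is a simplification. The sample set includes a login before the leak, one exactly 24 hours after it, one a second too late, and one for a different account, so the window edges are exercised; a second helper shows the earliest-login-per-leak collapse mentioned above.

```python
from datetime import datetime, timedelta

# Constructed sample rows shaped like GWSAlerts_CL (hypothetical data, not
# real Google Workspace output; emails, IDs and links are placeholders).
SAMPLE_ALERTS = [
    {"TimeGenerated": "2026-05-06T08:00:00Z", "AlertType": "Leaked password",
     "AlertId": "leak-1", "AlertData": {"email": "alice@example.com"},
     "SecurityInvestigationToolLink": ""},
    {"TimeGenerated": "2026-05-06T07:00:00Z", "AlertType": "Suspicious login",
     "AlertId": "login-0", "AlertData": {"email": "alice@example.com"},
     "SecurityInvestigationToolLink": "https://example.invalid/sit/login-0"},  # before the leak
    {"TimeGenerated": "2026-05-06T08:45:00Z", "AlertType": "Suspicious login",
     "AlertId": "login-1", "AlertData": {"email": "alice@example.com"},
     "SecurityInvestigationToolLink": "https://example.invalid/sit/login-1"},  # 45 min after
    {"TimeGenerated": "2026-05-07T08:00:00Z", "AlertType": "Suspicious programmatic login",
     "AlertId": "login-2", "AlertData": {"email": "alice@example.com"},
     "SecurityInvestigationToolLink": "https://example.invalid/sit/login-2"},  # exactly +24h
    {"TimeGenerated": "2026-05-07T08:00:01Z", "AlertType": "Suspicious login",
     "AlertId": "login-3", "AlertData": {"email": "alice@example.com"},
     "SecurityInvestigationToolLink": "https://example.invalid/sit/login-3"},  # one second late
    {"TimeGenerated": "2026-05-06T10:00:00Z", "AlertType": "Suspicious login",
     "AlertId": "login-4", "AlertData": {"email": "bob@example.com"},
     "SecurityInvestigationToolLink": "https://example.invalid/sit/login-4"},  # other account
    {"TimeGenerated": "2026-05-06T12:00:00Z", "AlertType": "Leaked password",
     "AlertId": "leak-2", "AlertData": {"email": "carol@example.com"},
     "SecurityInvestigationToolLink": ""},                                     # no follow-up
    {"TimeGenerated": "2026-05-06T09:00:00Z", "AlertType": "User reported phishing",
     "AlertId": "other-1", "AlertData": {"email": "alice@example.com"},
     "SecurityInvestigationToolLink": ""},                                     # unrelated type
]

LOGIN_TYPES = ("Suspicious login", "Suspicious programmatic login")


def _ts(value):
    """Parse the ISO-8601 TimeGenerated string into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _has(haystack, needle):
    """Case-insensitive substring test; a simplification of KQL's term-based `has`."""
    return needle.lower() in haystack.lower()


def correlate(alerts, window_hours=24):
    """Return one row per (leak alert, login alert) pair for the same user where
    the login falls within [LeakTime, LeakTime + window], both ends inclusive,
    mirroring `join kind=inner ... | where LoginTime between (LeakTime .. LeakTime + 24h)`."""
    window = timedelta(hours=window_hours)
    leaks = [a for a in alerts if _has(a["AlertType"], "Leaked password")]
    logins = [a for a in alerts if any(_has(a["AlertType"], t) for t in LOGIN_TYPES)]
    rows = []
    for leak in leaks:
        user = leak["AlertData"]["email"]
        leak_time = _ts(leak["TimeGenerated"])
        for login in logins:
            if login["AlertData"]["email"] != user:
                continue  # join key mismatch: different account
            login_time = _ts(login["TimeGenerated"])
            if leak_time <= login_time <= leak_time + window:
                rows.append({
                    "LeakTime": leak_time, "LoginTime": login_time, "User": user,
                    "LeakAlertId": leak["AlertId"], "LoginAlertId": login["AlertId"],
                    "LoginAlertType": login["AlertType"],
                    "LoginLink": login["SecurityInvestigationToolLink"],
                })
    return sorted(rows, key=lambda r: (r["LeakTime"], r["LoginTime"]))


def first_login_per_leak(rows):
    """Collapse the pair-per-row output to the earliest login per leak alert,
    the equivalent of `summarize arg_min(LoginTime, *) by LeakAlertId`."""
    best = {}
    for row in rows:
        key = row["LeakAlertId"]
        if key not in best or row["LoginTime"] < best[key]["LoginTime"]:
            best[key] = row
    return sorted(best.values(), key=lambda r: r["LeakTime"])


if __name__ == "__main__":
    for row in correlate(SAMPLE_ALERTS):
        print(row["User"], row["LeakAlertId"], "->", row["LoginAlertId"], row["LoginTime"])
```

Running it yields two rows for alice (login-1 and login-2, the second showing the inclusive upper bound), nothing for bob or carol, and nothing for login-0 or login-3; first_login_per_leak reduces those two rows to the login-1 pair, which is what you would want if one incident per compromised account is the goal.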

Details


David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL

Keywords

GoogleWorkspaceDefinition, GWSAlerts_CL, AlertType, AlertData, Email, TimeGenerated, AlertId, SecurityInvestigationToolLink, Account, URL

Operators

let, has, tostring, project, has_any, join, between
