Query Details

GWS Alerts Overview

Query

id: 8b4e3d9f-2c5d-4f6b-ad3e-9c2e8f7b5a01
name: GWS Alerts - Inventory Overview by Source / Type / Severity
description: |
  High-level overview of all Workspace alerts ingested over a hunting horizon.
  Use as a starting pivot to spot anomalies in volume or new alert types
  appearing in the tenant for the first time.
requiredDataConnectors:
  - connectorId: GoogleWorkspaceDefinition
    dataTypes:
      - GWSAlerts_CL
tactics:
  - Discovery
query: |
  GWSAlerts_CL
  | where TimeGenerated > ago(30d)
  | summarize Alerts = count(),
              FirstSeen = min(TimeGenerated),
              LastSeen = max(TimeGenerated),
              UniqueAlertIds = dcount(AlertId)
              by Source, AlertType, AlertDataType, MetadataSeverity
  | order by Alerts desc
tags:
  - GoogleWorkspace
  - AlertCenter
  - Hunting

Explanation

This query is designed to provide a high-level overview of Google Workspace alerts over the past 30 days. It helps in identifying any unusual patterns or new types of alerts that have appeared for the first time. Here's a simplified breakdown of what the query does:

  1. Data Source: It uses data from Google Workspace alerts (GWSAlerts_CL).

  2. Time Frame: The query focuses on alerts generated in the last 30 days.

  3. Summarization: It counts the total number of alerts, identifies the first and last time each alert type was seen, and counts the number of unique alert IDs.

  4. Grouping: The results are grouped by the alert's source, type, data type, and severity level.

  5. Ordering: The summary is ordered by the number of alerts, from most to least.

This query is useful for discovering trends and anomalies in alert data, which can be crucial for security monitoring and threat hunting within Google Workspace environments.
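As an added example (not part of the original query or its author's page), the following KQL builds on the overview to directly surface the "new alert types appearing for the first time" case the description mentions: it baselines Source / AlertType / AlertDataType combinations over the earlier part of the horizon and keeps only those that first show up in the most recent window. The column names come from the page's query; the 30d horizon and 7d recent window are assumptions.

```kql
// Assumed windows: 30d hunting horizon, of which the last 7d is "recent".
let lookback = 30d;
let recent = 7d;
// Baseline: every Source / AlertType / AlertDataType combination seen in the
// earlier 23 days of the horizon (ago(30d) .. ago(7d)).
let baseline =
    GWSAlerts_CL
    | where TimeGenerated between (ago(lookback) .. ago(recent))
    | summarize BaselineAlerts = count() by Source, AlertType, AlertDataType;
// Recent window: same grouping, plus the severities observed per combination.
GWSAlerts_CL
| where TimeGenerated > ago(recent)
| summarize RecentAlerts = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            UniqueAlertIds = dcount(AlertId),
            Severities = make_set(MetadataSeverity)
            by Source, AlertType, AlertDataType
// leftanti keeps only recent combinations with no match in the baseline,
// i.e. alert types the tenant has not produced before in this horizon.
| join kind=leftanti baseline on Source, AlertType, AlertDataType
| order by RecentAlerts desc
```

A combination that appears here with a high RecentAlerts count and no baseline history is the volume-plus-novelty anomaly the overview query is meant to help you spot; widen `lookback` if the tenant's normal alert mix is seasonal.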

Details


David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL

Keywords

GoogleWorkspace, AlertCenter, Hunting, Alerts, Source, AlertType, AlertDataType, MetadataSeverity

Operators

where, ago, summarize, count, min, max, dcount, by, order by, desc