Query Details

GWS Alerts Phishing Detection Gap

Query

id: 8b4e3d9f-2c5d-4f6b-ad3e-9c2e8f7b5a06
name: GWS Alerts - Phishing User-Reported vs System-Detected Correlation
description: |
  Joins user-reported phishing with system-detected phishing/malware reclassification
  to find campaigns where users reported messages BEFORE Google reclassified them.
  Highlights detection-gap windows.
requiredDataConnectors:
  - connectorId: GoogleWorkspaceDefinition
    dataTypes:
      - GWSAlerts_CL
tactics:
  - InitialAccess
relevantTechniques:
  - T1566.001
query: |
  // User-reported side: one row per report, keyed on the reported message's subject and sender
  let userReported =
      GWSAlerts_CL
      | where AlertType has_any ("User reported phishing", "Suspicious message reported")
      | extend Subject = tostring(AlertData.messages[0].subject),
               Sender = tostring(AlertData.messages[0].fromHeader)
      | project ReportTime = TimeGenerated, Subject, Sender, ReportAlertId = AlertId;
  // System-detected side: Google's later reclassification of a delivered message as phishing or malware
  let reclassified =
      GWSAlerts_CL
      | where AlertType has_any ("Phishing reclassification", "Malware reclassification")
      | extend Subject = tostring(AlertData.messages[0].subject),
               Sender = tostring(AlertData.messages[0].fromHeader)
      | project ReclassifyTime = TimeGenerated, Subject, Sender, ReclassifyAlertId = AlertId;
  userReported
  // Exact Subject + Sender match; every report pairs with every matching reclassification
  | join kind=inner reclassified on Subject, Sender
  | extend GapHours = (ReclassifyTime - ReportTime) / 1h
  // Keep only reports filed before the system reclassified the message
  | where GapHours > 0
  | project ReportTime, ReclassifyTime, GapHours, Subject, Sender,
            ReportAlertId, ReclassifyAlertId
  | order by GapHours desc
tags:
  - GoogleWorkspace
  - Phishing

Explanation

This query is designed to identify phishing campaigns where users reported suspicious emails before Google's system reclassified them as phishing or malware. It does this by:

  1. Extracting alerts from Google Workspace where users reported phishing or suspicious messages, capturing details like the time reported, email subject, and sender.
  2. Extracting alerts where Google reclassified emails as phishing or malware, capturing similar details.
  3. Joining these two sets of data based on the email subject and sender to find matches.
  4. Calculating the time gap (in hours) between when a user reported the email and when Google reclassified it.
  5. Filtering the results to show only cases where the user reported the email before Google's reclassification.
  6. Displaying the results, sorted by the time gap in descending order, highlighting the detection-gap windows where user reports preceded system detection.

This helps in understanding and improving the timeliness of automated phishing detection systems.
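To check the expected output of the correlation without a workspace, the following is an added Python re-implementation of the same join and gap logic (not the page's query or Microsoft's code) run over constructed GWSAlerts_CL-style records; the record layout and the `_alert`, `_key`, `_ts` and `detection_gaps` helpers are assumptions modelled on the fields the KQL reads.

```python
"""Offline re-implementation of the GWS detection-gap correlation (added example).
Record layout is an assumption modelled on the fields the KQL reads."""
from datetime import datetime

USER_REPORTED = ("User reported phishing", "Suspicious message reported")
RECLASSIFIED = ("Phishing reclassification", "Malware reclassification")

def _alert(alert_id, alert_type, when, subject, sender):
    # One GWSAlerts_CL-like record; field layout assumed, mirroring AlertData.messages[0]
    return {"AlertId": alert_id, "AlertType": alert_type, "TimeGenerated": when,
            "AlertData": {"messages": [{"subject": subject, "fromHeader": sender}]}}

# Constructed sample data (not real alerts): two reports before one reclassification,
# one report after its reclassification, one report that is never reclassified.
SAMPLE_ALERTS = [
    _alert("r1", "User reported phishing", "2026-05-01T08:00:00Z", "Invoice overdue", "billing@example.net"),
    _alert("r2", "Suspicious message reported", "2026-05-01T09:30:00Z", "Invoice overdue", "billing@example.net"),
    _alert("c1", "Phishing reclassification", "2026-05-01T14:00:00Z", "Invoice overdue", "billing@example.net"),
    _alert("r3", "User reported phishing", "2026-05-02T12:00:00Z", "Payroll update", "hr@example.net"),
    _alert("c2", "Malware reclassification", "2026-05-02T10:00:00Z", "Payroll update", "hr@example.net"),
    _alert("r4", "User reported phishing", "2026-05-03T07:00:00Z", "Team lunch", "office@example.net"),
]

def _key(alert):
    # Join key used by the KQL: exact Subject + Sender match
    msg = alert["AlertData"]["messages"][0]
    return msg["subject"], msg["fromHeader"]

def _ts(alert):
    return datetime.fromisoformat(alert["TimeGenerated"].replace("Z", "+00:00"))

def detection_gaps(alerts):
    """Rows for pairs where the user report preceded reclassification, GapHours desc.
    Like the KQL inner join, each report pairs with every reclassification of the same
    Subject/Sender, so a campaign reported twice yields two rows. AlertType matching
    is exact here, a simplification of has_any."""
    reclassified = {}
    for alert in alerts:
        if alert["AlertType"] in RECLASSIFIED:
            reclassified.setdefault(_key(alert), []).append(alert)
    rows = []
    for report in alerts:
        if report["AlertType"] not in USER_REPORTED:
            continue
        for reclass in reclassified.get(_key(report), []):
            gap_hours = (_ts(reclass) - _ts(report)).total_seconds() / 3600
            if gap_hours > 0:  # drop reports filed after the system had already reclassified
                rows.append({"ReportAlertId": report["AlertId"], "ReclassifyAlertId": reclass["AlertId"],
                             "GapHours": gap_hours, "Subject": _key(report)[0], "Sender": _key(report)[1]})
    return sorted(rows, key=lambda row: row["GapHours"], reverse=True)
```

Running `detection_gaps(SAMPLE_ALERTS)` yields two rows for the "Invoice overdue" campaign (6.0 h and 4.5 h) and none for the report filed after its reclassification, which is the many-to-one behaviour to expect from the KQL join on a campaign reported by several users.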

Details

David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL

Keywords

GWSAlerts, AlertType, AlertData, TimeGenerated, AlertId, Subject, Sender, ReportTime, ReclassifyTime, GapHours, ReportAlertId, ReclassifyAlertId, GoogleWorkspace, Phishing

Operators

let, has_any, extend, tostring, project, join, kind=inner, on, where, /, >, order by, desc