Query Details

GWS Alerts Phishing Spike

Query

id: 7a3f2c8e-1d4b-4e5a-9c2f-8b1d7e6a4f0a
name: GWS - Phishing Alert Spike Across Multiple Users
description: |
  Five or more distinct users received phishing-related alerts in a 1-hour window.
  Suggests an active campaign hitting the tenant.
severity: Medium
status: Available
requiredDataConnectors:
  - connectorId: GoogleWorkspaceDefinition
    dataTypes:
      - GWSAlerts_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1566.001
  - T1566.002
query: |
  GWSAlerts_CL
  | where Source == "Gmail phishing" or AlertDataType endswith "MailPhishing"
  | extend User = tostring(AlertData.email)
  | summarize Users = make_set(User, 100), AlertCount = count(),
              FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
              by bin(TimeGenerated, 1h)
  | where array_length(Users) >= 5
  | mv-expand User = Users to typeof(string)
  | project TimeGenerated, FirstSeen, LastSeen, AlertCount, User
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: User
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 4h
    matchingMethod: AnyAlert
version: 1.0.0
kind: Scheduled

Explanation

This query is designed to detect a potential phishing campaign targeting multiple users within a Google Workspace environment. Here's a simplified breakdown:

  • Purpose: The query identifies instances where five or more distinct users receive phishing-related alerts within a one-hour period. This pattern suggests an active phishing campaign affecting the organization.

  • Severity: The alert is classified as "Medium" severity, indicating a moderate level of concern.

  • Data Source: The query reads the Google Workspace alert table (GWSAlerts_CL) and keeps alerts whose Source is "Gmail phishing" or whose AlertDataType ends with "MailPhishing".

  • Frequency and Period: The query runs every hour and examines data from the past hour.

  • Detection Logic:

    • It filters alerts to those whose Source is "Gmail phishing" or whose AlertDataType ends with "MailPhishing".
    • It extracts the email address of the user who received each alert from AlertData.email.
    • It groups alerts into one-hour bins and, per bin, collects the set of distinct users (capped at 100) and the total number of alerts, along with the first and last alert times.
    • It keeps only bins in which five or more distinct users were affected.
    • If the condition is met, it expands the user set into one row per user and projects the bin time, first and last seen times, alert count and user.

  • Incident Handling: If the query conditions are met, it creates an incident. Alerts raised within a 4-hour lookback are grouped into the same incident, and closed incidents are not reopened.

  • Mapping: The query maps the detected users to an "Account" entity type for further analysis.

  • Techniques and Tactics: The query is associated with the "Initial Access" tactic and techniques T1566.001 and T1566.002, which relate to phishing.

Overall, this query helps security teams quickly identify and respond to potential phishing attacks targeting multiple users in a short timeframe.
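The detection logic above, re-implemented in Python over a handful of constructed GWSAlerts_CL records so the hourly binning, distinct-user threshold and mv-expand output can be checked offline. This is an added example, not code from the rule or from Microsoft Sentinel; the record shape (TimeGenerated, Source, AlertDataType, AlertData.email) and the sample AlertDataType strings are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample GWSAlerts_CL records (not real tenant data); only the
# columns the rule touches are modelled: TimeGenerated, Source, AlertDataType, AlertData.
def make_alert(ts, email, source="Gmail phishing",
               dtype="google.apps.alertcenter.type.MailPhishing"):
    return {"TimeGenerated": ts, "Source": source, "AlertDataType": dtype,
            "AlertData": {"email": email}}

SAMPLE_ALERTS = [make_alert(f"2026-05-07T09:0{i}:00", f"user{i}@example.com")
                 for i in range(1, 7)]                          # six users, 09:01-09:06
SAMPLE_ALERTS += [
    make_alert("2026-05-07T09:45:00", "user1@example.com"),     # repeat user, same hour
    make_alert("2026-05-07T09:30:00", "admin@example.com",      # not a phishing alert
               source="Google Operations", dtype="google.apps.alertcenter.type.GoogleOperations"),
    make_alert("2026-05-07T10:15:00", "user9@example.com"),     # next hourly bin, one user
]

def is_phishing_alert(rec):
    """The rule's where clause: Source match OR AlertDataType suffix match."""
    return (rec.get("Source") == "Gmail phishing"
            or str(rec.get("AlertDataType", "")).endswith("MailPhishing"))

def phishing_spikes(alerts, threshold=5, window=timedelta(hours=1)):
    """Reproduce extend/summarize/where: bucket alerts into fixed bins like
    bin(TimeGenerated, 1h) and keep bins with >= threshold distinct users.
    Caveat (same as the KQL): bins are fixed clock buckets, so a burst that
    straddles a boundary is split and may stay under threshold in each half."""
    bins = defaultdict(lambda: {"Users": set(), "AlertCount": 0,
                                "FirstSeen": None, "LastSeen": None})
    for rec in alerts:
        if not is_phishing_alert(rec):
            continue
        ts = datetime.fromisoformat(rec["TimeGenerated"])
        start = ts - (ts - datetime.min) % window              # floor to bin boundary
        b = bins[start]
        b["Users"].add(str(rec["AlertData"].get("email", "")))  # tostring(AlertData.email)
        b["AlertCount"] += 1
        b["FirstSeen"] = ts if b["FirstSeen"] is None else min(b["FirstSeen"], ts)
        b["LastSeen"] = ts if b["LastSeen"] is None else max(b["LastSeen"], ts)
    return {s: b for s, b in bins.items() if len(b["Users"]) >= threshold}

def expand_rows(spikes):
    """mv-expand + project: one output row per affected user in each spike bin."""
    return [{"TimeGenerated": start, "FirstSeen": b["FirstSeen"], "LastSeen": b["LastSeen"],
             "AlertCount": b["AlertCount"], "User": user}
            for start, b in sorted(spikes.items()) for user in sorted(b["Users"])]
```

With the sample data, only the 09:00 bin fires (six distinct users, seven alerts); the 10:15 alert lands in the next bin and stays under threshold, which is the boundary behaviour to keep in mind when tuning queryPeriod against bin size.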

Details

David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL

Keywords

GWSAlerts_CL, Gmail phishing, MailPhishing, User, AlertData, email, TimeGenerated, Account, FullName

Operators

where, or, endswith, extend, tostring, summarize, make_set, count, min, max, by, bin, array_length, mv-expand, project