Query Details

GWS Alerts Stale Alerts

Query

id: 8b4e3d9f-2c5d-4f6b-ad3e-9c2e8f7b5a03
name: GWS Alerts - Stale / Unassigned Alerts (Triage Hygiene)
description: |
  Surfaces alerts that have not been resolved or assigned, including those still
  in NOT_STARTED or IN_PROGRESS metadata status for over 7 days. Useful for SOC
  triage hygiene and SLA reporting.
requiredDataConnectors:
  - connectorId: GoogleWorkspaceDefinition
    dataTypes:
      - GWSAlerts_CL
tactics:
  - Discovery
query: |
  GWSAlerts_CL
  | where TimeGenerated > ago(60d)
  | where MetadataStatus in~ ("NOT_STARTED", "IN_PROGRESS", "")
       or isempty(MetadataStatus)
  | where TimeGenerated < ago(7d)
  | extend User = tostring(AlertData.email)
  | project TimeGenerated, AlertId, Source, AlertType, MetadataSeverity,
            MetadataStatus, MetadataAssignee, User, SecurityInvestigationToolLink
  | order by TimeGenerated asc
tags:
  - GoogleWorkspace
  - Operations

Explanation

This query is designed to identify alerts in Google Workspace that have not been resolved or assigned for more than 7 days. It focuses on alerts that are still in the "NOT_STARTED" or "IN_PROGRESS" status, or have no status at all, within the last 60 days. The query extracts relevant details such as the time the alert was generated, alert ID, source, type, severity, status, assignee, user email, and a link to the security investigation tool. The results are sorted by the time the alert was generated, in ascending order. This is useful for maintaining good triage practices and ensuring compliance with service level agreements (SLAs) in a Security Operations Center (SOC).
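To make the filter semantics concrete (case-insensitive status matching via `in~`, the null-or-blank handling from `isempty()`, and the 7-day / 60-day window), the following Python re-implements the query's logic over a constructed set of GWSAlerts_CL-like rows. It is an added illustration, not code from the page's author or from Microsoft Sentinel; the sample rows, the reference `NOW` timestamp and the two summary helpers (`age_buckets`, `by_assignee`, which go beyond the query toward the SLA reporting the description mentions) are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Reference "now" for the constructed sample; a live run would use datetime.now(timezone.utc).
NOW = datetime(2026, 5, 7, 12, 0, tzinfo=timezone.utc)


def _row(alert_id, age_days, status, assignee="", email="user@example.com", **extra):
    """Build one constructed GWSAlerts_CL-like row (sample data, not real alerts)."""
    row = {
        "TimeGenerated": NOW - timedelta(days=age_days),
        "AlertId": alert_id,
        "Source": "Gmail phishing",
        "AlertType": "User reported phishing",
        "MetadataSeverity": "HIGH",
        "MetadataStatus": status,
        "MetadataAssignee": assignee,
        "AlertData": {"email": email},
        "SecurityInvestigationToolLink": f"https://example.invalid/investigate/{alert_id}",
    }
    row.update(extra)
    return row


SAMPLE_ALERTS = [
    _row("a-001", 10, "NOT_STARTED"),                  # stale, unassigned
    _row("a-002", 20, "in_progress", assignee="bob"),  # stale; in~ is case-insensitive
    _row("a-003", 3, "NOT_STARTED"),                   # open, but younger than 7 days
    _row("a-004", 15, "CLOSED", assignee="bob"),       # resolved, excluded
    _row("a-005", 45, None),                           # null status -> isempty() is true
    _row("a-006", 70, "NOT_STARTED"),                  # older than the 60-day lookback
    _row("a-007", 8, "", AlertData={}),                # blank status, no email in AlertData
]


def is_open_status(status):
    """Mirror of: MetadataStatus in~ ("NOT_STARTED", "IN_PROGRESS", "") or isempty(MetadataStatus)."""
    if status is None:
        return True
    return status.upper() in {"NOT_STARTED", "IN_PROGRESS", ""}


def stale_alerts(rows, now=NOW, lookback_days=60, stale_days=7):
    """Apply the query's where/extend/project/order steps; returns rows oldest first."""
    lower = now - timedelta(days=lookback_days)   # TimeGenerated > ago(60d)
    upper = now - timedelta(days=stale_days)      # TimeGenerated < ago(7d)
    out = []
    for r in rows:
        t = r["TimeGenerated"]
        if not (lower < t < upper):
            continue
        if not is_open_status(r.get("MetadataStatus")):
            continue
        alert_data = r.get("AlertData") or {}
        out.append({
            "TimeGenerated": t,
            "AlertId": r["AlertId"],
            "Source": r["Source"],
            "AlertType": r["AlertType"],
            "MetadataSeverity": r["MetadataSeverity"],
            "MetadataStatus": r.get("MetadataStatus"),
            "MetadataAssignee": r.get("MetadataAssignee", ""),
            "User": str(alert_data.get("email", "")),   # tostring(AlertData.email)
            "SecurityInvestigationToolLink": r["SecurityInvestigationToolLink"],
        })
    out.sort(key=lambda x: x["TimeGenerated"])   # order by TimeGenerated asc
    return out


def age_buckets(stale, now=NOW):
    """SLA view (assumed bands): how many stale alerts fall into each age band."""
    buckets = {"7-14d": 0, "14-30d": 0, "30d+": 0}
    for r in stale:
        age = (now - r["TimeGenerated"]).days
        if age < 14:
            buckets["7-14d"] += 1
        elif age < 30:
            buckets["14-30d"] += 1
        else:
            buckets["30d+"] += 1
    return buckets


def by_assignee(stale):
    """Count stale alerts per assignee, treating a blank assignee as unassigned."""
    counts = {}
    for r in stale:
        who = r["MetadataAssignee"] or "(unassigned)"
        counts[who] = counts.get(who, 0) + 1
    return counts


if __name__ == "__main__":
    found = stale_alerts(SAMPLE_ALERTS)
    for r in found:
        print(r["AlertId"], (NOW - r["TimeGenerated"]).days, "days", r["MetadataStatus"], r["User"])
    print(age_buckets(found))
    print(by_assignee(found))
```

Run as a script it lists the four stale rows oldest first, then the age-band and per-assignee counts. The two rows it deliberately exercises are the null and blank `MetadataStatus` cases: the KQL `in~ ("...", "")` clause alone would miss a null column, which is why the query also has `or isempty(MetadataStatus)`, and the Python mirrors both.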

Details


David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL

Keywords

GWSAlerts_CL, TimeGenerated, MetadataStatus, MetadataSeverity, MetadataAssignee, User, SecurityInvestigationToolLink, AlertId, Source, AlertType, GoogleWorkspace, Operations

Operators

ago(), in~, isempty(), extend, tostring(), project, order by, asc, where
