GWS - Government-backed (State-Sponsored) Attack Warning
GWS Alerts State Sponsored Attack
Query
GWSAlerts_CL
| where Source == "Google identity" or AlertType == "Government attack warning"
or AlertDataType endswith "StateSponsoredAttack"
| extend TargetUser = tostring(AlertData.email)
| project TimeGenerated, AlertId, MetadataSeverity, Source, AlertType,
TargetUser, SecurityInvestigationToolLink, AlertDataExplanation
This query is part of a security monitoring setup that detects potential state-sponsored cyber attacks on Google Workspace accounts. Here's a simplified breakdown:
-
Purpose: The query is designed to identify alerts from Google Alert Center that indicate a high-confidence, state-sponsored attack on a user account within an organization. These alerts are critical and should prompt immediate incident response.
-
Severity: The alert is classified as "High" severity, meaning it requires urgent attention.
-
Data Source: It uses data from the Google Workspace alerts (specifically from the
GWSAlerts_CLdata type). -
Query Details: The query runs every 10 minutes and looks back over the past hour. It searches for alerts where the source is "Google identity" or the alert type is "Government attack warning," or if the alert data type ends with "StateSponsoredAttack."
-
Output: The query extracts and displays information such as the time the alert was generated, alert ID, severity, source, type, targeted user, a link to a security investigation tool, and additional alert data.
-
Entity Mapping: It maps the targeted user to an "Account" entity and the investigation tool link to a "URL" entity for further analysis.
-
Incident Management: If an alert is detected, an incident is created. The system groups related incidents, but does not reopen closed incidents. It considers all entities within a 24-hour lookback period for grouping.
-
Tactics and Techniques: The query is associated with tactics like Initial Access and Credential Access, and techniques such as T1078.004 (Valid Accounts) and T1566 (Phishing).
-
Version and Type: This is version 1.0.0 of a scheduled query.
