Query Details

GWS - Government-backed (State-Sponsored) Attack Warning

GWS Alerts State Sponsored Attack

Query

GWSAlerts_CL
| where Source == "Google identity" or AlertType == "Government attack warning"
     or AlertDataType endswith "StateSponsoredAttack"
| extend TargetUser = tostring(AlertData.email)
| project TimeGenerated, AlertId, MetadataSeverity, Source, AlertType,
          TargetUser, SecurityInvestigationToolLink, AlertData

Explanation

This query is part of a security monitoring setup that detects potential state-sponsored cyber attacks on Google Workspace accounts. Here's a simplified breakdown:

  • Purpose: The query is designed to identify alerts from Google Alert Center that indicate a high-confidence, state-sponsored attack on a user account within an organization. These alerts are critical and should prompt immediate incident response.

  • Severity: The alert is classified as "High" severity, meaning it requires urgent attention.

  • Data Source: It uses data from the Google Workspace alerts (specifically from the GWSAlerts_CL data type).

  • Query Details: The query runs every 10 minutes and looks back over the past hour. It searches for alerts where the source is "Google identity" or the alert type is "Government attack warning," or if the alert data type ends with "StateSponsoredAttack."

  • Output: The query extracts and displays information such as the time the alert was generated, alert ID, severity, source, type, targeted user, a link to a security investigation tool, and additional alert data.

  • Entity Mapping: It maps the targeted user to an "Account" entity and the investigation tool link to a "URL" entity for further analysis.

  • Incident Management: If an alert is detected, an incident is created. The system groups related incidents, but does not reopen closed incidents. It considers all entities within a 24-hour lookback period for grouping.

  • Tactics and Techniques: The query is associated with tactics like Initial Access and Credential Access, and techniques such as T1078.004 (Valid Accounts) and T1566 (Phishing).

  • Version and Type: This is version 1.0.0 of a scheduled query.

Details

David Alonso profile picture

David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL

Keywords

GoogleIdentityAlertGovernmentAttackWarningStateSponsoredAccountURL

Operators

whereorendswithextendtostringproject

Severity

High

Tactics

InitialAccessCredentialAccess

MITRE Techniques

Frequency: 10m

Period: 1h

Actions

GitHub