Query Details
id: 7a3f2c8e-1d4b-4e5a-9c2f-8b1d7e6a4f01
name: GWS - Government-backed (State-Sponsored) Attack Warning
description: |
  Google Alert Center has issued a state-sponsored attack warning for an account
  in the tenant. Google sends these only when there is high-confidence evidence
  of nation-state targeting. Treat as critical and engage IR.
severity: High
status: Available
requiredDataConnectors:
  - connectorId: GoogleWorkspaceDefinition
    dataTypes:
      - GWSAlerts_CL
queryFrequency: 10m
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - CredentialAccess
relevantTechniques:
  - T1078.004
  - T1566
query: |
  GWSAlerts_CL
  | where Source == "Google identity" or AlertType == "Government attack warning"
      or AlertDataType endswith "StateSponsoredAttack"
  | extend TargetUser = tostring(AlertData.email)
  | project TimeGenerated, AlertId, MetadataSeverity, Source, AlertType,
      TargetUser, SecurityInvestigationToolLink, AlertData
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: TargetUser
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: SecurityInvestigationToolLink
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 24h
    matchingMethod: AllEntities
version: 1.0.0
kind: Scheduled
This query is part of a security monitoring setup that detects potential state-sponsored cyber attacks on Google Workspace accounts. Here's a simplified breakdown:
Purpose: The query is designed to identify alerts from Google Alert Center that indicate a high-confidence, state-sponsored attack on a user account within an organization. These alerts are critical and should prompt immediate incident response.
Severity: The alert is classified as "High" severity, meaning it requires urgent attention.
Data Source: It uses data from the Google Workspace alerts (specifically from the GWSAlerts_CL data type).
Query Details: The query runs every 10 minutes and looks back over the past hour. It selects alerts that meet any one of three conditions: the source is "Google identity", the alert type is "Government attack warning", or the alert data type ends with "StateSponsoredAttack". Because the trigger is "greater than 0", a single matching row is enough to fire the rule.
Output: The query extracts and displays information such as the time the alert was generated, alert ID, severity, source, type, targeted user, a link to a security investigation tool, and additional alert data.
Entity Mapping: It maps the targeted user to an "Account" entity and the investigation tool link to a "URL" entity for further analysis.
Incident Management: If an alert is detected, an incident is created. Alert grouping is enabled with the "AllEntities" matching method, so a new alert joins an existing incident only when every mapped entity (the targeted account and the investigation link) matches an alert raised within the previous 24 hours; closed incidents are never reopened.
Tactics and Techniques: The query is associated with tactics like Initial Access and Credential Access, and techniques such as T1078.004 (Valid Accounts) and T1566 (Phishing).
Version and Type: This is version 1.0.0 of a scheduled query.
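To make the matching and grouping behaviour testable offline, here is an added Python re-implementation of the rule's KQL filter, projection and an approximation of the AllEntities grouping, run over constructed GWSAlerts_CL-style rows. It is example code, not part of the rule file or of Sentinel; the sample alert values and admin-console links are made up.

```python
from datetime import datetime, timedelta

# Constructed sample data shaped like the GWSAlerts_CL columns the rule uses.
T0 = datetime(2026, 5, 7, 9, 0)

def alert(minutes, aid, source, atype, dtype, link, email=None):
    return {"TimeGenerated": T0 + timedelta(minutes=minutes), "AlertId": aid,
            "MetadataSeverity": "HIGH", "Source": source, "AlertType": atype,
            "AlertDataType": dtype, "SecurityInvestigationToolLink": link,
            "AlertData": {"email": email} if email else {}}

SSA = "type.googleapis.com/google.apps.alertcenter.type.StateSponsoredAttack"
SAMPLE_ALERTS = [
    alert(0, "a-1", "Google identity", "Government attack warning", SSA, "https://admin.example/1", "alice@example.com"),
    alert(30, "a-2", "Gmail phishing", "User reported phishing", "custom.MailPhishing", "https://admin.example/2", "bob@example.com"),
    alert(120, "a-3", "Google identity", "Government attack warning", SSA, "https://admin.example/1", "alice@example.com"),
    alert(180, "a-4", "Other", "Other", "custom.statesponsoredattack", "https://admin.example/4"),  # no email
]

def matches_rule(row):
    """The rule's `where` clause. KQL `==` is case-sensitive; `endswith` is not."""
    return (row.get("Source") == "Google identity"
            or row.get("AlertType") == "Government attack warning"
            or str(row.get("AlertDataType") or "").lower().endswith("statesponsoredattack"))

def project(row):
    """The `extend` + `project` steps. KQL tostring() of a missing property yields ""."""
    data = row.get("AlertData") or {}
    return {"TimeGenerated": row["TimeGenerated"], "AlertId": row["AlertId"],
            "MetadataSeverity": row["MetadataSeverity"], "Source": row["Source"],
            "AlertType": row["AlertType"], "TargetUser": str(data.get("email") or ""),
            "SecurityInvestigationToolLink": row["SecurityInvestigationToolLink"], "AlertData": data}

def run_rule(rows):
    return [project(r) for r in rows if matches_rule(r)]

def group_into_incidents(results, lookback=timedelta(hours=24)):
    """Approximation of matchingMethod AllEntities: an alert joins an existing incident only
    when both mapped entities (Account, URL) are identical and the incident was created within
    the lookback window. Closed incidents are not modelled (reopenClosedIncident: false)."""
    incidents = []
    for r in sorted(results, key=lambda x: x["TimeGenerated"]):
        entities = (r["TargetUser"], r["SecurityInvestigationToolLink"])
        for inc in incidents:
            if inc["entities"] == entities and r["TimeGenerated"] - inc["created"] <= lookback:
                inc["alerts"].append(r["AlertId"])
                break
        else:
            incidents.append({"entities": entities, "alerts": [r["AlertId"]], "created": r["TimeGenerated"]})
    return incidents
```

Note that "a-4" matches only on the data-type suffix and has no email, so its Account entity is empty; in Sentinel such an alert would still raise an incident but without a usable account to pivot on.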

David Alonso
Released: May 7, 2026