Query Details

GWS Alerts Suspicious Programmatic Login

Query

id: 8b4e3d9f-2c5d-4f6b-ad3e-9c2e8f7b5a02
name: GWS Alerts - Suspicious Programmatic Login (OAuth Abuse)
description: |
  Hunt for "Suspicious programmatic login" alerts. These typically indicate token
  theft, OAuth grant abuse, or service-account misuse - patterns documented in
  the GCP Pentest Checklist (OAuth/IAM persistence section). Pivot on user and
  source IP to find the abused identity / token.
requiredDataConnectors:
  - connectorId: GoogleWorkspaceDefinition
    dataTypes:
      - GWSAlerts_CL
tactics:
  - InitialAccess
  - CredentialAccess
relevantTechniques:
  - T1078.004
  - T1550.001
query: |
  GWSAlerts_CL
  | where TimeGenerated > ago(14d)
  | where AlertType has_any ("Suspicious programmatic login",
                             "Suspicious login from a less secure app")
  | extend User = tostring(AlertData.email),
           ClientIp = tostring(AlertData.loginDetails.ipAddress),
           AppName = tostring(coalesce(AlertData.appName, AlertData.applicationName))
  | summarize Alerts = count(),
              IPs = make_set(ClientIp, 50),
              Apps = make_set(AppName, 50),
              FirstSeen = min(TimeGenerated),
              LastSeen = max(TimeGenerated)
              by User, AlertType
  | order by Alerts desc
tags:
  - GoogleWorkspace
  - OAuth
  - GCPPentestChecklist

Explanation

This query is designed to identify and analyze suspicious programmatic login alerts in Google Workspace, which might indicate issues like token theft or OAuth abuse. Here's a simple breakdown:

  1. Purpose: The query hunts for alerts related to suspicious programmatic logins, which could suggest unauthorized access through token theft or misuse of OAuth grants.

  2. Data Source: It uses data from Google Workspace alerts (GWSAlerts_CL).

  3. Time Frame: It looks at alerts generated in the last 14 days.

  4. Alert Types: It focuses on alerts labeled as "Suspicious programmatic login" or "Suspicious login from a less secure app."

  5. Data Extraction: For each alert, it extracts:

    • User email
    • Client IP address
    • Application name involved in the alert

  6. Aggregation: It summarizes the data by:

    • Counting the number of alerts per user and alert type
    • Listing up to 50 unique IP addresses and application names associated with each user
    • Recording the first and last time each alert type was seen

  7. Sorting: The results are ordered by the number of alerts in descending order, highlighting users with the most alerts.

  8. Tags and Context: The query is tagged with Google Workspace, OAuth, and GCP Pentest Checklist, indicating its relevance to these areas.

Overall, this query helps security teams identify potential security breaches related to OAuth abuse by analyzing login patterns and alerting on unusual activities.
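To validate the field extraction before running the hunt against live data, and to show the source-IP pivot the description mentions, here is an added KQL example (not part of the original query). It runs the same extraction and aggregation over a constructed `datatable` standing in for GWSAlerts_CL, then expands the per-user IP sets to surface any IP that touches more than one identity; the sample rows, addresses and app names are constructed, and the `ago(14d)` filter is dropped because the sample timestamps are fixed.

```kusto
// Constructed stand-in for GWSAlerts_CL; the rows below are sample data, not real alerts.
// Row 2 carries applicationName instead of appName to exercise the coalesce() fallback;
// row 4 is an unrelated alert type that the has_any filter must drop.
let SampleAlerts = datatable(TimeGenerated:datetime, AlertType:string, AlertData:dynamic)
[
    datetime(2026-05-01T08:12:00Z), "Suspicious programmatic login",
        dynamic({"email":"alice@example.com","appName":"mail-sync-tool",
                 "loginDetails":{"ipAddress":"203.0.113.10"}}),
    datetime(2026-05-01T09:40:00Z), "Suspicious programmatic login",
        dynamic({"email":"alice@example.com","applicationName":"mail-sync-tool",
                 "loginDetails":{"ipAddress":"198.51.100.7"}}),
    datetime(2026-05-02T11:05:00Z), "Suspicious login from a less secure app",
        dynamic({"email":"bob@example.com","appName":"legacy-imap-client",
                 "loginDetails":{"ipAddress":"203.0.113.10"}}),
    datetime(2026-05-03T02:30:00Z), "User suspended",
        dynamic({"email":"carol@example.com"})
];
// Same extraction and aggregation as the hunt query, minus the time window.
let PerUser = SampleAlerts
| where AlertType has_any ("Suspicious programmatic login",
                          "Suspicious login from a less secure app")
| extend User = tostring(AlertData.email),
         ClientIp = tostring(AlertData.loginDetails.ipAddress),
         AppName = tostring(coalesce(AlertData.appName, AlertData.applicationName))
| summarize Alerts = count(),
            IPs = make_set(ClientIp, 50),
            Apps = make_set(AppName, 50),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
            by User, AlertType;
// Pivot on source IP: one address generating programmatic-login alerts for several
// users is a stronger signal than any single user's alert count.
PerUser
| mv-expand IP = IPs to typeof(string)
| summarize Users = make_set(User), AlertTypes = make_set(AlertType),
            Apps = make_set(Apps) by IP
| where array_length(Users) > 1
| order by array_length(Users) desc
```

With the sample rows, the first stage yields one row per user (alice with two IPs, bob with one) and the pivot returns only 203.0.113.10, shared by alice and bob; swap `SampleAlerts` for `GWSAlerts_CL` and restore the `ago(14d)` filter to run it for real.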

Details


David Alonso

Released: May 7, 2026

Tables

GWSAlerts_CL

Keywords

GWSAlerts, GoogleWorkspace, OAuth, User, IP, AppName, AlertType, TimeGenerated

Operators

where, has_any, extend, tostring, coalesce, summarize, count, make_set, min, max, order by, desc
