GWS Alerts - Suspicious Programmatic Login (OAuth Abuse)
GWS Alerts Suspicious Programmatic Login
Query
GWSAlerts_CL
| where TimeGenerated > ago(14d)
| where AlertType has_any ("Suspicious programmatic login",
"Suspicious login from a less secure app")
| extend User = tostring(AlertData.email),
ClientIp = tostring(AlertData.loginDetails.ipAddress),
AppName = tostring(coalesce(AlertData.appName, AlertData.applicationName))
| summarize Alerts = count(),
IPs = make_set(ClientIp, 50),
Apps = make_set(AppName, 50),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by User, AlertType
| order by Alerts descExplanation
This query is designed to identify and analyze suspicious programmatic login alerts in Google Workspace, which might indicate issues like token theft or OAuth abuse. Here's a simple breakdown:
-
Purpose: The query hunts for alerts related to suspicious programmatic logins, which could suggest unauthorized access through token theft or misuse of OAuth grants.
-
Data Source: It uses data from Google Workspace alerts (GWSAlerts_CL).
-
Time Frame: It looks at alerts generated in the last 14 days.
-
Alert Types: It focuses on alerts labeled as "Suspicious programmatic login" or "Suspicious login from a less secure app."
-
Data Extraction: For each alert, it extracts:
- User email
- Client IP address
- Application name involved in the alert
-
Aggregation: It summarizes the data by:
- Counting the number of alerts per user and alert type
- Listing up to 50 unique IP addresses and application names associated with each user
- Recording the first and last time each alert type was seen
-
Sorting: The results are ordered by the number of alerts in descending order, highlighting users with the most alerts.
-
Tags and Context: The query is tagged with Google Workspace, OAuth, and GCP Pentest Checklist, indicating its relevance to these areas.
Overall, this query helps security teams identify potential security breaches related to OAuth abuse by analyzing login patterns and alerting on unusual activities.
