A suspicious login attempt flagged by Google Workspace, be it from Cloud Console, Admin Console or gcloud CLI.
Category: Login & Access Patterns
Use Cases: Detect
Data Sources: Workspace Login Audit (Cloud Identity Logs)
| BigQuery | Log Analytics | Google SecOps |
|---|---|---|
| SQL | SQL | YARA-L |
No event generation steps provided. Contribute emulation test to this use case.
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "[email protected]"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {
},
"destinationAttributes": {
}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.loginSuccess",
"resourceName": "organizations/123",
"metadata": {
"activityId": {
"uniqQualifier": "68159791739",
"timeUsec": "1644956823029221"
},
"event": [
{
"eventType": "login",
"eventName": "login_success",
"parameter": [
{
"type": "TYPE_STRING",
"value": "google_password",
"name": "login_type",
"label": "LABEL_OPTIONAL"
},
{
"type": "TYPE_STRING",
"multiStrValue": [
"password"
],
"name": "login_challenge_method",
"label": "LABEL_REPEATED"
},
{
"label": "LABEL_OPTIONAL",
"boolValue": true,
"type": "TYPE_BOOL",
"name": "is_suspicious"
},
{
"label": "LABEL_OPTIONAL",
"name": "dusi",
"type": "TYPE_STRING",
"value": "IPz6z56q5KOAWg"
}
]
}
],
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "81t06te4dnk4",
"resource": {
"type": "audited_resource",
"labels": {
"service": "login.googleapis.com",
"method": "google.login.LoginService.loginSuccess"
}
},
"timestamp": "2022-02-15T20:27:03.029221Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2022-02-15T21:46:30.296228580Z"
}