
Summary
This detection rule identifies successful login attempts to Google Workspace (GSuite) that originate from countries the organization does not expect its users to log in from. The rule searches Google Workspace login audit data in Splunk for successful login events, derives a country from each event's source IP address, and reports the logins whose country is not on an organization-defined allowlist. That allowlist of expected countries must be populated before the rule is deployed: it is what tailors the detection to the organization's operating environment and keeps the false-positive rate manageable. The resulting table contains the timestamp, the user account, the source IP address, the user type, and the country derived from the source IP. The detection maps to the MITRE ATT&CK technique Valid Accounts (T1078), since a successful login from an unexpected location is a common indicator that a legitimate account is being used with stolen credentials. In practice the allowlist needs periodic review, and analysts should expect benign hits from travelling staff, VPN or proxy egress points, and imprecise IP geolocation data; it is also worth confirming how the search treats source addresses for which no country can be resolved, so that such logins are reviewed rather than silently discarded.
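The following Python script is an added, offline model of the detection pipeline described above; it is not the rule's own Splunk search and not code from the detection's authors. It assumes a flat event shape with the fields `_time`, `user`, `src_ip`, `user_type` and `event_name` (the real Workspace login audit records carry more fields and are normalized by the Splunk search), replaces Splunk's IP geolocation with a small constructed CIDR-to-country table over RFC 5737 documentation ranges, and uses an invented two-country allowlist. It also demonstrates one design choice the summary's caveat raises: logins whose country cannot be resolved are reported as "unknown" instead of being dropped by the allowlist comparison.

```python
"""Offline model of the 'successful login from unexpected country' detection.

Added example; field names, sample events, the geolocation table and the
allowlist are all assumptions constructed for this illustration.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample events (not real Workspace log data). The field names are
# assumptions chosen to match the rule's output columns.
SAMPLE_EVENTS = [
    {"_time": "2024-02-09T08:01:12Z", "user": "alice@example.com",
     "src_ip": "192.0.2.10", "user_type": "user", "event_name": "login_success"},
    {"_time": "2024-02-09T08:05:44Z", "user": "bob@example.com",
     "src_ip": "198.51.100.7", "user_type": "admin", "event_name": "login_success"},
    {"_time": "2024-02-09T08:06:01Z", "user": "bob@example.com",
     "src_ip": "203.0.113.99", "user_type": "admin", "event_name": "login_failure"},
    {"_time": "2024-02-09T09:17:30Z", "user": "carol@example.com",
     "src_ip": "203.0.113.42", "user_type": "user", "event_name": "login_success"},
    {"_time": "2024-02-09T09:20:05Z", "user": "dave@example.com",
     "src_ip": "10.1.2.3", "user_type": "user", "event_name": "login_success"},
]

# Constructed stand-in for IP geolocation (the real rule relies on Splunk's
# geolocation of the source IP). The ranges are RFC 5737 documentation
# networks and the country assignments are invented for the example.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "United States",
    ipaddress.ip_network("198.51.100.0/24"): "Canada",
    ipaddress.ip_network("203.0.113.0/24"): "Brazil",
}

# Organization-specific allowlist of expected login countries (assumption).
ALLOWED_COUNTRIES = {"United States", "Canada"}


def lookup_country(ip_text: str) -> Optional[str]:
    """Return the country for an IP address, or None when it cannot be
    geolocated (malformed input, private/reserved space, or any address the
    table does not cover)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net, country in GEO_TABLE.items():
        if ip in net:
            return country
    return None  # private, reserved, or simply unmapped address


def detect_unexpected_country_logins(
    events: Iterable[Dict[str, str]],
    allowlist: Iterable[str],
    geo_lookup: Callable[[str], Optional[str]] = lookup_country,
) -> List[Dict[str, str]]:
    """Keep successful logins, geolocate the source IP, and return the rows
    whose country is outside the allowlist. Allowlist matching is
    case-insensitive. Logins whose country cannot be resolved are kept and
    labelled 'unknown' rather than silently discarded, because a null
    country would otherwise never match a 'not in allowlist' test."""
    allowed = {c.casefold() for c in allowlist}
    hits: List[Dict[str, str]] = []
    for ev in events:
        if ev.get("event_name") != "login_success":
            continue  # failures and other login events are out of scope
        country = geo_lookup(ev["src_ip"])
        if country is not None and country.casefold() in allowed:
            continue  # expected country, nothing to report
        hits.append({
            "_time": ev["_time"],
            "user": ev["user"],
            "src_ip": ev["src_ip"],
            "user_type": ev["user_type"],
            "Country": country if country is not None else "unknown",
        })
    return hits


if __name__ == "__main__":
    for row in detect_unexpected_country_logins(SAMPLE_EVENTS, ALLOWED_COUNTRIES):
        print(row)
```

Run against the constructed events, the script reports two rows: carol's successful login geolocated to Brazil, and dave's successful login from a private address whose country cannot be resolved. Alice and Bob's successful logins fall inside the allowlist, and Bob's failed login is filtered out before geolocation. The "unknown" row is the point of the design choice: in a search that simply filters on `Country` not being in the allowlist, an unresolved country would drop the event, so decide explicitly whether such logins should surface.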
Categories
- Cloud
- GCP
- Identity Management
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1078
Created: 2024-02-09