
Google Workspace Device Registration After OAuth from Suspicious ASN
Elastic Detection Rules
Summary
Detects a two-event sequence in Google Workspace logs in which a user's OAuth authorization for a sensitive Google OAuth client is initiated from a high-risk ASN and is followed within 30 seconds by a device registration event with account_state == REGISTERED. The first event is a google_workspace.token event (event.action: authorize) for a specific client.id (77185425430.apps.googleusercontent.com) originating from one of a set of suspicious source ASNs; the second is a google_workspace.device event indicating that a device was registered. The correlation (sequence by user.name, maxspan=30s) signals possible attacker-controlled enrollment after user consent, for example from a residential proxy or similar suspicious infrastructure.

The rule is mapped to MITRE ATT&CK techniques T1098 (Device Registration) and T1566 (Phishing), with sub-techniques T1098.005 (Device Registration) and T1566.002 (Spearphishing Link), under the Persistence and Initial Access tactics.

It relies on ingestion of the Google Workspace audit streams google_workspace.token and google_workspace.device and is designed for environments using the Google Workspace Fleet integration or an equivalent module. The included triage guidance helps verify user intent, assess the legitimacy of the OAuth client and the ASN, and decide whether remediation steps such as revoking OAuth grants, removing unauthorized devices, or restricting device enrollment are required. The note also points out that Google Workspace audit data can lag, so operators may need to widen the lookback window and adjust the polling interval to capture delayed sequences.
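The correlation the rule performs, as an added example that is not the rule's own EQL or any Elastic code: a small Python re-implementation of the two-leg sequence (authorize from a suspicious ASN, then a REGISTERED device event for the same user.name within 30 seconds) run over constructed Google Workspace events. The flattened ECS-style field names and the suspicious ASN set are assumptions, since the page does not reproduce the rule's field list or ASN values.

```python
from datetime import datetime, timedelta

# Values taken from the rule description; the ASN set is a constructed placeholder.
SENSITIVE_CLIENT_ID = "77185425430.apps.googleusercontent.com"
SUSPICIOUS_ASNS = {64496, 64497}   # placeholders from the RFC 5398 documentation range
MAXSPAN = timedelta(seconds=30)

def _ts(ev):
    return datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))

def is_suspicious_authorize(ev):
    """First leg: OAuth authorize for the sensitive client from a high-risk ASN."""
    return (ev.get("event.dataset") == "google_workspace.token"
            and ev.get("event.action") == "authorize"
            and ev.get("google_workspace.token.client.id") == SENSITIVE_CLIENT_ID
            and ev.get("source.as.number") in SUSPICIOUS_ASNS)

def is_device_registered(ev):
    """Second leg: a device registration that completed."""
    return (ev.get("event.dataset") == "google_workspace.device"
            and ev.get("google_workspace.device.account_state") == "REGISTERED")

def find_sequences(events):
    """Emulate `sequence by user.name with maxspan=30s`; return (authorize, device) pairs."""
    pending, matches = {}, []          # pending: user.name -> latest qualifying authorize
    for ev in sorted(events, key=_ts):  # stable sort keeps ingest order for equal timestamps
        user = ev.get("user.name")
        if is_suspicious_authorize(ev):
            pending[user] = ev
        elif is_device_registered(ev) and user in pending:
            if timedelta(0) <= _ts(ev) - _ts(pending[user]) <= MAXSPAN:
                matches.append((pending.pop(user), ev))  # one alert per authorize
    return matches

# Constructed sample events using ECS-style flattened field names (assumed, not from the page).
def _tok(user, ts, asn, client=SENSITIVE_CLIENT_ID):
    return {"@timestamp": ts, "event.dataset": "google_workspace.token", "event.action": "authorize",
            "user.name": user, "google_workspace.token.client.id": client, "source.as.number": asn}

def _dev(user, ts, state="REGISTERED"):
    return {"@timestamp": ts, "event.dataset": "google_workspace.device",
            "user.name": user, "google_workspace.device.account_state": state}

SAMPLE_EVENTS = [
    _tok("alice", "2026-05-15T10:00:00Z", 64496), _dev("alice", "2026-05-15T10:00:20Z"),  # 20s apart -> alert
    _tok("bob", "2026-05-15T10:00:00Z", 64500), _dev("bob", "2026-05-15T10:00:05Z"),      # benign ASN -> no alert
    _tok("carol", "2026-05-15T10:00:00Z", 64497), _dev("carol", "2026-05-15T10:01:00Z"),  # 60s apart -> outside maxspan
    _tok("dave", "2026-05-15T10:00:00Z", 64496, client="other.apps.googleusercontent.com"),
    _dev("dave", "2026-05-15T10:00:10Z"),                                                  # other OAuth client -> no alert
]
```

Only the alice pair survives; the carol pair shows why the lag note matters, since a delayed device event can push a genuine sequence past maxspan unless the lookback and polling settings account for it.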
Categories
- Cloud
Data Sources
- Cloud Service
ATT&CK Techniques
- T1098
- T1098.005
- T1566
- T1566.002
Created: 2026-05-15