
New Google Workspace rules

Open Luke57 opened this issue 8 months ago • 9 comments

Summary of the Pull Request

Adds a new Sigma rule that detects suspicious login activity within Google Workspace environments as classified by Google. The rule matches on specific eventName values (suspicious_login, suspicious_login_less_secure_app, and suspicious_programmatic_login) recorded in the login.googleapis.com service.

These log events indicate potentially malicious or unusual login attempts, such as from less secure apps, programmatic access, or abnormal login behavior. The rule supports detection of possible Initial Access techniques, specifically aligning with MITRE ATT&CK technique T1078 (Valid Accounts).

Changelog

- new: Google Workspace Government Attack Warning
- new: Google Workspace Out Of Domain Email Forwarding
- new: Suspicious Login Activity Classified By Google

Example Log Event

```json
{
    "insertId": "-778d70d2n5b",
    "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {},
        "metadata": {
            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
            "activityId": {
                "timeUsec": "1620095181000000",
                "uniqQualifier": "-2034771694824799453"
            },
            "event": [
                {
                    "eventName": "suspicious_login_less_secure_app",
                    "eventType": "account_warning",
                    "parameter": [
                        {
                            "label": "LABEL_OPTIONAL",
                            "name": "affected_email_address",
                            "type": "TYPE_STRING",
                            "value": "[email protected]"
                        }
                    ],
                    "status": {
                        "success": true
                    }
                }
            ]
        },
        "methodName": "google.login.LoginService.suspiciousLoginLessSecureApp",
        "requestMetadata": {
            "callerIp": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
        },
        "resourceName": "organizations/123",
        "serviceName": "login.googleapis.com"
    },
    "receiveTimestamp": "2021-05-04T02:56:23.806722355Z",
    "resource": {
        "labels": {
            "method": "google.login.LoginService.suspiciousLoginLessSecureApp",
            "service": "login.googleapis.com"
        },
        "type": "audited_resource"
    },
    "severity": "NOTICE",
    "timestamp": "2021-05-04T02:26:21Z"
}
```

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

Luke57 avatar May 07 '25 16:05 Luke57

Not to come across as rushed, but what is actually the usual time from the time of opening a pull request to the final merge? Thanks in advance!

Luke57 avatar May 22 '25 09:05 Luke57

It depends on the workload. It's simply best effort.

phantinuss avatar May 22 '25 12:05 phantinuss

Thanks for the response and your dedication as admins for Sigma!

Luke57 avatar May 22 '25 12:05 Luke57

Please have a look at other `product: gcp` rules. You need to traverse the JSON object for each field to access it. Also, I don't see an eventService in the example log.

phantinuss avatar May 22 '25 12:05 phantinuss

My bad, thanks!

Luke57 avatar May 22 '25 13:05 Luke57

I don't see the eventService field in the example logs. I have to trust you on that/that it works. I'd prefer an example log that at least is matched by one of the rules. The current example log isn't matched by any of them. If you say you tested the rules and they work, I will merge. But if you didn't test them, please do so. I don't have access to gcp.

phantinuss avatar May 23 '25 07:05 phantinuss

I definitely tested the rules. Thanks for the recommendations. For completeness, I have put down a sample log of the “email forwarding” rule below.

```json
{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "[email protected]"
    },
    "requestMetadata": {
      "callerIp": "203.0.113.255",
      "requestAttributes": {},
      "destinationAttributes": {}
    },
    "serviceName": "login.googleapis.com",
    "methodName": "google.login.LoginService.emailForwardingOutOfDomain",
    "resourceName": "organizations/123",
    "metadata": {
      "activityId": {
        "uniqQualifier": "-5683698025624301037",
        "timeUsec": "1632501152256000"
      },
      "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
      "event": [
        {
          "eventName": "email_forwarding_out_of_domain",
          "status": {
            "success": true
          },
          "parameter": [
            {
              "name": "dusi",
              "type": "TYPE_STRING",
              "value": "INfDlrzP9IH8_QE",
              "label": "LABEL_OPTIONAL"
            },
            {
              "type": "TYPE_STRING",
              "label": "LABEL_OPTIONAL",
              "value": "[email protected]",
              "name": "email_forwarding_destination_address"
            }
          ],
          "eventType": "email_forwarding_change"
        }
      ]
    }
  },
  "insertId": "rrcp9gd3y2f",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "method": "google.login.LoginService.emailForwardingOutOfDomain",
      "service": "login.googleapis.com"
    }
  },
  "timestamp": "2021-09-24T16:32:32.256Z",
  "severity": "NOTICE",
  "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2021-09-24T16:32:33.319260836Z"
}
```

Luke57 avatar May 26 '25 08:05 Luke57

@Luke57 I am waiting for a second review. Rerequesting a review from me won't help as I already approved, sorry :)

phantinuss avatar Jul 08 '25 11:07 phantinuss

Sorry, I clicked on something, I think.

Luke57 avatar Jul 08 '25 15:07 Luke57