LoFP / A user legitimately enrolling a new personal or corporate device (new laptop, replacement phone, BYOD enrollment). Validate by confirming that the device registration timing aligns with a known device refresh, IT hardware ticket, or onboarding event.

Techniques

Sample rules

Google Workspace User Sign-in from Atypical Device Type

Description

Detects the first time a Google Workspace user is observed authenticating from a device of a given type (e.g., WINDOWS, MAC, ANDROID, IOS, LINUX) within a historical window.

Note that “DEVICE_REGISTER_UNREGISTER_EVENT” events do not represent one-time physical device enrollments: the Google Reports API emits a fresh “google_workspace.device.id” on each event, and the same physical device may produce multiple events per day as sessions and sync renewals occur. The rule therefore surfaces a user authenticating from a new device type, not a new physical device.

This is still high-fidelity because adversaries who compromise a Workspace identity via AiTM kits or stolen OAuth refresh tokens frequently relay sessions from device types that diverge from the legitimate user’s baseline (e.g., a WINDOWS session appearing for a known macOS user, or simultaneous WINDOWS+MAC sessions within minutes), which is the canonical kit fingerprint. Because the underlying token retains access after password rotation, treat unexpected device-type divergence as a compromise indicator and revoke tokens, not just credentials.

Detection logic

data_stream.dataset: "google_workspace.device" and
event.action: "DEVICE_REGISTER_UNREGISTER_EVENT" and
google_workspace.device.account_state: "REGISTERED" and
google_workspace.device.type: * and
user.email: *
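The following is an added worked example of the rule's logic, not code from the page or from the rule's author. It applies the filter above to constructed sample events and raises an alert when a (user.email, google_workspace.device.type) pair has not been seen within a historical window, which is how the description says the rule behaves; a second function flags the "two device types within minutes" pattern the description names as the kit fingerprint. The 30-day window, the 15-minute threshold, the baseline cutoff and all event data are assumptions constructed for the example. Note that it reproduces both the desired behaviour (distinct device ids of the same type never alert, a new type does) and the benign case from the LoFP entry (a newly onboarded user's first enrollment alerts too).

```python
from datetime import datetime, timedelta

# Field names mirror the ECS / google_workspace.* fields in the rule above.
DATASET = "google_workspace.device"
ACTION = "DEVICE_REGISTER_UNREGISTER_EVENT"


def _event(ts, user, dev_type, dev_id, state="REGISTERED", action=ACTION):
    """Build one constructed Reports API-style event as a flat ECS-keyed dict."""
    return {
        "@timestamp": ts,
        "data_stream.dataset": DATASET,
        "event.action": action,
        "google_workspace.device.account_state": state,
        "google_workspace.device.type": dev_type,
        "google_workspace.device.id": dev_id,  # changes on every event, even for one physical device
        "user.email": user,
    }


# Constructed sample events (not real Google Workspace data).
SAMPLE_EVENTS = [
    _event("2024-02-10T08:00:00Z", "alice@example.com", "MAC", "dev-0001"),
    _event("2024-02-11T08:05:00Z", "alice@example.com", "MAC", "dev-0002"),  # same laptop, new id
    _event("2024-02-12T08:00:00Z", "alice@example.com", "MAC", "dev-0003", state="UNREGISTERED"),
    _event("2024-03-05T10:00:00Z", "alice@example.com", "MAC", "dev-0004"),
    _event("2024-03-05T10:07:00Z", "alice@example.com", "WINDOWS", "dev-0005"),  # new type, minutes apart
    _event("2024-02-01T07:00:00Z", "bob@example.com", "ANDROID", "dev-0100"),
    _event("2024-03-20T09:30:00Z", "bob@example.com", "ANDROID", "dev-0101"),  # type aged out of window
    _event("2024-03-09T12:00:00Z", "carol@example.com", "IOS", "dev-0200", action="DEVICE_SYNC_EVENT"),
    _event("2024-03-10T12:00:00Z", "carol@example.com", "LINUX", "dev-0201"),  # brand-new user (onboarding)
]


def _matches(ev):
    """The rule's filter: dataset, action, REGISTERED state, and device.type / user.email present."""
    return (
        ev.get("data_stream.dataset") == DATASET
        and ev.get("event.action") == ACTION
        and ev.get("google_workspace.device.account_state") == "REGISTERED"
        and bool(ev.get("google_workspace.device.type"))
        and bool(ev.get("user.email"))
    )


def _ts(ev):
    return datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))


def atypical_device_type_alerts(events, window_days=30, baseline_until=None):
    """Return (user, device type, timestamp) for events whose (user, type) pair was not
    seen within window_days. Events before baseline_until only seed history (they model
    the historical window that already exists when the rule is deployed)."""
    cutoff = datetime.fromisoformat(baseline_until.replace("Z", "+00:00")) if baseline_until else None
    window = timedelta(days=window_days)
    last_seen = {}  # (user, type) -> most recent timestamp
    alerts = []
    for ev in sorted(filter(_matches, events), key=_ts):
        key = (ev["user.email"], ev["google_workspace.device.type"])
        ts = _ts(ev)
        prev = last_seen.get(key)
        is_new_term = prev is None or ts - prev > window
        if is_new_term and (cutoff is None or ts >= cutoff):
            alerts.append((key[0], key[1], ev["@timestamp"]))
        last_seen[key] = ts
    return alerts


def concurrent_device_types(events, max_minutes=15):
    """Flag users seen on two different device types within max_minutes of each other,
    the WINDOWS+MAC-within-minutes pattern from the description."""
    by_user = {}
    for ev in sorted(filter(_matches, events), key=_ts):
        by_user.setdefault(ev["user.email"], []).append(ev)
    hits = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            type_a = a["google_workspace.device.type"]
            type_b = b["google_workspace.device.type"]
            if type_a != type_b and _ts(b) - _ts(a) <= timedelta(minutes=max_minutes):
                hits.append((user, type_a, type_b))
    return hits


if __name__ == "__main__":
    for alert in atypical_device_type_alerts(SAMPLE_EVENTS, baseline_until="2024-03-01T00:00:00Z"):
        print("new device type:", alert)
    for hit in concurrent_device_types(SAMPLE_EVENTS):
        print("concurrent device types:", hit)
```

With the baseline cutoff set, alice's MAC events never alert despite three different device ids, her WINDOWS session does, carol's first LINUX enrollment alerts (the legitimate onboarding case to validate against a ticket), and bob's ANDROID re-alerts only because his previous observation fell outside the 30-day window; widening the window to 60 days suppresses that last one. The concurrent check independently surfaces alice's MAC and WINDOWS sessions seven minutes apart.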