a user simultaneously enrolling multiple workspace-aware apps on a new device (e.g., first-time setup of gmail, drive, calendar, and meet on a new laptop in a short window) may produce three or more distinct device ids in a minute. validate by checking whether the burst is tied to a fresh device or onboarding event.

Techniques

Sample rules

Google Workspace Device Registration Burst for Single User

source: elastic
technicques:
- T1078
- T1098
- T1557

Description

Detects bursts of Google Workspace device registration events for the same user, where three or more distinct “google_workspace.device.id” values are emitted in a one-minute window. Although “DEVICE_REGISTER_UNREGISTER_EVENT” fires routinely on session/sync registration and is not a true physical device enrollment, legitimate user activity typically produces fewer than three distinct device IDs in a single minute. A high-cardinality burst is the fingerprint behavior of AiTM phishing-kit relays (Tycoon2FA Google variant, EvilGinx phishlets) and stolen-OAuth-token replay tooling, both of which mint a new session attestation per relay or replay attempt.

Detection logic

from logs-google_workspace.device-*
| where event.dataset == "google_workspace.device"
    and event.action == "DEVICE_REGISTER_UNREGISTER_EVENT"
    and google_workspace.device.account_state == "REGISTERED"
    and user.email is not null
    and google_workspace.device.id is not null

| eval Esql.bucket_minute = date_trunc(1 minute, @timestamp)

| stats
        Esql.count_distinct_device_id = count_distinct(google_workspace.device.id),
        Esql.device_id_values = values(google_workspace.device.id),
        Esql.device_resource_id_values = values(google_workspace.device.resource.id),
        Esql.device_type_values = values(google_workspace.device.type),
        Esql.device_model_values = values(google_workspace.device.model),
        Esql.device_account_state_values = values(google_workspace.device.account_state),
        Esql.host_os_version_values = values(host.os.version),
        Esql.event_provider_values = values(event.provider),
        Esql.event_id_values = values(event.id),
        Esql.google_workspace_actor_type_values = values(google_workspace.actor.type),
        Esql.google_workspace_event_type_values = values(google_workspace.event.type),
        Esql.organization_id_values = values(organization.id),
        Esql.user_domain_values = values(user.domain),
        Esql.timestamp_first_seen = min(@timestamp),
        Esql.timestamp_last_seen = max(@timestamp),
        Esql.event_count = count(*)
    by user.id, user.email, user.name, Esql.bucket_minute

| where Esql.count_distinct_device_id >= 3

| keep user.id,
        user.email,
        user.name,
        Esql.bucket_minute,
        Esql.timestamp_first_seen,
        Esql.timestamp_last_seen,
        Esql.count_distinct_device_id,
        Esql.event_count,
        Esql.device_id_values,
        Esql.device_resource_id_values,
        Esql.device_type_values,
        Esql.device_model_values,
        Esql.device_account_state_values,
        Esql.host_os_version_values,
        Esql.event_provider_values,
        Esql.event_id_values,
        Esql.google_workspace_actor_type_values,
        Esql.google_workspace_event_type_values,
        Esql.organization_id_values,
        Esql.user_domain_values