Techniques
Sample rules
Google Workspace User Login with Unusual ASN
- source: elastic
- techniques:
- T1078
- T1528
- T1557
Description
Detects the first time a Google Workspace user successfully signs in, or authorizes an OAuth token, from a given source ASN within a 14-day historical window. The query below selects the candidate events; the first-seen comparison is made on the (user.email, source.as.number) pair, not on the ASN alone. Most users have a stable set of egress ASNs (home ISP, corporate VPN, mobile carrier), so a previously unseen pair is a meaningful anomaly. Benign causes such as ISP changes and travel will account for most matches, but the same signal catches AiTM phishing-kit relays, whose egress ASN was never previously associated with the user. Events without ASN enrichment (no source.as.number) never match, so the rule depends on GeoIP/ASN enrichment being applied to the login and token datasets.
Detection logic
data_stream.dataset: ("google_workspace.login" or "google_workspace.token") and
event.action: ("login_success" or "authorize") and
source.as.number: * and
user.email: *
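The following is an added example, not part of the original rule or Elastic's code, showing the rule's logic run over constructed sample events: the KQL filter above is mirrored in matches_query, and the 14-day first-seen comparison is applied to each (user.email, source.as.number) pair, as the description states. Field names follow ECS dotted keys; the events and the ASNs (taken from the RFC 5398 documentation range) are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real Google Workspace logs). ASNs 64496-64499 are
# from the documentation range and do not identify real providers.
SAMPLE_EVENTS = [
    # alice's first sighting from AS64498 within the window: alerts
    {"@timestamp": "2024-05-01T08:00:00Z", "data_stream.dataset": "google_workspace.login",
     "event.action": "login_success", "user.email": "alice@example.com", "source.as.number": 64498},
    # same pair two days later: suppressed
    {"@timestamp": "2024-05-03T09:15:00Z", "data_stream.dataset": "google_workspace.login",
     "event.action": "login_success", "user.email": "alice@example.com", "source.as.number": 64498},
    # OAuth grant from the same ASN via the token dataset: suppressed, but refreshes last-seen
    {"@timestamp": "2024-05-04T10:00:00Z", "data_stream.dataset": "google_workspace.token",
     "event.action": "authorize", "user.email": "alice@example.com", "source.as.number": 64498},
    # alice from an ASN never seen for her (the AiTM-relay case): alerts
    {"@timestamp": "2024-05-05T11:30:00Z", "data_stream.dataset": "google_workspace.login",
     "event.action": "login_success", "user.email": "alice@example.com", "source.as.number": 64496},
    # failed login: excluded by the event.action filter
    {"@timestamp": "2024-05-05T11:31:00Z", "data_stream.dataset": "google_workspace.login",
     "event.action": "login_failure", "user.email": "alice@example.com", "source.as.number": 64497},
    # no ASN enrichment: excluded by the source.as.number:* filter
    {"@timestamp": "2024-05-05T12:00:00Z", "data_stream.dataset": "google_workspace.login",
     "event.action": "login_success", "user.email": "alice@example.com", "source.as.number": None},
    # bob from AS64496: alerts, because the term is the (user, ASN) pair, not the ASN alone
    {"@timestamp": "2024-05-06T07:00:00Z", "data_stream.dataset": "google_workspace.login",
     "event.action": "login_success", "user.email": "bob@example.com", "source.as.number": 64496},
    # alice back on AS64498 sixteen days after the last sighting: window expired, alerts again
    {"@timestamp": "2024-05-20T08:00:00Z", "data_stream.dataset": "google_workspace.login",
     "event.action": "login_success", "user.email": "alice@example.com", "source.as.number": 64498},
]

# Assumed history window, matching the 14 days stated in the rule description.
HISTORY_WINDOW = timedelta(days=14)


def parse_ts(value):
    """Parse the UTC ISO-8601 timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def matches_query(event):
    """The rule's KQL filter, evaluated over one event."""
    return (
        event.get("data_stream.dataset") in ("google_workspace.login", "google_workspace.token")
        and event.get("event.action") in ("login_success", "authorize")
        and event.get("source.as.number") is not None
        and event.get("user.email") is not None
    )


def find_new_asn_logins(events, window=HISTORY_WINDOW):
    """Return events whose (user.email, source.as.number) pair was not seen within `window`."""
    last_seen = {}  # (email, asn) -> timestamp of the most recent matching event
    alerts = []
    for event in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(event):
            continue
        ts = parse_ts(event["@timestamp"])
        key = (event["user.email"].lower(), event["source.as.number"])
        previous = last_seen.get(key)
        if previous is None or ts - previous > window:
            alerts.append(event)
        last_seen[key] = ts
    return alerts


def alert_summary(events, window=HISTORY_WINDOW):
    """Compact (timestamp, user, asn) tuples for the events that would alert."""
    return [(e["@timestamp"], e["user.email"], e["source.as.number"])
            for e in find_new_asn_logins(events, window)]


if __name__ == "__main__":
    for ts, user, asn in alert_summary(SAMPLE_EVENTS):
        print(f"{ts} new ASN {asn} for {user}")
```

Two points the run makes visible: a pair that falls out of the history window alerts again when it returns, which is the expected travel and ISP-change noise, and an ASN already common for one user still alerts the first time another user appears from it, so a shared relay host produces one alert per victim rather than one in total.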