LoFP

Google's risk engine occasionally flags legitimate sign-ins as suspicious: the user is on a new device, the egress is a VPN exit that geo-resolves to a different region than usual, or the sign-in is the first after an extended absence. Validate by checking the user's recent sign-in history (same source IP or device on earlier successful, unflagged logins) and confirming with the user before treating the event as an incident.

Techniques

Sample rules

Google Workspace Login Flagged Suspicious

Description

Surfaces Google Workspace sign-in events that Google's identity risk engine has flagged as suspicious via the is_suspicious field on the login activity record. This is Google's own ML-driven sign-in risk signal. The field is set server-side by Google based on signals such as sign-ins from anonymizer infrastructure, known-malicious IP ranges, atypical user characteristics, or anomalous device fingerprints. The flag reflects Google's judgement at the time of the event; its absence is not evidence that a sign-in was legitimate. Use this signal as enrichment alongside the other Workspace sign-in rules rather than as a standalone alert. This rule is a building block: it does not generate user-facing alerts by default, but its hits are tagged via signal.rule.building_block_type so correlation rules and analyst pivots can consume them.

Detection logic

data_stream.dataset: "google_workspace.login" and
    event.provider: "login" and
    google_workspace.login.is_suspicious: true
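The following is an added example, not code from the page or from the Elastic rule set: it evaluates the three KQL terms above over constructed Google Workspace login documents and then applies the LoFP check from the top of the page (has the same user signed in cleanly from the same source IP recently?). The fields beyond those named in the rule (user.email, source.ip, event.action, google_workspace.login.type) are assumed ECS-style names, and every sample event is constructed.

```python
from datetime import datetime, timedelta, timezone


def get_path(doc, path):
    """Resolve a dotted ECS-style path ("google_workspace.login.is_suspicious")
    against a nested dict. Returns None when any segment is missing."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(doc):
    """The three AND-ed terms of the rule's KQL. is_suspicious is a boolean
    field in the integration mapping, so the check is for a real True, not the
    string "true" (Elasticsearch would coerce that on ingest; here it stays strict)."""
    return (
        get_path(doc, "data_stream.dataset") == "google_workspace.login"
        and get_path(doc, "event.provider") == "login"
        and get_path(doc, "google_workspace.login.is_suspicious") is True
    )


def _ts(doc):
    return datetime.fromisoformat(doc["@timestamp"]).replace(tzinfo=timezone.utc)


def triage(flagged, history, lookback_days=30):
    """LoFP check for one flagged sign-in: look for an earlier successful,
    non-suspicious sign-in by the same user from the same source IP within the
    lookback window. Returns (verdict, reason)."""
    email = get_path(flagged, "user.email")
    ip = get_path(flagged, "source.ip")
    since = _ts(flagged) - timedelta(days=lookback_days)
    prior = [
        h for h in history
        if get_path(h, "user.email") == email
        and get_path(h, "event.action") == "login_success"   # assumed action value
        and get_path(h, "google_workspace.login.is_suspicious") is not True
        and since <= _ts(h) < _ts(flagged)
    ]
    same_ip = [h for h in prior if get_path(h, "source.ip") == ip]
    if same_ip:
        return "likely_benign", f"{len(same_ip)} prior clean sign-in(s) from {ip} in last {lookback_days}d"
    if not prior:
        return "review", f"no clean sign-ins for {email} in last {lookback_days}d (extended absence or new account)"
    return "review", f"{ip} not seen in {len(prior)} prior clean sign-in(s); confirm with user"


def run(events):
    """Apply the rule to every event, then triage each hit against the full history."""
    return [
        (get_path(e, "user.email"), *triage(e, events))
        for e in events if matches_rule(e)
    ]


def _login(ts, email, ip, suspicious, action="login_success", dataset="google_workspace.login"):
    """Build a constructed Google Workspace login document (not real log data)."""
    return {
        "@timestamp": ts,
        "data_stream": {"dataset": dataset},
        "event": {"provider": "login", "action": action},
        "user": {"email": email},
        "source": {"ip": ip},
        "google_workspace": {"login": {"is_suspicious": suspicious, "type": "google_password"}},
    }


SAMPLE_EVENTS = [
    # alice: clean sign-in from the usual egress, then a flagged one from the same IP
    _login("2024-03-01T08:00:00", "alice@example.com", "198.51.100.7", False),
    _login("2024-03-12T07:55:00", "alice@example.com", "198.51.100.7", True),
    # bob: no prior history in the window, flagged from an IP never seen before
    _login("2024-03-12T03:10:00", "bob@example.com", "203.0.113.9", True),
    # same boolean but in the admin dataset: must not match the rule
    _login("2024-03-12T09:00:00", "carol@example.com", "198.51.100.7", True, dataset="google_workspace.admin"),
    # string "true" instead of a boolean: must not match the strict check
    _login("2024-03-12T09:05:00", "dave@example.com", "198.51.100.7", "true"),
]

if __name__ == "__main__":
    for email, verdict, reason in run(SAMPLE_EVENTS):
        print(f"{email}: {verdict} ({reason})")
```

The triage deliberately keys on a prior clean sign-in from the same IP rather than on geography, because the VPN case in the LoFP note is exactly the one where geo-resolution misleads; swap in a device identifier if your pipeline carries one, and treat "no history at all" as a pivot to the user rather than an automatic close.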