Techniques
Sample rules
Suspicious Login Activity Classified By Google
- source: sigma
- techniques:
  - t1078
  - t1078.004
Description
Detects Google Workspace login activity that’s classified as suspicious by Google.
Detection logic
condition: selection
selection:
  protoPayload.Servicename: login.googleapis.com
  protoPayload.metadata.event.eventName:
    - suspicious_login_less_secure_app
    - suspicious_login
    - suspicious_programmatic_login