Google Workspace Government Attack Warning

Rule Info

Name
Google Workspace Government Attack Warning
Author
Tom Kluter
Description
Detects a login attempt in Google Workspace flagged as a potential attack by a government-backed threat actor
Reference
https://cloud.google.com/logging/docs/audit/gsuite-audit-logging
Date
2026-04-28 00:00:00
Modified
None
Id
eafe6f2b-cfec-4612-aec2-49563c33a087
Tags
attack.privilege-escalation attack.persistence attack.initial-access attack.impact attack.stealth attack.t1078
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=eafe6f2b-cfec-4612-aec2-49563c33a087

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #5966 from @nasbench - Update mitre tags to use attack v19
2026-04-29
34c5d66c2
Tom Kluter
Merge PR #5409 from @Luke57 - Add New Google Workspace Related Rules
2026-04-28
c8f207d39
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022