
GSuites_Unapproved_Login_Type

ID: 100106

Description:

Gsuites login attempt of unapproved type

Repository:

Group: GSuites

Type: event

Default Status:

Enabled

Tags:
gsuites
 

Selector:

Query:

Filters:

| Field | MUST hit |
| :--- | :--- |
| @sender | gsuites |

| Field | MUST NOT hit |
| :--- | :--- |
| @gsuites.event.parameters.login_type | exchange, google_password, reauth, saml, unknown |

Behavior Rule:

| Key | Type | Behavior | Category |
| :--- | :--- | :--- | :--- |
| @gsuites.actor.email | username | account | login |

Risks:

| Risks | Base Score | Dimension |
| :--- | :--- | :--- |
| Timeline | 0 | - |

Attributes:

| Alias | Key |
| :--- | :--- |
| IP | @gsuites._ip |
| City | @gsuites._ip.city |
| Country | @gsuites._ip.country |
| UserEmail | @gsuites.actor.email |
| LoginType | @gsuites.event.parameters.login_type |

Correlation Rules:

First Occurrence:

| Name | Window | Fields |
| :--- | :--- | :--- |
| New_User | 2 days | @gsuites.actor.email |
| New_City | 2 days | @gsuites._ip.city |
| New_Country | 2 days | @gsuites._ip.country |

History:

| User | Date |
| :--- | :--- |
| - | - |

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)