GSuites_Unapproved_Login_Type
ID: 100106
Description:
Gsuites login attempt of unapproved type
Repository: Group: GSuites Type: event
Default Status:
Enabled
| Tags: |
|---|
| gsuites |
Selector:
Query:
Filters:
| Field | MUST hit |
|---|---|
| @sender | gsuites |
| Field | MUST NOT hit |
|---|---|
| @gsuites.event.parameters.login_type | exchange |
| google_password | |
| reauth | |
| saml | |
| unknown |
Behavior Rule:
| Key | Type | Behavior Category |
|---|---|---|
| @gsuites.actor.email | username | account login |
Risks:
| Risks | Base Score | Dimension |
|---|---|---|
| Timeline | 0 | - |
Attributes:
| Alias | Key |
|---|---|
| IP | @gsuites._ip |
| City | @gsuites._ip.city |
| Country | @gsuites._ip.country |
| UserEmail | @gsuites.actor.email |
| LoginType | @gsuites.event.parameters.login_type |
Correlation Rules:
First Occurrence:
| Name | Window | Fields |
|---|---|---|
| New_User | 2 days | @gsuites.actor.email |
| New_City | 2 days | @gsuites._ip.city |
| New_Country | 2 days | @gsuites._ip.country |
History:
| User | Date | | :— | :— | | — | — |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)