Google Workspace Device Registration After OAuth from Suspicious ASN

Last updated: 2026-05-15
Created: 2026-05-15

About

Detects when a Google Workspace account completes OAuth authorization for a specific Google OAuth client from a high-risk autonomous system number (ASN), followed within 30 seconds by a device registration event with account state REGISTERED. This sequence can indicate device enrollment or join flows initiated from attacker-controlled or residential-proxy infrastructure after a user authorizes a sensitive client.
Tags
Domain: Cloud
Data Source: Google Workspace
Use Case: Threat Detection
Tactic: Persistence
Tactic: Initial Access
Threat: Tycoon2FA
Language: eql
Severity
high
Risk Score
73
MITRE ATT&CK™

Persistence (TA0003)

Initial Access (TA0001)

False Positive Examples
Users on VPNs, carrier NAT, or cloud egress that map to flagged ASNs may match. Legitimate bulk enrollment or scripted onboarding that uses the same OAuth client can also produce the sequence. Baseline `source.as.organization.name` and successful registration sources before adding exclusions.
License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-google_workspace*
Related Integrations

google_workspace

Query
sequence by user.name with maxspan=30s
  [iam where data_stream.dataset == "google_workspace.token" and
       event.action == "authorize" and
       google_workspace.token.client.id == "77185425430.apps.googleusercontent.com" and
       source.as.number in (9009, 45102, 215540, 29802, 62240, 204957, 395092)]
  [any where data_stream.dataset == "google_workspace.device" and
       google_workspace.device.account_state == "REGISTERED"]
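To make the sequence semantics concrete (same user.name, device stage at or after the token stage, gap within 30 seconds), here is an added Python re-implementation of the rule's correlation run over constructed sample events. It is example code, not Elastic's rule engine or any part of the prebuilt rule; the client ID and ASN list are taken from the query above, the event dictionaries are constructed for illustration, and the `excluded_as_orgs` parameter is an assumed tuning knob standing in for the `source.as.organization.name` baselining suggested under False Positive Examples.

```python
"""Added example: stand-alone model of the rule's EQL sequence over sample events.

Not Elastic's engine and not part of the prebuilt rule; events are constructed.
"""
from datetime import datetime, timedelta, timezone

FLAGGED_ASNS = {9009, 45102, 215540, 29802, 62240, 204957, 395092}  # from the rule
SENSITIVE_CLIENT_ID = "77185425430.apps.googleusercontent.com"      # from the rule
MAXSPAN = timedelta(seconds=30)                                      # maxspan=30s


def is_oauth_authorize_from_flagged_asn(ev):
    """Stage 1: token authorize for the sensitive client from a flagged ASN."""
    return (
        ev.get("data_stream.dataset") == "google_workspace.token"
        and ev.get("event.action") == "authorize"
        and ev.get("google_workspace.token.client.id") == SENSITIVE_CLIENT_ID
        and ev.get("source.as.number") in FLAGGED_ASNS
    )


def is_device_registered(ev):
    """Stage 2: device event whose account state is REGISTERED."""
    return (
        ev.get("data_stream.dataset") == "google_workspace.device"
        and ev.get("google_workspace.device.account_state") == "REGISTERED"
    )


def correlate(events, maxspan=MAXSPAN, excluded_as_orgs=frozenset()):
    """Return (user.name, t_authorize, t_register) for each completed sequence.

    Mirrors `sequence by user.name with maxspan=30s`: both stages share
    user.name, stage 2 is at or after stage 1, and the gap is within maxspan.
    `excluded_as_orgs` is an assumed knob (not in the rule) that drops stage-1
    events from baselined source.as.organization.name values.
    """
    pending = {}  # user.name -> timestamp of the latest open stage-1 event
    hits = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        user, ts = ev.get("user.name"), ev["@timestamp"]
        if is_oauth_authorize_from_flagged_asn(ev):
            if ev.get("source.as.organization.name") in excluded_as_orgs:
                continue
            pending[user] = ts  # a newer authorize restarts the sequence
        elif is_device_registered(ev) and user in pending:
            t0 = pending[user]
            if timedelta(0) <= ts - t0 <= maxspan:
                hits.append((user, t0, ts))
                del pending[user]  # one alert per authorize event
    return hits


def _t(seconds):
    """Constructed timestamps relative to an arbitrary base."""
    return datetime(2026, 5, 15, 12, 0, 0, tzinfo=timezone.utc) + timedelta(seconds=seconds)


def _token(user, at, asn, org="ExampleHosting (constructed)", client=SENSITIVE_CLIENT_ID):
    return {"@timestamp": at, "user.name": user,
            "data_stream.dataset": "google_workspace.token", "event.action": "authorize",
            "google_workspace.token.client.id": client,
            "source.as.number": asn, "source.as.organization.name": org}


def _device(user, at, state="REGISTERED"):
    return {"@timestamp": at, "user.name": user,
            "data_stream.dataset": "google_workspace.device",
            "google_workspace.device.account_state": state}


# Constructed sample events (not real Workspace logs).
SAMPLE_EVENTS = [
    _token("alice@example.com", _t(0), 9009),      # flagged ASN ...
    _device("alice@example.com", _t(12)),          # ... REGISTERED 12s later -> hit
    _token("bob@example.com", _t(100), 45102),     # flagged ASN ...
    _device("bob@example.com", _t(145)),           # ... but 45s later -> outside maxspan
    _token("carol@example.com", _t(200), 15169),   # ASN not in the flagged list
    _device("carol@example.com", _t(205)),         # -> no hit
    _token("dave@example.com", _t(300), 29802, client="other-client.example"),  # other client
    _device("dave@example.com", _t(305)),          # -> no hit
    _device("erin@example.com", _t(400)),          # registration with no prior authorize
]


def run_sample(excluded_as_orgs=frozenset()):
    """Run the model over the constructed events; only alice should match."""
    return correlate(SAMPLE_EVENTS, excluded_as_orgs=excluded_as_orgs)


if __name__ == "__main__":
    for user, t0, t1 in run_sample():
        print(f"ALERT {user}: authorize at {t0.isoformat()}, registered {(t1 - t0).seconds}s later")
```

Running it prints one alert for alice; bob, carol, dave and erin each illustrate one condition the rule does not satisfy. Passing `excluded_as_orgs={"ExampleHosting (constructed)"}` to `run_sample` shows how an organization-name baseline would suppress alice's sequence, which is the kind of exclusion the False Positive Examples section says to build only after baselining real sources.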

Install detection rules in Elastic Security

Detect Google Workspace Device Registration After OAuth from Suspicious ASN in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.