Elastic Security Detection Rules

Google Workspace User Login with Unusual ASN

Last updated 10 days ago on 2026-05-14
Created 10 days ago on 2026-05-14

About

Detects the first time a Google Workspace user successfully signs in from a given source ASN within a 14-day historical window. Most users have a stable set of egress ASNs (home ISP, corporate VPN, mobile carrier). A new ASN for a user is a meaningful anomaly as it surfaces ISP changes and travel, but also catches AiTM phishing-kit relays whose egress ASN was never previously associated with the user.
Tags
Domain: CloudDomain: IdentityData Source: Google WorkspaceData Source: Google Workspace Audit LogsData Source: Google Workspace User Log EventsUse Case: Threat DetectionUse Case: Identity and Access AuditTactic: Initial AccessTactic: Credential AccessLanguage: kuery
Severity
low
Risk Score
21
MITRE ATT&CK™

Initial Access (TA0001)(external, opens in a new tab or window)

Valid Accounts (T1078)(external, opens in a new tab or window)

Credential Access (TA0006)(external, opens in a new tab or window)

Steal Application Access Token (T1528)(external, opens in a new tab or window)

Adversary-in-the-Middle (T1557)(external, opens in a new tab or window)

False Positive Examples
Legitimate first-time use of a new network: ISP change, new VPN provider, travel to a region using a different mobile carrier, new home office. Carrier-grade NAT or load-balanced corporate egress that occasionally routes through alternate ASNs.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-google_workspace.login*logs-google_workspace.token*
Related Integrations

google_workspace(external, opens in a new tab or window)

Query
text code block:
data_stream.dataset: ("google_workspace.login" or "google_workspace.token") and
    event.action: ("login_success" or "authorize") and
    source.as.number: * and
    user.email: *

Install detection rules in Elastic Security

Detect Google Workspace User Login with Unusual ASN in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).