Google Workspace User Sign-in from Atypical Device Type

Last updated: 2026-05-15
Created: 2026-05-15

About

Detects the first time a Google Workspace user is observed authenticating from a device of a given type (e.g., WINDOWS, MAC, ANDROID, IOS, LINUX) within a historical window. Note that "DEVICE_REGISTER_UNREGISTER_EVENT" events do not represent one-time physical device enrollments; the Google Reports API emits a fresh "google_workspace.device.id" on each event, and the same physical device may produce multiple events per day as sessions/sync renewals occur. The rule therefore surfaces a user authenticating from a new device type, not a new physical device. This is still high-fidelity because adversaries who compromise a Workspace identity via AiTM kits or stolen OAuth refresh tokens frequently relay sessions from device types that diverge from the legitimate user's baseline (e.g., a WINDOWS session appearing for a known macOS user, or simultaneous WINDOWS+MAC sessions within minutes), which is the canonical kit fingerprint. Because the underlying token retains access after password rotation, treat unexpected device-type divergence as a compromise indicator and revoke tokens, not just credentials.
Tags
Domain: Cloud
Domain: Identity
Data Source: Google Workspace
Data Source: Google Workspace Device Logs
Use Case: Threat Detection
Use Case: Identity and Access Audit
Tactic: Persistence
Tactic: Initial Access
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Persistence (TA0003)

Initial Access (TA0001)

False Positive Examples
A user legitimately enrolling a new personal or corporate device (new laptop, replacement phone, BYOD enrollment). Validate by confirming that the device registration timing aligns with a known device refresh, IT hardware ticket, or onboarding event.

Bulk device enrollment campaigns (e.g., MDM rollout, fleet refresh) where many users register the same new device type in a short window. Consider suppressing the rule during planned rollouts.
License
Elastic License v2

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-google_workspace.device*
Related Integrations

google_workspace

Query
data_stream.dataset: "google_workspace.device" and event.action: "DEVICE_REGISTER_UNREGISTER_EVENT" and google_workspace.device.account_state: "REGISTERED" and google_workspace.device.type: * and user.email: *
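As an added illustration (not Elastic's code and not part of the google_workspace integration), the following Python re-implements the New Terms logic this rule relies on and runs it over constructed sample events shaped like logs-google_workspace.device* documents. The history window and run interval are assumed values, since the page does not state the rule's configured settings.

```python
from datetime import datetime, timedelta
# Assumed windows: the page does not state the rule's configured values.
HISTORY_WINDOW = timedelta(days=30)   # a term must be absent this long to count as new
RUN_INTERVAL = timedelta(minutes=5)   # slice of fresh events each rule run examines

def matches_query(ev):
    """Mirror the rule's KQL filter: dataset, action, REGISTERED, non-empty type/email."""
    return (ev.get("data_stream.dataset") == "google_workspace.device"
            and ev.get("event.action") == "DEVICE_REGISTER_UNREGISTER_EVENT"
            and ev.get("google_workspace.device.account_state") == "REGISTERED"
            and bool(ev.get("google_workspace.device.type"))
            and bool(ev.get("user.email")))

def new_device_type_alerts(events, now):
    """Return (user.email, device.type) pairs seen in the run interval but absent from
    the preceding history window. Terms are keyed on device type, never device.id: the
    Reports API mints a fresh id per event, so keying on id would fire on every renewal."""
    run_start = now - RUN_INTERVAL
    history_start = run_start - HISTORY_WINDOW
    baseline, alerts = set(), []
    for ev in sorted(filter(matches_query, events), key=lambda e: e["@timestamp"]):
        term = (ev["user.email"], ev["google_workspace.device.type"])
        if history_start <= ev["@timestamp"] < run_start:
            baseline.add(term)          # known behaviour for this user
        elif ev["@timestamp"] >= run_start and term not in baseline:
            baseline.add(term)          # alert once per new term, not once per event
            alerts.append(term)
    return alerts

def make_event(ts, email, dev_type, dev_id, state="REGISTERED"):
    """Constructed sample document using the integration's field names from the query."""
    return {"@timestamp": ts, "data_stream.dataset": "google_workspace.device",
            "event.action": "DEVICE_REGISTER_UNREGISTER_EVENT", "user.email": email,
            "google_workspace.device.type": dev_type, "google_workspace.device.id": dev_id,
            "google_workspace.device.account_state": state}

def run_demo():
    """Constructed scenario: alice is a known MAC user; bob's only IOS history is too old."""
    now = datetime(2026, 5, 15, 12, 0, 0)
    ago = lambda **kw: now - timedelta(**kw)
    events = [
        make_event(ago(days=20), "alice@example.com", "MAC", "id-1"),      # baseline
        make_event(ago(minutes=2), "alice@example.com", "MAC", "id-2"),    # new id, same type
        make_event(ago(minutes=1), "alice@example.com", "WINDOWS", "id-3"),  # divergent type
        make_event(ago(seconds=30), "alice@example.com", "WINDOWS", "id-4"),  # repeat term
        make_event(ago(minutes=3), "bob@example.com", "ANDROID", "id-5", "UNREGISTERED"),
        make_event(ago(days=45), "bob@example.com", "IOS", "id-6"),   # older than history
        make_event(ago(minutes=1), "bob@example.com", "IOS", "id-7"),   # fires: window caveat
    ]
    return new_device_type_alerts(events, now)
```

run_demo() returns alice's WINDOWS term (the divergence the rule targets) and bob's IOS term, which shows how a legitimate device type last seen before the history window re-fires and is the kind of case the false-positive notes above describe.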

Install detection rules in Elastic Security

Detect Google Workspace User Sign-in from Atypical Device Type in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.