TEAM: Huntress SIEM
PRODUCT: Huntress Managed SIEM
ENVIRONMENT: ITDR
SUMMARY: Starter Queries for Google Workspace
Please note that Huntress SIEM is case sensitive!
Query List
Enabling/Disabling Multi-Factor Authentication
Reviewing All Events for a User
Failed Login Attempts
Description
This search returns failed sign-in attempts against Google Workspace accounts. Use it to spot brute-force attempts, password spraying, or a user repeatedly failing to authenticate.
Search Query
from logs
| where event.provider=="ITDR-GWS"
| where event.action=="login_failure"
| keep user.email, event.action, client.ip
Additional Filters
The additional "where" clause restricts results to failures for a specific account. Replace user@example.com with the account in question.
from logs
| where event.provider=="ITDR-GWS"
| where event.action=="login_failure"
| where user.email=="user@example.com"
| keep user.email, event.action, client.ip
Kept Field Breakdown
| Field | Description |
|---|---|
| user.email | The email address of the account that attempted to sign in. |
| event.action | The event operation name (here, login_failure). |
| client.ip | The source IP of the sign-in attempt. |
Enabling/Disabling Multi-Factor Authentication
Description
This search returns changes made to an account's 2-Step Verification (2SV) status, both enrollments and removals. Use it to confirm MFA adoption or to catch an attacker disabling MFA after compromising an account.
Search Query
from logs
| where event.provider=="ITDR-GWS"
| where event.action=="2sv_enroll" OR event.action=="2sv_disable"
| keep user.email, event.action, client.ip
Kept Field Breakdown
| Field | Description |
|---|---|
| user.email | The email address of the account whose 2SV status changed. |
| event.action | The event operation name. Indicates whether 2SV was enrolled (2sv_enroll) or disabled (2sv_disable). |
| client.ip | The source IP from which the change was made. |
Reviewing All Events for a User
Description
This search returns every Google Workspace identity event tied to a single user, letting you build a timeline of that account's activity during an investigation. Replace user@example.com with the email address of the user in question.
Search Query
from logs
| where event.provider=="ITDR-GWS"
| where user.email=="user@example.com"
| keep user.email, event.action, client.ip, event.code
Kept Field Breakdown
| Field | Description |
|---|---|
| user.email | The email address of the account the event pertains to. |
| event.action | The event operation name (e.g. login_success, login_failure, password_edit, 2sv_enroll). |
| client.ip | The source IP associated with the event. |
| event.code | The event type code that groups related actions (e.g. login, 2sv, account_warning). |
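As an added example (not Huntress code), the following Python applies the same three filters as the queries above to constructed ITDR-GWS events and adds the grouping the failed-login query is meant to support: failures per account and distinct accounts per source IP. Field names match the queries; the sample events and the thresholds are assumptions.

```python
from collections import Counter, defaultdict

def ev(action, email, ip, provider="ITDR-GWS"):
    """Build one event in the shape the page's queries select on (constructed sample data)."""
    return {"event.provider": provider, "event.action": action, "user.email": email, "client.ip": ip}

# Constructed sample data: alice fails three times from one IP (brute force), 198.51.100.7
# fails against three accounts (spraying), then alice's 2SV is disabled from the same IP.
# The login_success and non-ITDR-GWS rows exist only to be filtered out by the "where" clauses.
SAMPLE_EVENTS = [
    ev("login_failure", "alice@example.com", "203.0.113.10"),
    ev("login_failure", "alice@example.com", "203.0.113.10"),
    ev("login_failure", "alice@example.com", "203.0.113.10"),
    ev("login_failure", "bob@example.com", "198.51.100.7"),
    ev("login_failure", "carol@example.com", "198.51.100.7"),
    ev("login_failure", "dave@example.com", "198.51.100.7"),
    ev("login_success", "alice@example.com", "203.0.113.10"),
    ev("2sv_disable", "alice@example.com", "203.0.113.10"),
    ev("2sv_enroll", "bob@example.com", "192.0.2.5"),
    ev("login_failure", "erin@example.com", "192.0.2.9", provider="OTHER"),
]

def filter_events(events, actions=None, user=None):
    """Mirror the 'where' clauses: exact (case-sensitive) provider, then optional action set and user."""
    return [e for e in events
            if e.get("event.provider") == "ITDR-GWS"
            and (actions is None or e.get("event.action") in actions)
            and (user is None or e.get("user.email") == user)]

def flag_failed_logins(events, per_user_threshold=3, spray_user_threshold=3):
    """Brute force: one account failing repeatedly. Spraying: one IP failing against many accounts.
    Thresholds are illustrative assumptions, not Huntress defaults."""
    failures = filter_events(events, {"login_failure"})
    per_user = Counter(e["user.email"] for e in failures)
    users_per_ip = defaultdict(set)
    for e in failures:
        users_per_ip[e["client.ip"]].add(e["user.email"])
    return {"brute_force_users": sorted(u for u, n in per_user.items() if n >= per_user_threshold),
            "spraying_ips": sorted(ip for ip, us in users_per_ip.items() if len(us) >= spray_user_threshold)}

def flag_2sv_changes(events):
    """Split 2SV changes into enrollments and removals; a 2sv_disable is the one to escalate."""
    changes = filter_events(events, {"2sv_enroll", "2sv_disable"})
    return {kind: [(e["user.email"], e["client.ip"]) for e in changes if e["event.action"] == action]
            for kind, action in (("enrolled", "2sv_enroll"), ("disabled", "2sv_disable"))}

def user_timeline(events, user):
    """Every ITDR-GWS event for one account, projected onto the page's kept fields, in log order."""
    return [{f: e.get(f) for f in ("user.email", "event.action", "client.ip")}
            for e in filter_events(events, user=user)]
```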