Multiple login failures (>= 3) detected from any particular user identity in the last 24 hours.
Category: Login & Access Patterns
Use Cases: Detect
Data Sources: Workspace Login Audit (Cloud Identity Logs)
| BigQuery | Log Analytics | Google SecOps |
|---|---|---|
| SQL | SQL | YARA-L |
Login as test user via gcloud CLI, using wrong password multiple times in a row. Note lag time of Workspace Audit Login Logs can be up to a few hours.
| Name | Description | Type | Default Value |
|---|---|---|---|
| account | user account of test user to be used for authentication | String | test-user |
gcloud auth login #{account} --no-browser --force
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "[email protected]"
},
"requestMetadata": {
"callerIp": "203.0.113.255",
"requestAttributes": {
},
"destinationAttributes": {
}
},
"serviceName": "login.googleapis.com",
"methodName": "google.login.LoginService.loginFailure",
"resourceName": "organizations/123",
"metadata": {
"event": [
{
"eventName": "login_failure",
"eventType": "login",
"parameter": [
{
"value": "google_password",
"type": "TYPE_STRING",
"name": "login_type",
"label": "LABEL_OPTIONAL"
},
{
"name": "login_challenge_method",
"type": "TYPE_STRING",
"label": "LABEL_REPEATED",
"multiStrValue": [
"password",
"idv_preregistered_phone",
"idv_preregistered_phone"
]
},
{
"label": "LABEL_OPTIONAL",
"name": "dusi",
"type": "TYPE_STRING",
"value": "IOWJlfPwgvrTfg"
}
]
}
],
"activityId": {
"uniqQualifier": "358068855354",
"timeUsec": "1632500217183212"
},
"@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto"
}
},
"insertId": "-nahbepd4l1x",
"resource": {
"type": "audited_resource",
"labels": {
"method": "google.login.LoginService.loginFailure",
"service": "login.googleapis.com"
}
},
"timestamp": "2021-09-24T16:16:57.183212Z",
"severity": "NOTICE",
"logName": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2021-09-24T17:51:25.034361197Z"
}