What Changed

Two new ASIM Authentication parsers added:

  • ASimAuthenticationGoogleWorkspaceLogins (full/unfiltered)
  • vimAuthenticationGoogleWorkspaceLogins (filtered/parameterised)

Both are registered in the top-level ASimAuthentication and imAuthentication union parsers (version bumped to 0.2.18), making Google Workspace Logins data available to any detection or hunting query that references imAuthentication or ASim_Authentication*.

Parser Impact

Schema: ASIM Authentication (version 0.1.4) Source table: GoogleWorkspaceReports (ingested via CCF) Filter: IdApplicationName == login and EventType in (login, logout)

Event coverage – EventName values normalised:

EventNameNormalised EventTypeNormalised EventResult
login_successLogonSuccess
login_failureLogonFailure
logoutLogoffSuccess
risky_sensitive_action_allowedLogonSuccess
risky_sensitive_action_blockedLogonFailure
suspicious_loginLogonFailure
suspicious_login_less_secure_appLogonFailure
suspicious_programmatic_loginLogonFailure
user_signed_out_due_to_suspicious_session_cookieLogoffSuccess

Key field mappings:

  • TargetUsername <- ActorEmail (UPN type)
  • TargetUserId <- ActorProfileId
  • SrcGeoCountry <- NetworkInfoRegionCode
  • LogonMethod – derives Multi factor authentication when any MFA challenge method is present (security_key, passkey, google_prompt, backup_code, etc.)
  • LogonProtocol – maps SAML and OIDC challenge methods to respective protocol strings
  • EventResultDetails – flags policy violations for suspicious/blocked events

This is a net-new parser; prior to this PR, imAuthentication returned no rows for data ingested via the Google Workspace Reports CCF connector. Any ASIM-based detection relying on imAuthentication had a blind spot for Google Workspace identity events.

MITRE Coverage

No MITRE techniques are declared in the parser YAML. Detections built on this parser can address:

  • T1078 (Valid Accounts) – login_success anomalies and off-hours access
  • T1110 (Brute Force) – repeated login_failure events per actor
  • T1539 (Steal Web Session Cookie) – user_signed_out_due_to_suspicious_session_cookie

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/GoogleWorkspaceReports.json
Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json
Parsers/ASimAuthentication/ARM/ASimAuthenticationGoogleWorkspaceLogins/ASimAuthenticationGoogleWorkspaceLogins.json
Parsers/ASimAuthentication/ARM/ASimAuthenticationGoogleWorkspaceLogins/README.md
Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json
Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json
Parsers/ASimAuthentication/ARM/vimAuthenticationGoogleWorkspaceLogins/README.md
Parsers/ASimAuthentication/ARM/vimAuthenticationGoogleWorkspaceLogins/vimAuthenticationGoogleWorkspaceLogins.json
Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md
Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationGoogleWorkspaceLogins.md
Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md
Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationGoogleWorkspaceLogins.md
Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml
Parsers/ASimAuthentication/Parsers/ASimAuthenticationGoogleWorkspaceLogins.yaml
Parsers/ASimAuthentication/Parsers/imAuthentication.yaml
Parsers/ASimAuthentication/Parsers/vimAuthenticationGoogleWorkspaceLogins.yaml
Parsers/ASimAuthentication/Tests/Google_Google Workspace_ASimAuthentication_DataTest.csv
Parsers/ASimAuthentication/Tests/Google_Google Workspace_ASimAuthentication_SchemaTest.csv
Parsers/ASimAuthentication/Tests/Google_Google Workspace_vimAuthentication_DataTest.csv
Parsers/ASimAuthentication/Tests/Google_Google Workspace_vimAuthentication_SchemaTest.csv
Sample Data/ASIM/Google_Google Workspace_Authentication_IngestedLogs.csv