What Changed
Two new ASIM Authentication parsers added:
- ASimAuthenticationGoogleWorkspaceLogins (full/unfiltered)
- vimAuthenticationGoogleWorkspaceLogins (filtered/parameterised)
Both are registered in the top-level ASimAuthentication and imAuthentication union parsers (version bumped to 0.2.18), making Google Workspace Logins data available to any detection or hunting query that references imAuthentication or ASim_Authentication*.
Parser Impact
Schema: ASIM Authentication (version 0.1.4) Source table: GoogleWorkspaceReports (ingested via CCF) Filter: IdApplicationName == login and EventType in (login, logout)
Event coverage – EventName values normalised:
| EventName | Normalised EventType | Normalised EventResult |
|---|---|---|
| login_success | Logon | Success |
| login_failure | Logon | Failure |
| logout | Logoff | Success |
| risky_sensitive_action_allowed | Logon | Success |
| risky_sensitive_action_blocked | Logon | Failure |
| suspicious_login | Logon | Failure |
| suspicious_login_less_secure_app | Logon | Failure |
| suspicious_programmatic_login | Logon | Failure |
| user_signed_out_due_to_suspicious_session_cookie | Logoff | Success |
Key field mappings:
- TargetUsername <- ActorEmail (UPN type)
- TargetUserId <- ActorProfileId
- SrcGeoCountry <- NetworkInfoRegionCode
- LogonMethod – derives Multi factor authentication when any MFA challenge method is present (security_key, passkey, google_prompt, backup_code, etc.)
- LogonProtocol – maps SAML and OIDC challenge methods to respective protocol strings
- EventResultDetails – flags policy violations for suspicious/blocked events
This is a net-new parser; prior to this PR, imAuthentication returned no rows for data ingested via the Google Workspace Reports CCF connector. Any ASIM-based detection relying on imAuthentication had a blind spot for Google Workspace identity events.
MITRE Coverage
No MITRE techniques are declared in the parser YAML. Detections built on this parser can address:
- T1078 (Valid Accounts) – login_success anomalies and off-hours access
- T1110 (Brute Force) – repeated login_failure events per actor
- T1539 (Steal Web Session Cookie) – user_signed_out_due_to_suspicious_session_cookie
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/GoogleWorkspaceReports.json
Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json
Parsers/ASimAuthentication/ARM/ASimAuthenticationGoogleWorkspaceLogins/ASimAuthenticationGoogleWorkspaceLogins.json
Parsers/ASimAuthentication/ARM/ASimAuthenticationGoogleWorkspaceLogins/README.md
Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json
Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json
Parsers/ASimAuthentication/ARM/vimAuthenticationGoogleWorkspaceLogins/README.md
Parsers/ASimAuthentication/ARM/vimAuthenticationGoogleWorkspaceLogins/vimAuthenticationGoogleWorkspaceLogins.json
Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md
Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationGoogleWorkspaceLogins.md
Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md
Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationGoogleWorkspaceLogins.md
Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml
Parsers/ASimAuthentication/Parsers/ASimAuthenticationGoogleWorkspaceLogins.yaml
Parsers/ASimAuthentication/Parsers/imAuthentication.yaml
Parsers/ASimAuthentication/Parsers/vimAuthenticationGoogleWorkspaceLogins.yaml
Parsers/ASimAuthentication/Tests/Google_Google Workspace_ASimAuthentication_DataTest.csv
Parsers/ASimAuthentication/Tests/Google_Google Workspace_ASimAuthentication_SchemaTest.csv
Parsers/ASimAuthentication/Tests/Google_Google Workspace_vimAuthentication_DataTest.csv
Parsers/ASimAuthentication/Tests/Google_Google Workspace_vimAuthentication_SchemaTest.csv
Sample Data/ASIM/Google_Google Workspace_Authentication_IngestedLogs.csv