Why Aren’t Google Workspace Failed Logins Logging as Expected?

Hey everyone,
We've successfully integrated the WORKSPACE ACTIVITIES feed into our SIEM, and it appears to be valid. 

The issue is that we can’t properly simulate login failures, and we don’t fully understand how USER_LOGIN vs. USER_RESOURCE_ACCESS logs behave.

Test scenario:

1. Went to the Google Workspace login page.
2. Entered my organization email.
3. Entered the wrong password 4-5 times.
4. Successfully logged in after entering the correct password.

Problem: When searching in SIEM for my email within that time window, I found no logs related to failed or successful logins. The first log I saw was a USER_RESOURCE_ACCESS event, but no failed login attempts were recorded. Example of the first log I found:

{
  "metadata.event_type": "USER_RESOURCE_ACCESS",
  "metadata.product_event_type": "authorize",
  "principal.user.email_addresses[0]": "<user_email>",
  "principal.ip_geo_artifact[0].ip": "<user_ip_address>"
}

However, I do see USER_LOGIN logs for other users and even for myself at different times, but I can’t figure out when they are triggered and when they are not.

Has anyone successfully simulated failed logins and seen them in SecOps SIEM?

Any insights would be greatly appreciated 🙂

1 REPLY

This query returns failed Workspace logins for me:

metadata.log_type = "WORKSPACE_ACTIVITY"
metadata.event_type = "USER_LOGIN"
metadata.product_event_type = "login_failure"
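
Added example, not part of the reply above or of any Google tooling: a Python check for events exported from the SIEM that shows which event types were ingested for one user in the test window and whether the question's test scenario (several failures, then a success) is visible. The ISO timestamp format, the sample users and the "login_success" value are assumptions; the other field names and values are the ones quoted in the thread.

```python
from collections import Counter
from datetime import datetime, timedelta

# Flattened UDM field names as they appear in the thread; the ISO timestamp
# string under metadata.event_timestamp is an assumed export format.
EMAIL, ETYPE = "principal.user.email_addresses[0]", "metadata.event_type"
PTYPE, TS = "metadata.product_event_type", "metadata.event_timestamp"

def _ev(ts, etype, ptype, email):
    return {TS: ts, ETYPE: etype, PTYPE: ptype, EMAIL: email}

# Constructed sample data: user A has the full test scenario ingested,
# user B shows only the "authorize" event described in the question.
A, B = "user.a@example.com", "user.b@example.com"
SAMPLE_EVENTS = (
    [_ev(f"2025-01-01T10:00:{s:02d}Z", "USER_LOGIN", "login_failure", A)
     for s in (5, 20, 41, 58)]
    + [_ev("2025-01-01T10:01:30Z", "USER_LOGIN", "login_success", A),  # assumed name
       _ev("2025-01-01T10:01:33Z", "USER_RESOURCE_ACCESS", "authorize", A),
       _ev("2025-01-01T10:05:00Z", "USER_RESOURCE_ACCESS", "authorize", B)]
)

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def timeline(events, email, start, end):
    """Sorted (time, event_type, product_event_type) rows for one user in a window."""
    rows = [(parse_ts(e[TS]), e[ETYPE], e[PTYPE]) for e in events if e.get(EMAIL) == email]
    return sorted(r for r in rows if parse_ts(start) <= r[0] <= parse_ts(end))

def coverage(rows):
    """Count rows per (event_type, product_event_type) to show what was ingested."""
    return Counter((etype, ptype) for _, etype, ptype in rows)

def failures_before_success(rows, min_failures=3, window=timedelta(minutes=10)):
    """Number of login_failure events within `window` before a login_success, else 0."""
    failures = []
    for ts, etype, ptype in rows:
        if etype != "USER_LOGIN":
            continue  # resource-access events neither count nor reset the streak
        if ptype == "login_failure":
            failures.append(ts)
        elif ptype == "login_success":
            recent = [t for t in failures if ts - t <= window]
            if len(recent) >= min_failures:
                return len(recent)
            failures = []
    return 0
```

A coverage result that contains only ("USER_RESOURCE_ACCESS", "authorize") for the test window means no USER_LOGIN events reached the SIEM for that user at all, which is a different finding from a window in which no login failures occurred.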