Google Workspace user account signed out due to suspicious session cookie
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Goal
Detects Google Workspace login service events where Google terminates a session based on suspicious session cookie activity.
Strategy
Monitoring of Google Workspace login audit telemetry for user_signed_out_due_to_suspicious_session_cookie on the login service, grouped by the affected mailbox in @event.parameters.affected_email_address. The signal originates from Google’s session integrity detection rather than an administrator-initiated revoke.
Triage and response
- Contact the user at
{{@event.parameters.affected_email_address}} to confirm whether they were using Google services at the event time and whether they observed unexpected devices or sign-out prompts. - Review recent sign-in history, device registrations, and OAuth application access for that mailbox for unfamiliar locations, browsers, or mobile clients.
- Check neighboring security findings for the same account, including password resets, recovery changes, forwarding rules, or new third-party application grants.
- Determine whether travel, VPN use, or shared workstations could explain session anomalies before closing the review as expected behavior.
