Google Workspace user account signed out due to suspicious session cookie

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects Google Workspace login service events where Google terminates a session based on suspicious session cookie activity.

Strategy

Monitors Google Workspace login audit telemetry for the user_signed_out_due_to_suspicious_session_cookie event on the login service, grouping matches by the affected mailbox in @event.parameters.affected_email_address. The signal originates from Google’s session integrity detection rather than an administrator-initiated revoke.
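
The matching and grouping described above, run over constructed log records. This is an added example, not Datadog's rule definition. The service and event.name field names and the sample records are assumptions; only the event.parameters.affected_email_address path comes from the rule text.

```python
import json
from collections import defaultdict

EVENT_NAME = "user_signed_out_due_to_suspicious_session_cookie"

# Constructed sample records (not real telemetry). Assumed layout: the "service"
# and "event.name" fields are hypothetical; event.parameters.affected_email_address
# follows the attribute path named in the rule.
SAMPLE_LOGS = """
{"timestamp": "2024-05-01T09:14:02Z", "service": "login", "event": {"name": "user_signed_out_due_to_suspicious_session_cookie", "parameters": {"affected_email_address": "Alice@example.com"}}}
{"timestamp": "2024-05-01T09:20:45Z", "service": "login", "event": {"name": "login_success", "parameters": {"login_type": "google_password"}}}
{"timestamp": "2024-05-01T09:31:10Z", "service": "login", "event": {"name": "user_signed_out_due_to_suspicious_session_cookie", "parameters": {"affected_email_address": "alice@example.com"}}}
{"timestamp": "2024-05-01T10:05:00Z", "service": "login", "event": {"name": "logout", "parameters": {"affected_email_address": "bob@example.com"}}}
{"timestamp": "2024-05-01T11:02:33Z", "service": "login", "event": {"name": "user_signed_out_due_to_suspicious_session_cookie", "parameters": {}}}
"""

def detect(lines):
    """Return {mailbox: [timestamps]} for matching events, grouped per mailbox."""
    signals = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not valid JSON
        event = rec.get("event") or {}
        if rec.get("service") != "login" or event.get("name") != EVENT_NAME:
            continue  # ordinary logouts and other login events do not match
        params = event.get("parameters") or {}
        mailbox = (params.get("affected_email_address") or "").strip().lower()
        # Keep hits with no mailbox visible instead of silently dropping them.
        signals[mailbox or "<unattributed>"].append(rec.get("timestamp"))
    return dict(signals)

if __name__ == "__main__":
    for mailbox, times in sorted(detect(SAMPLE_LOGS.splitlines()).items()):
        print(f"{mailbox}: {len(times)} event(s), first={min(times)}, last={max(times)}")
```

Lowercasing the mailbox before grouping keeps repeated terminations for the same account in one group even when the address casing differs between records.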

Triage and response

  • Contact the user at {{@event.parameters.affected_email_address}} to confirm whether they were using Google services at the event time and whether they observed unexpected devices or sign-out prompts.
  • Review recent sign-in history, device registrations, and OAuth application access for that mailbox for unfamiliar locations, browsers, or mobile clients.
  • Check neighboring security findings for the same account, including password resets, recovery changes, forwarding rules, or new third-party application grants.
  • Determine whether travel, VPN use, or shared workstations could explain session anomalies before closing the review as expected behavior.