
[google_workspace] Missing extra filters for Successful Logins by Compromised Users panel #8745

Open
ebeahan opened this issue Dec 18, 2023 · 8 comments · May be fixed by #12628
Labels: bug, dashboard, Integration:google_workspace, Team:Security-Service Integrations

Comments

@ebeahan
Member

ebeahan commented Dec 18, 2023

For the login data stream, the [Logs Google Workspace] Login dashboard (source) contains two panels using the same filters:

  • Total Successful Login [Logs Google Workspace]
  • Successful Logins by Compromised Users [Logs Google Workspace]

Filter: data_stream.dataset: "google_workspace.login" AND event_action: "login_success"

The Compromised Users panel shows all successful logins and is missing additional filters to limit only to compromised accounts.

@ebeahan ebeahan added bug Something isn't working, use only for issues Team:Security-External Integrations Integration:google_workspace Google Workspace labels Dec 18, 2023
@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@narph narph added Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations] and removed Team:Security-External Integrations labels Jan 25, 2024
@narph narph added the dashboard Relates to a Kibana dashboard bug, enhancement, or modification. label Aug 29, 2024
@StacieClark-Elastic
Member

@ebeahan to clarify. We have events for suspending users. We have events to identify compromised devices. This ticket appears to be asking for a filter that:
For the time range of successful logins (t1-t2), filter the login list by users who were suspended after t1. If the user was later unsuspended, still filter by the user.

@StacieClark-Elastic
Member

@marc-gr mentioned that there is an is_suspicious flag on logins. Perhaps filtering by this flag is what the goal is?

@ebeahan
Member Author

ebeahan commented Jan 29, 2025

@StacieClark-Elastic I don't recall what exactly prompted me to open this one. 😅

IIRC the two visualizations show the same information because the filter is the same. I expect the Compromised User visualization to have an additional filter. Maybe that's the is_suspicious flag @marc-gr mentioned.

Unfortunately, I don't have an environment with Google Workspace data to show an example for reference right now.

@StacieClark-Elastic
Member

From this page: https://support.google.com/a/answer/7102416?hl=en

> Examples of suspicious logins
>
> - A user doesn't follow their usual sign-in pattern, such as signing in from an unusual location.
> - **There was a successful sign-in from a suspended user's account.**
>
> Note: You might also get an alert if a suspicious event occurs when a user is using Mail Fetcher to import mail from another Gmail account, because the messages are being fetched through Google servers.

Given that we don't have a company wide definition of what a "Compromised User" is, we could change the visualization title to "Suspicious Logins" or "Logins that are Suspicious" and add the filter for the is_suspicious flag

@ebeahan
Member Author

ebeahan commented Jan 30, 2025

> Given that we don't have a company wide definition of what a "Compromised User" is, we could change the visualization title to "Suspicious Logins" or "Logins that are Suspicious" and add the filter for the is_suspicious flag

I think that's reasonable. A login being flagged as suspicious doesn't mean it's compromised.

@StacieClark-Elastic
Member

Further investigation uncovered another type of login event, which is a device login event. There is a flag called is_compromised on device logins, so this MAY show a successful login on a device that is compromised.

@StacieClark-Elastic
Member

| Field | Value |
|---|---|
| Date | 2025-01-30T15:14:20-05:00 |
| Device ID | device_id |
| Event | Account registration change |
| Description | user@domain account registered on  with device administrator privilege |
| User email | user@domain |
| Device type | Android |
| Device model | |
| OS version | |
| Policy name | |
| Policy status code | |
| Policy status | |
| Windows OS edition | |
| Failed password attempts | 0 |
| Device compromised state | |
| Device property | |
| Device setting | |
| Application SHA-256 hash | |
| Application ID | |
| Application state | |
| New value | |
| Old value | |
| Account state | Registered |
| Register privilege | Device administrator |
| Device ownership | |
| New device ID | |
| Resource ID | |
| Serial number | |
| iOS vendor ID | |
| Domain | |
| Device compliance state | |
| OS property | |
| OS is outdated | |
| Security patch is outdated | |
| Has potentially harmful apps | |
| Is compromised | |
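The point of the thread, shown on constructed events rather than a live Workspace tenant: both panels currently carry the identical `data_stream.dataset` + `event.action` filter, so they count the same documents, and the proposed fix narrows the second panel with the login `is_suspicious` flag (the device-login `is_compromised` variant from the later comment is included too). This is an added example, not code from the elastic/integrations repository or the dashboard itself; the nested field paths `google_workspace.login.is_suspicious` and `google_workspace.device.is_compromised`, the `google_workspace.device` dataset name, and all sample documents are assumptions modelled on the integration's ECS layout, not copied from its field reference.

```python
"""Reproduce the identical-filter bug from this issue and the proposed fix.

Field paths below are assumptions (not taken from the integration's field
reference); the documents are constructed, not real Workspace audit records.
"""
from typing import Any, Callable, Dict, List, Optional

Doc = Dict[str, Any]
Predicate = Callable[[Doc], bool]


def _login(email: str, action: str, suspicious: Optional[bool] = None) -> Doc:
    """Build a constructed login document; suspicious=None omits the flag."""
    doc: Doc = {
        "data_stream": {"dataset": "google_workspace.login"},
        "event": {"action": action},
        "user": {"email": email},
        "google_workspace": {"login": {}},
    }
    if suspicious is not None:
        doc["google_workspace"]["login"]["is_suspicious"] = suspicious
    return doc


# Constructed sample data, not real Google Workspace audit records.
SAMPLE_DOCS: List[Doc] = [
    _login("alice@example.com", "login_success", suspicious=False),
    _login("bob@example.com", "login_success", suspicious=True),
    _login("bob@example.com", "login_failure", suspicious=True),  # not a success
    _login("carol@example.com", "login_success"),                 # flag absent
    {   # device-login style event; dataset and field names are assumed
        "data_stream": {"dataset": "google_workspace.device"},
        "event": {"action": "login_success"},
        "user": {"email": "dave@example.com"},
        "google_workspace": {"device": {"is_compromised": True}},
    },
]


def get_path(doc: Doc, path: str) -> Any:
    """Walk a dotted field path through nested dicts; None if any part is missing."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def successful_login(doc: Doc) -> bool:
    """The filter both panels carry today; the bug is that it is the same for both."""
    return (get_path(doc, "data_stream.dataset") == "google_workspace.login"
            and get_path(doc, "event.action") == "login_success")


def suspicious_successful_login(doc: Doc) -> bool:
    """Proposed 'Suspicious Logins' panel: success AND is_suspicious is true.

    `is True` is deliberate: a missing flag (None) or a string "true" from a
    mis-mapped field must not count as suspicious."""
    return successful_login(doc) and get_path(doc, "google_workspace.login.is_suspicious") is True


def compromised_device_login(doc: Doc) -> bool:
    """Other reading from the thread: a successful login on a device flagged
    is_compromised (device data stream; names assumed)."""
    return (get_path(doc, "data_stream.dataset") == "google_workspace.device"
            and get_path(doc, "event.action") == "login_success"
            and get_path(doc, "google_workspace.device.is_compromised") is True)


def count(docs: List[Doc], pred: Predicate) -> int:
    """Number of documents a panel with this filter would count."""
    return sum(1 for d in docs if pred(d))


def suspicious_panel_query() -> Dict[str, Any]:
    """Query DSL equivalent of the proposed KQL filter
    `data_stream.dataset: "google_workspace.login" AND event.action: "login_success"
     AND google_workspace.login.is_suspicious: true` (field path assumed)."""
    return {"bool": {"filter": [
        {"term": {"data_stream.dataset": "google_workspace.login"}},
        {"term": {"event.action": "login_success"}},
        {"term": {"google_workspace.login.is_suspicious": True}},
    ]}}


if __name__ == "__main__":
    print("Total Successful Login panel:         ", count(SAMPLE_DOCS, successful_login))
    print("'Compromised Users' panel as shipped:  ", count(SAMPLE_DOCS, successful_login))
    print("Proposed Suspicious Logins panel:     ", count(SAMPLE_DOCS, suspicious_successful_login))
    print("Compromised-device successful logins: ", count(SAMPLE_DOCS, compromised_device_login))
```

Run as a script it prints 3, 3, 1, 1: the first two numbers are equal because the shipped filters are identical, which is the bug reported here; the third is what the renamed panel would show with the `is_suspicious` term added. Note the failed login from a suspicious source and the document with no flag at all are both excluded, which is the behaviour a `term` filter on a boolean field gives in Elasticsearch as well.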


4 participants