I am trying to write a rule for Google Workspace password resets initiated from a country that has not been seen in the last 30 days.
For some reason, the `first_seen` metric is malfunctioning (returning 0 even though the user has logged in from that country before).
Any tips?
$password_change.metadata.log_type = "WORKSPACE_ACTIVITY"
$password_change.metadata.product_name = "login"
$password_change.metadata.product_event_type = "password_edit"
$password_change.principal.ip_geo_artifact.location.country_or_region != ""
$user = $password_change.security_result.about.email
$country = $password_change.principal.ip_geo_artifact.location.country_or_region
match: $user, $country
outcome:
$first_seen_country = max(metrics.auth_attempts_success(
period:1d, window:30d,
metric:first_seen,
agg:max,
target.user.email_addresses:$user,
principal.ip_geo_artifact.location.country_or_region:$country))
condition:
$password_change and $first_seen_country = 0


