Detection rules › YARA-L
sap impossible travel
Identifies two successful logons for the same User ID from two different geographic locations in a timeframe that is physically impossible to travel between, indicating credential sharing or theft.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1078 Valid Accounts |
| Persistence | T1078 Valid Accounts |
| Privilege Escalation | T1078 Valid Accounts |
| Stealth | T1078 Valid Accounts |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4624 | An account was successfully logged on. |
| Security-Auditing | Event ID 4625 | An account failed to log on. |
| Security-Auditing | Event ID 4648 | A logon was attempted using explicit credentials. |
Rule body yaral
/*
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
rule sap_impossible_travel {
meta:
author = "Google Cloud Security"
description = "Identifies two successful logons for the same User ID from two different geographic locations in a timeframe that is physically impossible to travel between, indicating credential sharing or theft."
severity = "medium"
tactic = "TA0006"
technique = "T1078"
events:
$e.metadata.log_type = "SAP_SECURITY_AUDIT"
(
$e.metadata.event_type = "USER_LOGIN" or
$e.additional.fields["msg_1"] = /^AU1$|^AU5$/
)
$e.principal.ip_geo_artifact.location.country_or_region != ""
$country = $e.principal.ip_geo_artifact.location.country_or_region
$state = $e.principal.ip_geo_artifact.location.state
$user = $e.principal.user.userid
match:
$user over 1h
outcome:
$countries = array_distinct($country)
$states = array_distinct($state)
$count_of_countries = count_distinct($country)
$count_of_states = count_distinct($state)
$risk_score = if(count_distinct($country) > 1, 30, 0) + if(count_distinct($state) > 2, 30, 0) + 30
$network_carrier_name = array_distinct($e.principal.ip_geo_artifact.network.carrier_name)
$networn_dns_domain = array_distinct($e.principal.ip_geo_artifact.network.dns_domain)
$network_org = array_distinct($e.principal.ip_geo_artifact.network.organization_name)
$sap_instance = array_distinct($e.target.resource.name)
condition:
#country >= 2 or #state >= 2
}
Detection logic
Fires when $country occurs at least 2 times in the 1h window or $state occurs at least 2 times in the 1h window.
Events
$e
metadata.log_type = "SAP_SECURITY_AUDIT"additional.fields["msg_1"] matches "^AU1$|^AU5$"principal.ip_geo_artifact.location.country_or_region is not null
Correlation
Outcome
Fields the detection emits on a match. $risk_score drives alerting; Chronicle surfaces the rest on the detection.
| Field | Expression |
|---|---|
countries | array_distinct($country) |
states | array_distinct($state) |
count_of_countries | count_distinct($country) |
count_of_states | count_distinct($state) |
risk_score | if(count_distinct($country) > 1, 30, 0) + if(count_distinct($state) > 2, 30, 0) + 30 |
network_carrier_name | array_distinct($e.principal.ip_geo_artifact.network.carrier_name) |
networn_dns_domain | array_distinct($e.principal.ip_geo_artifact.network.dns_domain) |
network_org | array_distinct($e.principal.ip_geo_artifact.network.organization_name) |
sap_instance | array_distinct($e.target.resource.name) |