detection.wiki

Detection rules › YARA-L

sap multi terminal logon

Severity
medium
Time window
15m
Match by
user
Author
Google Cloud Security
Source
github.com/chronicle/detection-rules

Identifies successful logons for the same User ID from multiple different terminal IDs or client hostnames in a short timeframe, indicating potential credential sharing or session theft.

MITRE ATT&CK coverage

TacticTechniques
Initial AccessT1078 Valid Accounts
PersistenceT1078 Valid Accounts
Privilege EscalationT1078 Valid Accounts
StealthT1078 Valid Accounts

Event coverage

ProviderEventTitle
Security-AuditingEvent ID 4624An account was successfully logged on.
Security-AuditingEvent ID 4625An account failed to log on.
Security-AuditingEvent ID 4648A logon was attempted using explicit credentials.

Rule body yaral

/*
 * Copyright 2026 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

rule sap_multi_terminal_logon {

  meta:
    author = "Google Cloud Security"
    description = "Identifies successful logons for the same User ID from multiple different terminal IDs or client hostnames in a short timeframe, indicating potential credential sharing or session theft."
    severity = "medium"
    tactic = "TA0006"
    technique = "T1078"

  events:
    $e.metadata.log_type = "SAP_SECURITY_AUDIT"
    (
        $e.metadata.event_type = "USER_LOGIN" or
        $e.additional.fields["msg_1"] = /^AU1$|^AU5$/
    )


    // Ensure we only check events that actually have a terminal/hostname recorded
    $e.principal.hostname != ""

    $terminal = $e.principal.hostname
    $user = $e.principal.user.userid

  match:
    // You can reduce this window to 15m or 30m if 1h is too broad for direct terminal switches
    $user over 15m

  outcome:
    $terminals = array_distinct($terminal)
    $count_of_terminals = count_distinct($terminal)
    // Give a high risk score if they switch terminals
    $risk_score = 60
    $sap_instance = array_distinct($e.target.resource.name)

  condition:
    // Trigger if the user is seen on 2 or more distinct terminals
    #terminal >= 2
}

Detection logic

Fires when $terminal occurs at least 2 times in the 15m window.

Events

$e USER_LOGIN (4624, 4625, 4648)

  • metadata.log_type = "SAP_SECURITY_AUDIT"
  • additional.fields["msg_1"] matches "^AU1$|^AU5$"
  • principal.hostname is not null

Correlation

Match key
$user
Within
15m

Outcome

Fields the detection emits on a match. $risk_score drives alerting; Chronicle surfaces the rest on the detection.

FieldExpression
terminalsarray_distinct($terminal)
count_of_terminalscount_distinct($terminal)
risk_score60
sap_instancearray_distinct($e.target.resource.name)