detection.wiki

Detection rules › YARA-L

sap security audit log configuration change

Severity
high
Time window
1h
Match by
sid, user
Author
Google Cloud Security
Source
github.com/chronicle/detection-rules

Detects changes to the SAP Security Audit Log configuration. Monitoring message codes AUE, AUF, AUI, AUJ, FU0, and E05.

MITRE ATT&CK coverage

TacticTechniques
StealthT1562 Impair Defenses

Rule body yaral

/*
 * Copyright 2026 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

rule sap_security_audit_log_configuration_change {

  meta:
    author = "Google Cloud Security"
    description = "Detects changes to the SAP Security Audit Log configuration. Monitoring message codes AUE, AUF, AUI, AUJ, FU0, and E05."
    severity = "High"
    tactic = "TA0005"
    technique = "T1562"

  events:
    $e.metadata.log_type = "SAP_SECURITY_AUDIT"

    $e.additional.fields["msg_1"] = /^AUE$|^AUF$|^AUI$|^AUJ$|^FU0$|^E05$/

    $user = $e.principal.user.userid
    $sid = $e.target.application

    not $user in %sap_admin_users.user

  match:
    $user, $sid over 1h

  outcome:
    $risk_score = 75
    $target_sid = array_distinct($sid)
    $description = array_distinct($e.metadata.description)
    $terminal = array_distinct($e.principal.hostname)
    $message_ids = array_distinct($e.additional.fields["msg_1"])
    $t_code = array_distinct($e.security_result.detection_fields["slgtc_1"])
    $TXSUBCLSID = array_distinct($e.security_result.summary)
    $system = array_distinct($e.target.application)
    $instance = array_distinct($e.target.resource.name)


  condition:
    $e
}

Detection logic

Fires when at least one $e event in the 1h window.

Events

$e

  • metadata.log_type = "SAP_SECURITY_AUDIT"
  • additional.fields["msg_1"] matches "^AUE$|^AUF$|^AUI$|^AUJ$|^FU0$|^E05$"
  • principal.user.userid in "%sap_admin_users.user"

Correlation

Match key
$sid, $user
Within
1h

Outcome

Fields the detection emits on a match. $risk_score drives alerting; Chronicle surfaces the rest on the detection.

FieldExpression
risk_score75
target_sidarray_distinct($sid)
descriptionarray_distinct($e.metadata.description)
terminalarray_distinct($e.principal.hostname)
message_idsarray_distinct($e.additional.fields["msg_1"])
t_codearray_distinct($e.security_result.detection_fields["slgtc_1"])
TXSUBCLSIDarray_distinct($e.security_result.summary)
systemarray_distinct($e.target.application)
instancearray_distinct($e.target.resource.name)