detection.wiki

Detection rules › YARA-L

sap security audit log user created deleted or unlocked

Severity
medium
Time window
59m
Match by
sid, user
Author
Google Cloud Security
Source
github.com/chronicle/detection-rules

Detects when an SAP user is created, deleted, or unlocked

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1136 Create Account

Rule body yaral

/*
 * Copyright 2026 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

rule sap_security_audit_log_user_created_deleted_or_unlocked {

  meta:
    author = "Google Cloud Security"
    description = "Detects when an SAP user is created, deleted, or unlocked"
    severity = "Medium"
    tactic = "TA0003"
    technique = "T1136"

  events:
    $e.metadata.log_type = "SAP_SECURITY_AUDIT"

    $e.additional.fields["msg_1"] = /^AU7$|^AU8$|^AU9$|^AUA$/ nocase

    $user = $e.principal.user.userid
    $sid = $e.target.application

    //exclusions
    not $user in %sap_admin_users.user

  match:
    $user, $sid over 59m

  outcome:
    $risk_score = 75
    $target_sid = array_distinct($sid)
    $description = array_distinct($e.metadata.description)
    $terminal = array_distinct($e.principal.hostname)
    $message_ids = array_distinct($e.additional.fields["msg_1"])
    $target_user = array_distinct($e.additional.fields["param1_1"])
    $t_code = array_distinct($e.security_result.detection_fields["slgtc_1"])
    $TXSUBCLSID = array_distinct($e.security_result.summary)
    $system = array_distinct($e.target.application)
    $instance = array_distinct($e.target.resource.name)

  condition:
    $e
}

Detection logic

Fires when at least one $e event in the 59m window.

Events

$e

  • metadata.log_type = "SAP_SECURITY_AUDIT"
  • additional.fields["msg_1"] matches "^AU7$|^AU8$|^AU9$|^AUA$"
  • principal.user.userid in "%sap_admin_users.user"

Correlation

Match key
$sid, $user
Within
59m

Outcome

Fields the detection emits on a match. $risk_score drives alerting; Chronicle surfaces the rest on the detection.

FieldExpression
risk_score75
target_sidarray_distinct($sid)
descriptionarray_distinct($e.metadata.description)
terminalarray_distinct($e.principal.hostname)
message_idsarray_distinct($e.additional.fields["msg_1"])
target_userarray_distinct($e.additional.fields["param1_1"])
t_codearray_distinct($e.security_result.detection_fields["slgtc_1"])
TXSUBCLSIDarray_distinct($e.security_result.summary)
systemarray_distinct($e.target.application)
instancearray_distinct($e.target.resource.name)