Solved

Google SecOps rule to check whether a user has logged in using a different OS within the past 30 days.

  • February 4, 2026
  • 2 replies
  • 40 views

Dome

Hi everyone,

I’m new to Google SecOps and currently in the learning phase.
I’m working on a use case where I need to detect if the same user logs in with different operating systems (OS) within the last 30 days.

Can you guys help me write a rule to detect this scenario? Right now I'm getting logs from Azure AD using:

  $e.network.http.user_agent = $http
  $e.principal.platform = $platform
  $e.target.user.userid = $username

I'm using principal.platform as the OS, but I'm not really sure where to go first.

Thank you in advance for all the advice.

2 replies

Zorone Gimmy
  • New Member
  • February 4, 2026

You can track users logging in from multiple OSes by aggregating events per user over 30 days. Use principal.platform for OS and $username for identity. Group events by user, then check if more than one unique OS appears. In pseudocode:

  for each user in last 30 days:
    get unique principal.platform values
    if count > 1:
      alert "User logged in from multiple OS"

Make sure to normalize OS names and handle missing principal.platform values to avoid false negatives.
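
The grouping this reply describes, as an added example that is not from the thread or from Google SecOps: a small Python script over constructed login records that normalizes principal.platform spellings, sets aside events whose platform is missing (counting them so they are not silently lost), and flags users with more than one distinct OS inside a 30-day window. The record field names and the fixed "now" are assumptions for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of USER_LOGIN-style events (not real Azure AD data).
# "platform" stands in for UDM principal.platform; spellings vary on purpose.
SAMPLE_EVENTS = [
    {"ts": "2026-01-10T08:00:00Z", "userid": "alice", "platform": "WINDOWS"},
    {"ts": "2026-01-28T09:15:00Z", "userid": "alice", "platform": "windows"},
    {"ts": "2026-02-03T18:40:00Z", "userid": "alice", "platform": "Mac"},
    {"ts": "2025-12-20T07:00:00Z", "userid": "bob", "platform": "LINUX"},  # older than 30d
    {"ts": "2026-02-01T07:00:00Z", "userid": "bob", "platform": "Linux"},
    {"ts": "2026-02-02T07:05:00Z", "userid": "carol", "platform": ""},  # platform missing
    {"ts": "2026-02-02T12:05:00Z", "userid": "carol", "platform": "iOS"},
]
NOW = datetime(2026, 2, 5, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible

# Vendor spellings collapsed to one canonical name so "windows"/"WINDOWS" count once.
ALIASES = {"win": "WINDOWS", "windows": "WINDOWS", "mac": "MAC", "macos": "MAC",
           "linux": "LINUX", "ios": "IOS", "android": "ANDROID"}

def normalize_platform(raw):
    """Return a canonical OS name, or None when the field is empty or absent."""
    if not raw or not raw.strip():
        return None
    key = raw.strip().lower()
    return ALIASES.get(key, key.upper())

def platforms_per_user(events, now=NOW, window_days=30):
    """Distinct normalized OSes per user inside the window, plus a per-user count
    of events whose platform was missing (kept visible instead of dropped)."""
    start = now - timedelta(days=window_days)
    seen, missing = defaultdict(set), defaultdict(int)
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        if not (start <= ts <= now):
            continue
        os_name = normalize_platform(ev.get("platform"))
        if os_name is None:
            missing[ev["userid"]] += 1
        else:
            seen[ev["userid"]].add(os_name)
    return dict(seen), dict(missing)

def find_multi_os_users(events, now=NOW, window_days=30):
    """Users with more than one distinct OS in the window, mapped to a sorted OS list."""
    seen, _ = platforms_per_user(events, now, window_days)
    return {user: sorted(oses) for user, oses in seen.items() if len(oses) > 1}
```

On the sample, only alice is flagged: bob's two Linux spellings collapse to one OS, and carol's single usable event is iOS while her empty-platform event is reported in the missing count rather than counted as an OS.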


Dome
  • Author
  • Bronze 1
  • Answer
  • February 5, 2026

You can track users logging in from multiple OSes by aggregating events per user over 30 days. Use principal.platform for OS and $username for identity. Group events by user, then check if more than one unique OS appears. In pseudocode:

  for each user in last 30 days:
    get unique principal.platform values
    if count > 1:
      alert "User logged in from multiple OS"

Make sure to normalize OS names and handle missing principal.platform values to avoid false negatives.

 

Thank you.

I am currently applying and using YARA-L with the following rule:

  // Rule header and meta section added so the fragment compiles as a complete
  // YARA-L 2.0 rule; the rule name is a placeholder.
  rule user_login_from_multiple_os {
    meta:
      description = "Same user logs in from more than one OS within the match window"
      severity = "LOW"

    events:
      $login.metadata.event_type = "USER_LOGIN"
      $login.target.user.userid = $user
      $login.principal.platform = $os
      $login.target.user.user_display_name = $user_display_name

    match:
      // window per user; 14d is what currently compiles
      $user over 14d

    outcome:
      $os_count = count_distinct($os)
      $os_list = array_distinct($os)
      // surface the display name(s) in the detection instead of leaving the placeholder unused
      $display_names = array_distinct($user_display_name)

    condition:
      $login and $os_count > 1
  }

At the moment, I am stuck on how to extend the detection window from 14 days to 30 days.

From my understanding, Google SecOps may have a limitation where the match window can only be defined up to 14 days.
Is this limitation correct, or am I misunderstanding the capability?

If the 14-day window is indeed the maximum, are there any alternative approaches or recommended methods to detect this behavior over a longer period (for example, 30 days)?
Are “metrics” going to help?

Thank you in advance for your guidance.