Question

Google SecOps Rules for Check user has logged in using a different OS within the past 30 days.

  • February 4, 2026
  • 1 reply
  • 17 views

Dome

Hi everyone,

I’m new to Google SecOps and currently in the learning phase.
I’m working on a use case where I need to detect if the same user logs in with different operating systems (OS) within the last 30 days.

Can you guys help me write a rule to detect this scenario? Right now I'm getting logs from Azure AD using:

  $e.network.http.user_agent = $http
  $e.principal.platform = $platform
  $e.target.user.userid = $username

I'm using principal.platform as the OS but not really sure where to go first.

Thank you in advance for all the advice.

1 reply

Zorone Gimmy
  • New Member
  • February 4, 2026

You can track users logging in from multiple OSes by aggregating events per user over 30 days. Use principal.platform for OS and $username for identity. Group events by user, then check if more than one unique OS appears. In pseudocode:

for each user in last 30 days:
    get unique principal.platform values
    if count > 1:
        alert "User logged in from multiple OS"

Make sure to normalize OS names and handle missing principal.platform values to avoid false negatives.
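The per-user aggregation the reply describes, as an added example that is not part of the original thread: a Python model of the 30-day check, useful for prototyping the logic against exported sign-in events before turning it into a SecOps rule. It assumes the UDM fields from the question (target.user.userid, principal.platform, network.http.user_agent) flattened into a dict; the sample events and the User-Agent keyword table are constructed, and the OS labels mirror the upper-case platform names used by principal.platform.

```python
from datetime import datetime, timedelta

# User-Agent fallback used only when principal.platform is empty or UNKNOWN_PLATFORM.
# Order matters: Android UAs also contain "Linux", iPhone UAs also contain "Mac OS X".
UA_HINTS = [("android", "ANDROID"), ("iphone", "IOS"), ("ipad", "IOS"),
            ("windows", "WINDOWS"), ("mac os x", "MAC"), ("linux", "LINUX")]

def normalize_os(platform, user_agent):
    """Map principal.platform (or, failing that, the User-Agent) to one OS label."""
    p = (platform or "").strip().upper()
    if p and p != "UNKNOWN_PLATFORM":
        return p                      # "windows" and "WINDOWS" collapse to one value
    ua = (user_agent or "").lower()
    for needle, label in UA_HINTS:
        if needle in ua:
            return label
    return None                       # still unknown: skip, do not count it as a new OS

def users_with_multiple_os(events, now_iso, window_days=30):
    """Return {userid: sorted OS list} for users seen on more than one OS in the window."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=window_days)
    seen = {}
    for ev in events:
        if datetime.fromisoformat(ev["ts"]) < cutoff:
            continue                  # outside the look-back window
        os_name = normalize_os(ev.get("platform"), ev.get("user_agent"))
        if os_name is None:
            continue                  # missing platform and unrecognised UA
        seen.setdefault(ev["userid"], set()).add(os_name)
    return {u: sorted(s) for u, s in seen.items() if len(s) > 1}

def ev(ts, userid, platform, user_agent):   # constructed event, UDM fields flattened
    return {"ts": ts, "userid": userid, "platform": platform, "user_agent": user_agent}

SAMPLE_EVENTS = [
    ev("2026-01-10T08:00:00", "alice@example.com", "WINDOWS", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    ev("2026-01-25T09:30:00", "alice@example.com", "MAC", "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2)"),
    ev("2026-02-01T12:00:00", "bob@example.com", "WINDOWS", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    ev("2026-02-02T13:00:00", "bob@example.com", "windows", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),  # case only
    ev("2026-02-03T07:15:00", "carol@example.com", "", "Mozilla/5.0 (Linux; Android 14)"),               # platform empty
    ev("2026-02-03T18:45:00", "carol@example.com", "UNKNOWN_PLATFORM", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2 like Mac OS X)"),
    ev("2025-12-01T10:00:00", "dave@example.com", "LINUX", "Mozilla/5.0 (X11; Linux x86_64)"),           # outside 30 days
    ev("2026-02-03T10:00:00", "dave@example.com", "WINDOWS", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
]

if __name__ == "__main__":
    for user, oses in users_with_multiple_os(SAMPLE_EVENTS, "2026-02-04T00:00:00").items():
        print(f"ALERT {user}: logged in from multiple OS {oses}")
```

With the constructed data only alice (two real platform values) and carol (two OSes recovered from User-Agent) are flagged; bob's case-only difference and dave's out-of-window Linux sign-in are not.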