Question

Need help to get this rule - ASN, etc

  • October 13, 2025
  • 2 replies
  • 69 views

Austin123

Hi Team,

I am new to the platform and am trying to write YARA-L logic to detect when a privileged user successfully authenticates from a location, device, or ASN that has not been used by any other privileged account in the past 7 days.

Thanks

2 replies

AbdElHafez
Staff
  • October 13, 2025

Hi @Austin123, an easy version would be to have Rule1 feed the list of locations, devices and ASNs successfully authenticated from into a data table with a 7-day TTL, and Rule2 alert on ANY successful authentication that has no attributes from this data table, AND optionally feed the table with the new location/device/ASN triplet (or let the SOAR handle this in the case of legitimate access).


Could you share some more info, like the cloud platform rule, so that I can build the rule as exactly as possible?


SoarAndy
Staff
  • October 17, 2025

There are likely ways to optimise and enhance this, but this should get you started.

I'm conscious there is a timing condition where 'export' could run before 'check', though I think this is unlikely. You could play with a few ways to stop this: run frequency, only exporting the ASN to the approved list where the time was <1 hour ago (so checking new logins is always newer), over-alerting to SOAR and having a playbook check timestamps with customisable logic, etc.



Create Data Table


Create a rule to export known ASNs to the data table

rule privuser_asn_export {
  meta:
    author = "analyst123"
    description = "Rule1: record the ASN of every successful login in the privuser_asn data table (give the table a 7 day TTL so unused ASNs age out)"
    severity = "Medium"

  events:
    $login.metadata.event_type = "USER_LOGIN"
    // Only successful authentications should populate the known-ASN table.
    $login.security_result.action = "ALLOW"
    // Skip events with no ASN enrichment; the placeholder captures the ASN for the outcome.
    $login.principal.ip_geo_artifact.network.asn != ""
    $login.principal.ip_geo_artifact.network.asn = $loginasn
    $login.target.user.email_addresses = $loginuser
    // TODO: scope this to privileged accounts (for example with a reference list of admin users),
    // otherwise every user's ASN ends up in the table.

  outcome:
    $datatableasn = arrays.join_string(array_distinct($loginasn))
    $datatableuser = arrays.join_string(array_distinct($loginuser))

  condition:
    $login

  export:
    // Write one row per detection into the data table created above (columns: asn, user).
    %privuser_asn.write_row(
      asn: $datatableasn,
      user: $datatableuser
    )
}

Then a different rule to check new logins

rule privuser_asn_check {
  meta:
    author = "analyst123"
    description = "Rule2: alert on a successful login from an ASN that is not present in the privuser_asn data table"
    severity = "Medium"

  events:
    $login.metadata.event_type = "USER_LOGIN"
    // Same filters as the export rule, so both rules look at the same population of logins.
    $login.security_result.action = "ALLOW"
    $login.principal.ip_geo_artifact.network.asn != ""
    $login.principal.ip_geo_artifact.network.asn = $loginasn
    // The detection: the login's ASN is not in the table of ASNs seen in the last 7 days.
    not $loginasn in %privuser_asn.asn
    $login.target.user.email_addresses = $loginuser
    // TODO: scope this to privileged accounts with the same filter used in the export rule.

  outcome:
    $datatableasn = arrays.join_string(array_distinct($loginasn))
    $datatableuser = arrays.join_string(array_distinct($loginuser))

  condition:
    $login
}
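As an added illustration of the two-rule pattern AbdElHafez describes and the export/check rules SoarAndy posted (this is example code written for this page, not YARA-L and not from either poster), the script below replays constructed sample login events through a toy data table with a 7-day TTL. The privileged-user list, the flattened event shape, the ASN values and the warm-up period are assumptions made for the example. Running it with order="export_first" reproduces the timing condition SoarAndy mentions: the same login is written to the table before it is checked, so it never alerts.

```python
from datetime import datetime, timedelta

# Constructed for this example: a privileged-account list, standing in for
# whatever reference list or group membership the real rules would use.
PRIVILEGED_USERS = {"admin@example.com", "ops@example.com"}
TTL = timedelta(days=7)

# Constructed sample login events in a flattened UDM-like shape (not real logs).
SAMPLE_EVENTS = [
    {"ts": "2025-10-01T08:00:00", "user": "admin@example.com", "asn": "AS15169", "action": "ALLOW"},
    {"ts": "2025-10-02T09:30:00", "user": "ops@example.com",   "asn": "AS15169", "action": "ALLOW"},
    {"ts": "2025-10-03T10:00:00", "user": "ops@example.com",   "asn": "AS3356",  "action": "BLOCK"},  # failed login
    {"ts": "2025-10-04T10:00:00", "user": "ops@example.com",   "asn": "",        "action": "ALLOW"},  # no ASN enrichment
    {"ts": "2025-10-05T11:00:00", "user": "ops@example.com",   "asn": "AS3356",  "action": "ALLOW"},  # first use of AS3356
    {"ts": "2025-10-06T12:00:00", "user": "admin@example.com", "asn": "AS3356",  "action": "ALLOW"},  # AS3356 now known
    {"ts": "2025-10-07T12:00:00", "user": "guest@example.com", "asn": "AS64496", "action": "ALLOW"},  # not privileged
    {"ts": "2025-10-20T08:00:00", "user": "admin@example.com", "asn": "AS15169", "action": "ALLOW"},  # AS15169 aged out
]


class AsnDataTable:
    """Toy stand-in for the data table with a row TTL.

    Each write records when the ASN was last seen; a lookup treats rows older
    than the TTL as expired. Re-writing a row refreshes its timestamp, which is
    what gives the 'not used in the past 7 days' semantics the question asks for
    (an assumption of this toy, not a statement about the product's TTL rules).
    """

    def __init__(self, ttl):
        self.ttl = ttl
        self.rows = {}  # asn -> datetime of last write

    def write_row(self, asn, now):
        self.rows[asn] = now

    def contains(self, asn, now):
        last = self.rows.get(asn)
        return last is not None and now - last < self.ttl


def is_priv_success(event):
    """Shared event filter: successful login by a privileged account with an ASN."""
    return (event["action"] == "ALLOW"
            and event["asn"] != ""
            and event["user"] in PRIVILEGED_USERS)


def rule_export(event, table, now):
    """Rule1: record the ASN of every qualifying login in the table."""
    if is_priv_success(event):
        table.write_row(event["asn"], now)


def rule_check(event, table, now):
    """Rule2: alert when a qualifying login comes from an ASN no privileged
    account has used within the TTL. Returns an alert tuple or None."""
    if is_priv_success(event) and not table.contains(event["asn"], now):
        return (event["ts"], event["user"], event["asn"])
    return None


def run(events, order="check_first", warmup_until="2025-10-03T00:00:00"):
    """Replay events through both rules and return the alerts raised.

    order:        'check_first' is the intended schedule; 'export_first' models
                  the timing condition where the export rule sees an event
                  before the check rule does.
    warmup_until: the check rule is only enabled from this time, so the table
                  has some history and cold-start logins do not all alert.
    """
    table = AsnDataTable(TTL)
    warmup = datetime.fromisoformat(warmup_until)
    alerts = []
    for ev in events:
        now = datetime.fromisoformat(ev["ts"])
        steps = ["check", "export"] if order == "check_first" else ["export", "check"]
        for step in steps:
            if step == "export":
                rule_export(ev, table, now)
            elif now >= warmup:
                hit = rule_check(ev, table, now)
                if hit is not None:
                    alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for order in ("check_first", "export_first"):
        print(order, run(SAMPLE_EVENTS, order))
```

With the intended ordering the replay raises two alerts: the first privileged login from AS3356 on 5 October, and the 20 October login from AS15169, which no privileged account had used for more than seven days. With the export running first neither alerts, which is the failure mode the thread warns about; in the real rules the equivalent of the warm-up period is letting the export rule populate the table for a while before enabling the check rule.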