Hi Team,

I am new to the platform and am trying to write YARA-L logic to detect when a privileged user successfully authenticates from a location, device, or ASN that has not been used by any other privileged account in the past 7 days.

Thanks

Hi @Austin123, an easy version would be to have Rule1 feed the list of locations, devices and ASNs successfully authenticated from into a data table with a TTL of 7 days, and Rule2 alert on ANY successful authentication that has no attributes from this data table, AND optionally feed the table with the new location/device/ASN triplet (or let the SOAR handle this in case of legitimate access).

Could you share some more info, like the cloud platform rule, so that I could build the rule as exactly as possible?
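To make the two-rule design in the reply concrete, here is an added Python model of it (my own example, not code from the thread or from the SecOps product, and not YARA-L): Rule1 writes each successfully authenticated country/device/ASN value into a table with a 7-day TTL, and Rule2 checks every privileged success against that table before Rule1 learns from it. The event records, field names (`privileged`, `outcome`, `country`, `device`, `asn`) and timestamps are constructed sample data; this version alerts when any of the three attributes is absent from the table and reports which ones, which is a slightly stricter choice than the reply's "no attributes" wording.

```python
from datetime import datetime, timedelta

TTL = timedelta(days=7)              # data table TTL from the reply
ATTRS = ("country", "device", "asn")  # the location/device/ASN triplet

# Constructed sample login events (hypothetical, not real telemetry).
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "admin_alice", "privileged": True,
     "outcome": "success", "country": "DE", "device": "alice-laptop", "asn": 3320},
    {"ts": "2024-05-02T10:00:00", "user": "admin_bob", "privileged": True,
     "outcome": "success", "country": "DE", "device": "bob-laptop", "asn": 3320},
    # non-privileged account: neither rule should look at it
    {"ts": "2024-05-03T11:00:00", "user": "jdoe", "privileged": False,
     "outcome": "success", "country": "BR", "device": "jdoe-pc", "asn": 28573},
    # failed privileged login: must not be learned by Rule1 either
    {"ts": "2024-05-04T12:00:00", "user": "admin_carol", "privileged": True,
     "outcome": "failure", "country": "BR", "device": "carol-laptop", "asn": 28573},
    # known device, but new country and ASN
    {"ts": "2024-05-05T08:00:00", "user": "admin_bob", "privileged": True,
     "outcome": "success", "country": "BR", "device": "bob-laptop", "asn": 28573},
    # everything seen within the last 7 days: no alert
    {"ts": "2024-05-06T09:00:00", "user": "admin_alice", "privileged": True,
     "outcome": "success", "country": "DE", "device": "alice-laptop", "asn": 3320},
    # same triplet again, but the table entries have expired (TTL)
    {"ts": "2024-05-15T08:00:00", "user": "admin_alice", "privileged": True,
     "outcome": "success", "country": "DE", "device": "alice-laptop", "asn": 3320},
]


def process(events, ttl=TTL):
    """Replay events in time order and return (ts, user, [unseen attrs]) alerts."""
    table = {}    # (attr, value) -> datetime of last privileged success
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        # Both rules only consider successful privileged authentications.
        if not ev["privileged"] or ev["outcome"] != "success":
            continue
        now = datetime.fromisoformat(ev["ts"])
        # Rule2: evaluate against the table BEFORE Rule1 records this event,
        # otherwise every event would match itself and nothing would alert.
        # An entry older than the TTL counts as unseen (table expiry).
        unseen = [a for a in ATTRS
                  if (a, ev[a]) not in table or now - table[(a, ev[a])] > ttl]
        if unseen:
            alerts.append((ev["ts"], ev["user"], unseen))
        # Rule1: write/refresh the triplet values in the data table.
        for a in ATTRS:
            table[(a, ev[a])] = now
    return alerts


if __name__ == "__main__":
    for ts, user, attrs in process(EVENTS):
        print(f"{ts} {user}: first privileged use within {TTL.days}d of {', '.join(attrs)}")
```

Note the cold-start behaviour: the very first privileged login alerts on all three attributes because the table is empty, so in practice Rule1 should backfill the table from a 7-day lookback before Rule2 is enabled. Writing the new triplet back into the table on every alert (as the code does) means a legitimate new location is learned immediately; routing that write through the SOAR instead, as the reply suggests, keeps an attacker's first successful login from whitelisting itself.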