Pathlock_TDnR_CL
| where DataSource == "HANA_DBCON_CONNECT"
| project TimeGenerated, Sysid, DataSource, Eventid, Instance, Hostname, Bname,
Tcode, Report, Area, Subid, SrcIp, DestIp, AffectedUser, LogLine,
MsgType, MsgId, MsgNo, MessageV1, MessageV2, MessageV3, MessageV4, CentralTs
version: 1.0.0
queryPeriod: 1h
suppressionDuration: 5h
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Bname
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: Hostname
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIp
eventGroupingSettings:
aggregationKind: SingleAlert
tactics:
- LateralMovement
status: Available
relevantTechniques:
- T1021
triggerOperator: gt
suppressionEnabled: false
requiredDataConnectors:
- connectorId: Pathlock_TDnR
dataTypes:
- Pathlock_TDnR_CL
queryFrequency: 1h
severity: Medium
kind: Scheduled
incidentConfiguration:
groupingConfiguration:
groupByEntities: []
enabled: true
groupByAlertDetails: []
groupByCustomDetails: []
reopenClosedIncident: false
matchingMethod: AnyAlert
lookbackDuration: 5h
createIncident: true
triggerThreshold: 0
query: |
Pathlock_TDnR_CL
| where DataSource == "HANA_DBCON_CONNECT"
| project TimeGenerated, Sysid, DataSource, Eventid, Instance, Hostname, Bname,
Tcode, Report, Area, Subid, SrcIp, DestIp, AffectedUser, LogLine,
MsgType, MsgId, MsgNo, MessageV1, MessageV2, MessageV3, MessageV4, CentralTs
description: Detects security events from HANA standalone database connections via DBCON in SAP, forwarded by Pathlock Threat Detection and Response. Unauthorized DBCON connections allow direct database access and may be used for lateral movement or to bypass SAP application-layer controls.
id: 2a3b4c5d-6e7f-4a0b-8c1d-2e3f4a5b6c28
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_HANA_DBCON_CONNECT.yaml
name: Pathlock TDnR - HANA Standalone DB Connection Events
