Pathlock_TDnR_CL
| where DataSource == "ICF_CHANGES"
| project TimeGenerated, Sysid, DataSource, Eventid, Instance, Hostname, Bname,
Tcode, Report, Area, Subid, SrcIp, DestIp, AffectedUser, LogLine,
MsgType, MsgId, MsgNo, MessageV1, MessageV2, MessageV3, MessageV4, CentralTs
version: 1.0.0
queryPeriod: 1h
suppressionDuration: 5h
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Bname
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: Hostname
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIp
eventGroupingSettings:
aggregationKind: SingleAlert
tactics:
- Persistence
status: Available
relevantTechniques:
- T1505
triggerOperator: gt
suppressionEnabled: false
requiredDataConnectors:
- connectorId: Pathlock_TDnR
dataTypes:
- Pathlock_TDnR_CL
queryFrequency: 1h
severity: High
kind: Scheduled
incidentConfiguration:
groupingConfiguration:
groupByEntities: []
enabled: true
groupByAlertDetails: []
groupByCustomDetails: []
reopenClosedIncident: false
matchingMethod: AnyAlert
lookbackDuration: 5h
createIncident: true
triggerThreshold: 0
query: |
Pathlock_TDnR_CL
| where DataSource == "ICF_CHANGES"
| project TimeGenerated, Sysid, DataSource, Eventid, Instance, Hostname, Bname,
Tcode, Report, Area, Subid, SrcIp, DestIp, AffectedUser, LogLine,
MsgType, MsgId, MsgNo, MessageV1, MessageV2, MessageV3, MessageV4, CentralTs
description: Detects changes to SAP Internet Communication Framework (ICF) web service configuration, forwarded by Pathlock Threat Detection and Response. Unauthorized ICF changes may expose new attack surfaces, enable access to sensitive OData or SOAP services, or re-enable previously disabled dangerous services.
id: 2a3b4c5d-6e7f-4a0b-8c1d-2e3f4a5b6c32
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_ICF_CHANGES.yaml
name: Pathlock TDnR - ICF Web Service Changes
