Pathlock_TDnR_CL
| where DataSource == "J2EE_SEC_AUD_LOG"
| project TimeGenerated, Sysid, DataSource, Eventid, Instance, Hostname, Bname,
Tcode, Report, Area, Subid, SrcIp, DestIp, AffectedUser, LogLine,
MsgType, MsgId, MsgNo, MessageV1, MessageV2, MessageV3, MessageV4, CentralTs
version: 1.0.0
queryPeriod: 1h
suppressionDuration: 5h
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Bname
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: Hostname
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIp
eventGroupingSettings:
aggregationKind: SingleAlert
tactics:
- Discovery
status: Available
relevantTechniques:
- T1082
triggerOperator: gt
suppressionEnabled: false
requiredDataConnectors:
- connectorId: Pathlock_TDnR
dataTypes:
- Pathlock_TDnR_CL
queryFrequency: 1h
severity: Medium
kind: Scheduled
incidentConfiguration:
groupingConfiguration:
groupByEntities: []
enabled: true
groupByAlertDetails: []
groupByCustomDetails: []
reopenClosedIncident: false
matchingMethod: AnyAlert
lookbackDuration: 5h
createIncident: true
triggerThreshold: 0
query: |
Pathlock_TDnR_CL
| where DataSource == "J2EE_SEC_AUD_LOG"
| project TimeGenerated, Sysid, DataSource, Eventid, Instance, Hostname, Bname,
Tcode, Report, Area, Subid, SrcIp, DestIp, AffectedUser, LogLine,
MsgType, MsgId, MsgNo, MessageV1, MessageV2, MessageV3, MessageV4, CentralTs
description: Detects events from the SAP J2EE (Java) security audit log, forwarded by Pathlock Threat Detection and Response. Security audit events from the Java stack may reveal authentication failures, authorization violations, or exploitation attempts targeting SAP NetWeaver Application Server Java.
id: 2a3b4c5d-6e7f-4a0b-8c1d-2e3f4a5b6c36
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_J2EE_SEC_AUD_LOG.yaml
name: Pathlock TDnR - J2EE Security Audit Events
