Pathlock_TDnR_CL
| where DataSource == "RAL_AUDIT"
| project TimeGenerated, Sysid, DataSource, Eventid, Instance, Hostname, Bname,
Tcode, Report, Area, Subid, SrcIp, DestIp, AffectedUser, LogLine,
MsgType, MsgId, MsgNo, MessageV1, MessageV2, MessageV3, MessageV4, CentralTs
version: 1.0.0
queryPeriod: 1h
suppressionDuration: 5h
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Bname
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: Hostname
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIp
eventGroupingSettings:
aggregationKind: SingleAlert
tactics:
- Collection
status: Available
relevantTechniques:
- T1213
triggerOperator: gt
suppressionEnabled: false
requiredDataConnectors:
- connectorId: Pathlock_TDnR
dataTypes:
- Pathlock_TDnR_CL
queryFrequency: 1h
severity: Medium
kind: Scheduled
incidentConfiguration:
groupingConfiguration:
groupByEntities: []
enabled: true
groupByAlertDetails: []
groupByCustomDetails: []
reopenClosedIncident: false
matchingMethod: AnyAlert
lookbackDuration: 5h
createIncident: true
triggerThreshold: 0
query: |
Pathlock_TDnR_CL
| where DataSource == "RAL_AUDIT"
| project TimeGenerated, Sysid, DataSource, Eventid, Instance, Hostname, Bname,
Tcode, Report, Area, Subid, SrcIp, DestIp, AffectedUser, LogLine,
MsgType, MsgId, MsgNo, MessageV1, MessageV2, MessageV3, MessageV4, CentralTs
description: Detects SAP Read Access Logging (RAL) audit changelog events, forwarded by Pathlock Threat Detection and Response. RAL audit events capture changes to which sensitive data fields are being logged, and modifications may indicate attempts to disable read access monitoring for sensitive data.
id: 2a3b4c5d-6e7f-4a0b-8c1d-2e3f4a5b6c43
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_RAL_AUDIT.yaml
name: Pathlock TDnR - SAP Read Access Logging Audit
