Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Pathlock TDnR - SAP Read Access Logging Data

Pathlock TDnR - SAP Read Access Logging Data

Back
Id2a3b4c5d-6e7f-4a0b-8c1d-2e3f4a5b6c44
RulenamePathlock TDnR - SAP Read Access Logging Data
DescriptionDetects SAP Read Access Logging (RAL) data events capturing actual sensitive data access, forwarded by Pathlock Threat Detection and Response. RAL data events record when users access sensitive fields (e.g. salary data, personal information) and may indicate data harvesting or insider threat activity.
SeverityMedium
TacticsCollection
Exfiltration
TechniquesT1213
T1048
Required data connectorsPathlock_TDnR
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_RAL_DATA.yaml
Version1.0.0
Arm template2a3b4c5d-6e7f-4a0b-8c1d-2e3f4a5b6c44.json
Deploy To Azure
Pathlock_TDnR_CL
| where DataSource == "RAL_DATA"
| project TimeGenerated, Sysid, DataSource, Eventid, Instance, Hostname, Bname,
          Tcode, Report, Area, Subid, SrcIp, DestIp, AffectedUser, LogLine,
          MsgType, MsgId, MsgNo, MessageV1, MessageV2, MessageV3, MessageV4, CentralTs

entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: Bname
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: Hostname
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIp
tactics:
- Collection
- Exfiltration
suppressionEnabled: false
suppressionDuration: 5h
requiredDataConnectors:
- dataTypes:
  - Pathlock_TDnR_CL
  connectorId: Pathlock_TDnR
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    groupByAlertDetails: []
    lookbackDuration: 5h
    groupByEntities: []
    groupByCustomDetails: []
    enabled: true
    matchingMethod: AnyAlert
  createIncident: true
id: 2a3b4c5d-6e7f-4a0b-8c1d-2e3f4a5b6c44
severity: Medium
eventGroupingSettings:
  aggregationKind: SingleAlert
status: Available
query: |
  Pathlock_TDnR_CL
  | where DataSource == "RAL_DATA"
  | project TimeGenerated, Sysid, DataSource, Eventid, Instance, Hostname, Bname,
            Tcode, Report, Area, Subid, SrcIp, DestIp, AffectedUser, LogLine,
            MsgType, MsgId, MsgNo, MessageV1, MessageV2, MessageV3, MessageV4, CentralTs  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_RAL_DATA.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.0
name: Pathlock TDnR - SAP Read Access Logging Data
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1213
- T1048
description: Detects SAP Read Access Logging (RAL) data events capturing actual sensitive data access, forwarded by Pathlock Threat Detection and Response. RAL data events record when users access sensitive fields (e.g. salary data, personal information) and may indicate data harvesting or insider threat activity.
triggerOperator: gt