Pathlock_TDnR_CL
| where DataSource == "SAST_DO"
| project TimeGenerated, Sysid, DataSource, Eventid, Instance, Hostname, Bname,
Tcode, Report, Area, Subid, SrcIp, DestIp, AffectedUser, LogLine,
MsgType, MsgId, MsgNo, MessageV1, MessageV2, MessageV3, MessageV4, CentralTs
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Bname
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: Hostname
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIp
tactics:
- Exfiltration
suppressionEnabled: false
suppressionDuration: 5h
requiredDataConnectors:
- dataTypes:
- Pathlock_TDnR_CL
connectorId: Pathlock_TDnR
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
groupByAlertDetails: []
lookbackDuration: 5h
groupByEntities: []
groupByCustomDetails: []
enabled: true
matchingMethod: AnyAlert
createIncident: true
id: 2a3b4c5d-6e7f-4a0b-8c1d-2e3f4a5b6c51
severity: Medium
eventGroupingSettings:
aggregationKind: SingleAlert
status: Available
query: |
Pathlock_TDnR_CL
| where DataSource == "SAST_DO"
| project TimeGenerated, Sysid, DataSource, Eventid, Instance, Hostname, Bname,
Tcode, Report, Area, Subid, SrcIp, DestIp, AffectedUser, LogLine,
MsgType, MsgId, MsgNo, MessageV1, MessageV2, MessageV3, MessageV4, CentralTs
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SAST_DO.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.0
name: Pathlock TDnR - SAP Download Observer Events
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1048
description: Detects download events captured by the Pathlock DownLoad Observer in SAP, forwarded to Microsoft Sentinel. Unusual download patterns may indicate bulk data exfiltration, unauthorized extraction of sensitive SAP data, or insider threat activity involving large-scale data downloads.
triggerOperator: gt
