Pathlock_TDnR_CL
| where DataSource == "TABLE_UTILITY"
| project TimeGenerated, Sysid, DataSource, Eventid, Instance, Hostname, Bname,
Tcode, Report, Area, Subid, SrcIp, DestIp, AffectedUser, LogLine,
MsgType, MsgId, MsgNo, MessageV1, MessageV2, MessageV3, MessageV4, CentralTs
version: 1.0.0
queryPeriod: 1h
suppressionDuration: 5h
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Bname
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: Hostname
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIp
eventGroupingSettings:
aggregationKind: SingleAlert
tactics:
- DefenseEvasion
status: Available
relevantTechniques:
- T1562
triggerOperator: gt
suppressionEnabled: false
requiredDataConnectors:
- connectorId: Pathlock_TDnR
dataTypes:
- Pathlock_TDnR_CL
queryFrequency: 1h
severity: High
kind: Scheduled
incidentConfiguration:
groupingConfiguration:
groupByEntities: []
enabled: true
groupByAlertDetails: []
groupByCustomDetails: []
reopenClosedIncident: false
matchingMethod: AnyAlert
lookbackDuration: 5h
createIncident: true
triggerThreshold: 0
query: |
Pathlock_TDnR_CL
| where DataSource == "TABLE_UTILITY"
| project TimeGenerated, Sysid, DataSource, Eventid, Instance, Hostname, Bname,
Tcode, Report, Area, Subid, SrcIp, DestIp, AffectedUser, LogLine,
MsgType, MsgId, MsgNo, MessageV1, MessageV2, MessageV3, MessageV4, CentralTs
description: Detects changes made using the DDIC table utility tool SE14 in SAP, forwarded by Pathlock Threat Detection and Response. SE14 operations can delete or restructure database tables, making this one of the highest-risk actions an SAP user can perform - often used to destroy audit trails or manipulate historical data.
id: 2a3b4c5d-6e7f-4a0b-8c1d-2e3f4a5b6c69
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_TABLE_UTILITY.yaml
name: Pathlock TDnR - DDIC Table Utility Changes (SE14)
