Pathlock_TDnR_CL
| where DataSource == "TABLE_UTILITY"
| project TimeGenerated, Sysid, DataSource, Eventid, Instance, Hostname, Bname,
Tcode, Report, Area, Subid, SrcIp, DestIp, AffectedUser, LogLine,
MsgType, MsgId, MsgNo, MessageV1, MessageV2, MessageV3, MessageV4, CentralTs
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Bname
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: Hostname
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIp
tactics:
- DefenseEvasion
suppressionEnabled: false
suppressionDuration: 5h
requiredDataConnectors:
- dataTypes:
- Pathlock_TDnR_CL
connectorId: Pathlock_TDnR
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
groupByAlertDetails: []
lookbackDuration: 5h
groupByEntities: []
groupByCustomDetails: []
enabled: true
matchingMethod: AnyAlert
createIncident: true
id: 2a3b4c5d-6e7f-4a0b-8c1d-2e3f4a5b6c69
severity: High
eventGroupingSettings:
aggregationKind: SingleAlert
status: Available
query: |
Pathlock_TDnR_CL
| where DataSource == "TABLE_UTILITY"
| project TimeGenerated, Sysid, DataSource, Eventid, Instance, Hostname, Bname,
Tcode, Report, Area, Subid, SrcIp, DestIp, AffectedUser, LogLine,
MsgType, MsgId, MsgNo, MessageV1, MessageV2, MessageV3, MessageV4, CentralTs
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_TABLE_UTILITY.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.0
name: Pathlock TDnR - DDIC Table Utility Changes (SE14)
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1562
description: Detects changes made using the DDIC table utility tool SE14 in SAP, forwarded by Pathlock Threat Detection and Response. SE14 operations can delete or restructure database tables, making this one of the highest-risk actions an SAP user can perform - often used to destroy audit trails or manipulate historical data.
triggerOperator: gt
