SAP LogServ - HANA DB - Assign Admin Authorizations
| Id | 4981469b-8618-43a7-b44c-5744594fa494 |
| Rulename | SAP LogServ - HANA DB - Assign Admin Authorizations |
| Description | Identifies admin privileges/roles assignment. Source Action: Assign a user with any Admin role / privileges. *Data Sources: SAP LogServ - HANA DB (Syslog)* |
| Severity | High |
| Tactics | PrivilegeEscalation |
| Required data connectors | SAPLogServ |
| Kind | Scheduled |
| Query frequency | 10m |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP LogServ/Analytic Rules/SAPLogServ-AssignAdminAuthorizations.yaml |
| Version | 1.0.0 |
| Arm template | 4981469b-8618-43a7-b44c-5744594fa494.json |
let AuditTimeAgo = 60m;
SAPLogServ_CL
| where TimeGenerated >= ago(AuditTimeAgo)
| where clz_subdir == "hanaaudit"
| extend raw_split = split(Raw, ";")
| extend
event_timestamp__col_0 = tostring(raw_split[0]),
service_name__col_1 = tostring(raw_split[1]),
hostname__col_2 = tostring(raw_split[2]),
sid__col_3 = tostring(raw_split[3]),
instance_number__col_4 = tostring(raw_split[4]),
port_number__col_5 = tostring(raw_split[5]),
database_name__col_6 = tostring(raw_split[6]),
client_ip_address__col_7 = tostring(raw_split[7]),
client_name__col_8 = tostring(raw_split[8]),
client_process_id__col_9 = tostring(raw_split[9]),
client_port_number__col_10 = tostring(raw_split[10]),
policy_name__col_11 = tostring(raw_split[11]),
audit_level__col_12 = tostring(raw_split[12]),
audit_action__col_13 = tostring(raw_split[13]),
session_user__col_14 = tostring(raw_split[14]),
target_schema__col_15 = tostring(raw_split[15]),
target_object__col_16 = tostring(raw_split[16]),
privilege_name__col_17 = tostring(raw_split[17]),
grantable__col_18 = tostring(raw_split[18]),
role_name__col_19 = tostring(raw_split[19]),
target_principal__col_20 = tostring(raw_split[20]),
action_status__col_21 = tostring(raw_split[21]),
component__col_22 = tostring(raw_split[22]),
section__col_23 = tostring(raw_split[23]),
parameter__col_24 = tostring(raw_split[24]),
old_value__col_25 = tostring(raw_split[25]),
new_value__col_26 = tostring(raw_split[26]),
comment__col_27 = tostring(raw_split[27]),
executed_statement__col_28 = tostring(raw_split[28]),
session_id__col_29 = tostring(raw_split[29]),
application_user_name__col_30 = tostring(raw_split[30]),
role_schema_name__col_31 = tostring(raw_split[31]),
grantee_schema_name__col_32 = tostring(raw_split[32]),
origin_database_name__col_33 = tostring(raw_split[33]),
origin_user_name__col_34 = tostring(raw_split[34]),
xs_application_user_name__col_35 = tostring(raw_split[35]),
application_name__col_36 = tostring(raw_split[36]),
statement_user_name__col_37 = tostring(raw_split[37]),
create_time__col_38 = tostring(raw_split[38]),
xsa_message_ip__col_39 = tostring(raw_split[39]),
xsa_tenant__col_40 = tostring(raw_split[40]),
xsa_uuid__col_41 = tostring(raw_split[41]),
xsa_channel__col_42 = tostring(raw_split[42]),
xsa_attachment_id__col_43 = tostring(raw_split[43]),
xsa_attachment_name__col_44 = tostring(raw_split[44]),
xsa_organization_id__col_45 = tostring(raw_split[45]),
xsa_space_id__col_46 = tostring(raw_split[46]),
xsa_instance_id__col_47 = tostring(raw_split[47]),
xsa_binding_id__col_48 = tostring(raw_split[48]),
xsa_object__col_49 = tostring(raw_split[49]),
xsa_data_subject__col_50 = tostring(raw_split[50])
| where
audit_action__col_13 =~ "GRANT PRIVILEGE"
and privilege_name__col_17 contains "ADMIN"
| extend AlertRuleUniqueName = 'hanadb-assignadminauthorizations-logserv'
alertDetailsOverride:
alertDescriptionFormat: |
{{comment__col_27}}
alertDisplayNameFormat: SAP LogServ - HANA DB - Assign Admin Authorizations
description: |
Identifies admin privileges/roles assignment.
Source Action: Assign a user with any Admin role / privileges.
*Data Sources: SAP LogServ - HANA DB (Syslog)*
kind: Scheduled
tactics:
- PrivilegeEscalation
requiredDataConnectors:
- connectorId: SAPLogServ
dataTypes:
- SAPLogServ_CL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP LogServ/Analytic Rules/SAPLogServ-AssignAdminAuthorizations.yaml
severity: High
name: SAP LogServ - HANA DB - Assign Admin Authorizations
customDetails:
SAP_User: session_user__col_14
triggerThreshold: 0
queryPeriod: 1h
query: |
let AuditTimeAgo = 60m;
SAPLogServ_CL
| where TimeGenerated >= ago(AuditTimeAgo)
| where clz_subdir == "hanaaudit"
| extend raw_split = split(Raw, ";")
| extend
event_timestamp__col_0 = tostring(raw_split[0]),
service_name__col_1 = tostring(raw_split[1]),
hostname__col_2 = tostring(raw_split[2]),
sid__col_3 = tostring(raw_split[3]),
instance_number__col_4 = tostring(raw_split[4]),
port_number__col_5 = tostring(raw_split[5]),
database_name__col_6 = tostring(raw_split[6]),
client_ip_address__col_7 = tostring(raw_split[7]),
client_name__col_8 = tostring(raw_split[8]),
client_process_id__col_9 = tostring(raw_split[9]),
client_port_number__col_10 = tostring(raw_split[10]),
policy_name__col_11 = tostring(raw_split[11]),
audit_level__col_12 = tostring(raw_split[12]),
audit_action__col_13 = tostring(raw_split[13]),
session_user__col_14 = tostring(raw_split[14]),
target_schema__col_15 = tostring(raw_split[15]),
target_object__col_16 = tostring(raw_split[16]),
privilege_name__col_17 = tostring(raw_split[17]),
grantable__col_18 = tostring(raw_split[18]),
role_name__col_19 = tostring(raw_split[19]),
target_principal__col_20 = tostring(raw_split[20]),
action_status__col_21 = tostring(raw_split[21]),
component__col_22 = tostring(raw_split[22]),
section__col_23 = tostring(raw_split[23]),
parameter__col_24 = tostring(raw_split[24]),
old_value__col_25 = tostring(raw_split[25]),
new_value__col_26 = tostring(raw_split[26]),
comment__col_27 = tostring(raw_split[27]),
executed_statement__col_28 = tostring(raw_split[28]),
session_id__col_29 = tostring(raw_split[29]),
application_user_name__col_30 = tostring(raw_split[30]),
role_schema_name__col_31 = tostring(raw_split[31]),
grantee_schema_name__col_32 = tostring(raw_split[32]),
origin_database_name__col_33 = tostring(raw_split[33]),
origin_user_name__col_34 = tostring(raw_split[34]),
xs_application_user_name__col_35 = tostring(raw_split[35]),
application_name__col_36 = tostring(raw_split[36]),
statement_user_name__col_37 = tostring(raw_split[37]),
create_time__col_38 = tostring(raw_split[38]),
xsa_message_ip__col_39 = tostring(raw_split[39]),
xsa_tenant__col_40 = tostring(raw_split[40]),
xsa_uuid__col_41 = tostring(raw_split[41]),
xsa_channel__col_42 = tostring(raw_split[42]),
xsa_attachment_id__col_43 = tostring(raw_split[43]),
xsa_attachment_name__col_44 = tostring(raw_split[44]),
xsa_organization_id__col_45 = tostring(raw_split[45]),
xsa_space_id__col_46 = tostring(raw_split[46]),
xsa_instance_id__col_47 = tostring(raw_split[47]),
xsa_binding_id__col_48 = tostring(raw_split[48]),
xsa_object__col_49 = tostring(raw_split[49]),
xsa_data_subject__col_50 = tostring(raw_split[50])
| where
audit_action__col_13 =~ "GRANT PRIVILEGE"
and privilege_name__col_17 contains "ADMIN"
| extend AlertRuleUniqueName = 'hanadb-assignadminauthorizations-logserv'
relevantTechniques: []
id: 4981469b-8618-43a7-b44c-5744594fa494
queryFrequency: 10m
status: Available
version: 1.0.0
triggerOperator: gt
eventGroupingSettings:
aggregationKind: SingleAlert
entityMappings:
- entityType: CloudApplication
fieldMappings:
- columnName: sid__col_3
identifier: AppId
- columnName: database_name__col_6
identifier: InstanceName
- entityType: Host
fieldMappings:
- columnName: hostname__col_2
identifier: FullName
- entityType: IP
fieldMappings:
- columnName: client_ip_address__col_7
identifier: Address