Microsoft Sentinel Analytic Rules

SAP LogServ - HANA DB - Assign Admin Authorizations

Id: 4981469b-8618-43a7-b44c-5744594fa494
Rulename: SAP LogServ - HANA DB - Assign Admin Authorizations
Description: Identifies admin privileges/roles assignment.

Source Action: Assign a user with any Admin role / privileges.

*Data Sources: SAP LogServ - HANA DB (Syslog)*
Severity: High
Tactics: PrivilegeEscalation
Required data connectors: SAPLogServ
Kind: Scheduled
Query frequency: 10m
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP LogServ/Analytic Rules/SAPLogServ-AssignAdminAuthorizations.yaml
Version: 1.0.0
Arm template: 4981469b-8618-43a7-b44c-5744594fa494.json
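// SAP LogServ - HANA DB - Assign Admin Authorizations
//
// Reads the HANA audit trail delivered through SAP LogServ (clz_subdir == "hanaaudit").
// Each audit record arrives as one ';'-separated line in Raw; the positional fields are
// mapped to named columns below. The *__col_N column names are part of this rule's
// interface: the rule's entityMappings, customDetails and alertDetailsOverride reference
// them by name, so they must not be renamed.
//
// Fix: the rule description promises "Admin role / privileges", but the original filter
// only matched GRANT PRIVILEGE records. GRANT ROLE records whose role name contains
// "ADMIN" are now matched as well, so role-based admin assignment is covered too.
let AuditTimeAgo = 60m;   // lookback window; mirrors the rule's queryPeriod (1h)
SAPLogServ_CL
| where TimeGenerated >= ago(AuditTimeAgo)
| where clz_subdir == "hanaaudit"          // HANA audit-trail records only
| extend raw_split = split(Raw, ";")        // positional audit fields
| extend
  event_timestamp__col_0 = tostring(raw_split[0]),
  service_name__col_1 = tostring(raw_split[1]),
  hostname__col_2 = tostring(raw_split[2]),
  sid__col_3 = tostring(raw_split[3]),
  instance_number__col_4 = tostring(raw_split[4]),
  port_number__col_5 = tostring(raw_split[5]),
  database_name__col_6 = tostring(raw_split[6]),
  client_ip_address__col_7 = tostring(raw_split[7]),
  client_name__col_8 = tostring(raw_split[8]),
  client_process_id__col_9 = tostring(raw_split[9]),
  client_port_number__col_10 = tostring(raw_split[10]),
  policy_name__col_11 = tostring(raw_split[11]),
  audit_level__col_12 = tostring(raw_split[12]),
  audit_action__col_13 = tostring(raw_split[13]),
  session_user__col_14 = tostring(raw_split[14]),
  target_schema__col_15 = tostring(raw_split[15]),
  target_object__col_16 = tostring(raw_split[16]),
  privilege_name__col_17 = tostring(raw_split[17]),
  grantable__col_18 = tostring(raw_split[18]),
  role_name__col_19 = tostring(raw_split[19]),
  target_principal__col_20 = tostring(raw_split[20]),
  action_status__col_21 = tostring(raw_split[21]),
  component__col_22 = tostring(raw_split[22]),
  section__col_23 = tostring(raw_split[23]),
  parameter__col_24 = tostring(raw_split[24]),
  old_value__col_25 = tostring(raw_split[25]),
  new_value__col_26 = tostring(raw_split[26]),
  comment__col_27 = tostring(raw_split[27]),
  executed_statement__col_28 = tostring(raw_split[28]),
  session_id__col_29 = tostring(raw_split[29]),
  application_user_name__col_30 = tostring(raw_split[30]),
  role_schema_name__col_31 = tostring(raw_split[31]),
  grantee_schema_name__col_32 = tostring(raw_split[32]),
  origin_database_name__col_33 = tostring(raw_split[33]),
  origin_user_name__col_34 = tostring(raw_split[34]),
  xs_application_user_name__col_35 = tostring(raw_split[35]),
  application_name__col_36 = tostring(raw_split[36]),
  statement_user_name__col_37 = tostring(raw_split[37]),
  create_time__col_38 = tostring(raw_split[38]),
  xsa_message_ip__col_39 = tostring(raw_split[39]),
  xsa_tenant__col_40 = tostring(raw_split[40]),
  xsa_uuid__col_41 = tostring(raw_split[41]),
  xsa_channel__col_42 = tostring(raw_split[42]),
  xsa_attachment_id__col_43 = tostring(raw_split[43]),
  xsa_attachment_name__col_44 = tostring(raw_split[44]),
  xsa_organization_id__col_45 = tostring(raw_split[45]),
  xsa_space_id__col_46 = tostring(raw_split[46]),
  xsa_instance_id__col_47 = tostring(raw_split[47]),
  xsa_binding_id__col_48 = tostring(raw_split[48]),
  xsa_object__col_49 = tostring(raw_split[49]),
  xsa_data_subject__col_50 = tostring(raw_split[50])
// Match a grant of an ADMIN-named privilege, or a grant of an ADMIN-named role.
// `=~` and `contains` are case-insensitive in KQL, so casing of the audit text does
// not matter. action_status__col_21 is not filtered, so the outcome of the grant
// (successful or not) does not affect matching — attempted grants surface as well.
// NOTE(review): assumes role_name__col_19 carries the granted role for GRANT ROLE
// records — confirm against a sample record before relying on the role branch.
| where
  (audit_action__col_13 =~ "GRANT PRIVILEGE" and privilege_name__col_17 contains "ADMIN")
  or (audit_action__col_13 =~ "GRANT ROLE" and role_name__col_19 contains "ADMIN")
| extend AlertRuleUniqueName = 'hanadb-assignadminauthorizations-logserv'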
# Scheduled analytic rule: SAP LogServ - HANA DB - Assign Admin Authorizations.
# Alerts when the HANA audit trail (delivered via SAP LogServ) records a GRANT PRIVILEGE
# whose privilege name contains "ADMIN". The query below defines the *__col_N columns
# that entityMappings, customDetails and alertDetailsOverride refer to by name.
description: |
  Identifies admin privileges/roles assignment.

  Source Action: Assign a user with any Admin role / privileges.

  *Data Sources: SAP LogServ - HANA DB (Syslog)*  
# The alert description is taken verbatim from the audit record's comment field
# (comment__col_27), i.e. the text shown in the alert originates from the log data itself.
alertDetailsOverride:
  alertDescriptionFormat: |
        {{comment__col_27}}
  alertDisplayNameFormat: SAP LogServ - HANA DB - Assign Admin Authorizations
# threshold 0 with triggerOperator gt: the rule fires whenever the query returns any row.
triggerThreshold: 0
# Runs every 10 minutes over a 1-hour window; the query's own `let AuditTimeAgo = 60m`
# bounds the lookback to the same span.
queryFrequency: 10m
name: SAP LogServ - HANA DB - Assign Admin Authorizations
id: 4981469b-8618-43a7-b44c-5744594fa494
queryPeriod: 1h
# Raw is a ';'-separated HANA audit record; positions 0..50 are mapped to named columns.
# The filter keys on audit_action__col_13 and privilege_name__col_17 (the description also
# mentions role grants, which this filter does not cover — review if role coverage is wanted).
query: |
  let AuditTimeAgo = 60m;
  SAPLogServ_CL
  | where TimeGenerated >= ago(AuditTimeAgo)
  | where clz_subdir == "hanaaudit"
  | extend raw_split = split(Raw, ";")
  | extend
    event_timestamp__col_0 = tostring(raw_split[0]), 
    service_name__col_1 = tostring(raw_split[1]), 
    hostname__col_2 = tostring(raw_split[2]), 
    sid__col_3 = tostring(raw_split[3]), 
    instance_number__col_4 = tostring(raw_split[4]), 
    port_number__col_5 = tostring(raw_split[5]), 
    database_name__col_6 = tostring(raw_split[6]), 
    client_ip_address__col_7 = tostring(raw_split[7]), 
    client_name__col_8 = tostring(raw_split[8]), 
    client_process_id__col_9 = tostring(raw_split[9]), 
    client_port_number__col_10 = tostring(raw_split[10]), 
    policy_name__col_11 = tostring(raw_split[11]), 
    audit_level__col_12 = tostring(raw_split[12]), 
    audit_action__col_13 = tostring(raw_split[13]), 
    session_user__col_14 = tostring(raw_split[14]), 
    target_schema__col_15 = tostring(raw_split[15]), 
    target_object__col_16 = tostring(raw_split[16]), 
    privilege_name__col_17 = tostring(raw_split[17]), 
    grantable__col_18 = tostring(raw_split[18]), 
    role_name__col_19 = tostring(raw_split[19]), 
    target_principal__col_20 = tostring(raw_split[20]), 
    action_status__col_21 = tostring(raw_split[21]), 
    component__col_22 = tostring(raw_split[22]), 
    section__col_23 = tostring(raw_split[23]), 
    parameter__col_24 = tostring(raw_split[24]), 
    old_value__col_25 = tostring(raw_split[25]), 
    new_value__col_26 = tostring(raw_split[26]), 
    comment__col_27 = tostring(raw_split[27]), 
    executed_statement__col_28 = tostring(raw_split[28]), 
    session_id__col_29 = tostring(raw_split[29]), 
    application_user_name__col_30 = tostring(raw_split[30]), 
    role_schema_name__col_31 = tostring(raw_split[31]), 
    grantee_schema_name__col_32 = tostring(raw_split[32]), 
    origin_database_name__col_33 = tostring(raw_split[33]), 
    origin_user_name__col_34 = tostring(raw_split[34]), 
    xs_application_user_name__col_35 = tostring(raw_split[35]), 
    application_name__col_36 = tostring(raw_split[36]), 
    statement_user_name__col_37 = tostring(raw_split[37]), 
    create_time__col_38 = tostring(raw_split[38]), 
    xsa_message_ip__col_39 = tostring(raw_split[39]), 
    xsa_tenant__col_40 = tostring(raw_split[40]), 
    xsa_uuid__col_41 = tostring(raw_split[41]), 
    xsa_channel__col_42 = tostring(raw_split[42]), 
    xsa_attachment_id__col_43 = tostring(raw_split[43]), 
    xsa_attachment_name__col_44 = tostring(raw_split[44]), 
    xsa_organization_id__col_45 = tostring(raw_split[45]), 
    xsa_space_id__col_46 = tostring(raw_split[46]), 
    xsa_instance_id__col_47 = tostring(raw_split[47]), 
    xsa_binding_id__col_48 = tostring(raw_split[48]), 
    xsa_object__col_49 = tostring(raw_split[49]), 
    xsa_data_subject__col_50 = tostring(raw_split[50])
  | where 
    audit_action__col_13 =~ "GRANT PRIVILEGE"
    and privilege_name__col_17 contains "ADMIN"
  | extend AlertRuleUniqueName = 'hanadb-assignadminauthorizations-logserv'  
# SAP_User is the session user that issued the grant (session_user__col_14). The grantee
# (target_principal__col_20) and the granted privilege (privilege_name__col_17) are not
# surfaced here — TODO(review): consider adding them so triage does not need the raw record.
customDetails:
  SAP_User: session_user__col_14
# No MITRE ATT&CK technique is mapped; only the tactic is set.
relevantTechniques: []
tactics:
- PrivilegeEscalation
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP LogServ/Analytic Rules/SAPLogServ-AssignAdminAuthorizations.yaml
version: 1.0.0
# Entities: the HANA system (SID / database name), the host, and the client IP
# from which the grant was issued. All come from the positional columns above.
entityMappings:
- fieldMappings:
  - identifier: AppId
    columnName: sid__col_3
  - identifier: InstanceName
    columnName: database_name__col_6
  entityType: CloudApplication
- fieldMappings:
  - identifier: FullName
    columnName: hostname__col_2
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: client_ip_address__col_7
  entityType: IP
triggerOperator: gt
requiredDataConnectors:
- connectorId: SAPLogServ
  dataTypes:
  - SAPLogServ_CL
status: Available
kind: Scheduled
# SingleAlert: all rows returned by one run are grouped into a single alert.
eventGroupingSettings:
  aggregationKind: SingleAlert
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4981469b-8618-43a7-b44c-5744594fa494')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4981469b-8618-43a7-b44c-5744594fa494')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{comment__col_27}}\n",
          "alertDisplayNameFormat": "SAP LogServ - HANA DB - Assign Admin Authorizations"
        },
        "alertRuleTemplateName": "4981469b-8618-43a7-b44c-5744594fa494",
        "customDetails": {
          "SAP_User": "session_user__col_14"
        },
        "description": "Identifies admin privileges/roles assignment.\n\nSource Action: Assign a user with any Admin role / privileges.\n\n*Data Sources: SAP LogServ - HANA DB (Syslog)*\n",
        "displayName": "SAP LogServ - HANA DB - Assign Admin Authorizations",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "sid__col_3",
                "identifier": "AppId"
              },
              {
                "columnName": "database_name__col_6",
                "identifier": "InstanceName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "hostname__col_2",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "client_ip_address__col_7",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP LogServ/Analytic Rules/SAPLogServ-AssignAdminAuthorizations.yaml",
        "query": "let AuditTimeAgo = 60m;\nSAPLogServ_CL\n| where TimeGenerated >= ago(AuditTimeAgo)\n| where clz_subdir == \"hanaaudit\"\n| extend raw_split = split(Raw, \";\")\n| extend\n  event_timestamp__col_0 = tostring(raw_split[0]), \n  service_name__col_1 = tostring(raw_split[1]), \n  hostname__col_2 = tostring(raw_split[2]), \n  sid__col_3 = tostring(raw_split[3]), \n  instance_number__col_4 = tostring(raw_split[4]), \n  port_number__col_5 = tostring(raw_split[5]), \n  database_name__col_6 = tostring(raw_split[6]), \n  client_ip_address__col_7 = tostring(raw_split[7]), \n  client_name__col_8 = tostring(raw_split[8]), \n  client_process_id__col_9 = tostring(raw_split[9]), \n  client_port_number__col_10 = tostring(raw_split[10]), \n  policy_name__col_11 = tostring(raw_split[11]), \n  audit_level__col_12 = tostring(raw_split[12]), \n  audit_action__col_13 = tostring(raw_split[13]), \n  session_user__col_14 = tostring(raw_split[14]), \n  target_schema__col_15 = tostring(raw_split[15]), \n  target_object__col_16 = tostring(raw_split[16]), \n  privilege_name__col_17 = tostring(raw_split[17]), \n  grantable__col_18 = tostring(raw_split[18]), \n  role_name__col_19 = tostring(raw_split[19]), \n  target_principal__col_20 = tostring(raw_split[20]), \n  action_status__col_21 = tostring(raw_split[21]), \n  component__col_22 = tostring(raw_split[22]), \n  section__col_23 = tostring(raw_split[23]), \n  parameter__col_24 = tostring(raw_split[24]), \n  old_value__col_25 = tostring(raw_split[25]), \n  new_value__col_26 = tostring(raw_split[26]), \n  comment__col_27 = tostring(raw_split[27]), \n  executed_statement__col_28 = tostring(raw_split[28]), \n  session_id__col_29 = tostring(raw_split[29]), \n  application_user_name__col_30 = tostring(raw_split[30]), \n  role_schema_name__col_31 = tostring(raw_split[31]), \n  grantee_schema_name__col_32 = tostring(raw_split[32]), \n  origin_database_name__col_33 = tostring(raw_split[33]), \n  origin_user_name__col_34 = 
tostring(raw_split[34]), \n  xs_application_user_name__col_35 = tostring(raw_split[35]), \n  application_name__col_36 = tostring(raw_split[36]), \n  statement_user_name__col_37 = tostring(raw_split[37]), \n  create_time__col_38 = tostring(raw_split[38]), \n  xsa_message_ip__col_39 = tostring(raw_split[39]), \n  xsa_tenant__col_40 = tostring(raw_split[40]), \n  xsa_uuid__col_41 = tostring(raw_split[41]), \n  xsa_channel__col_42 = tostring(raw_split[42]), \n  xsa_attachment_id__col_43 = tostring(raw_split[43]), \n  xsa_attachment_name__col_44 = tostring(raw_split[44]), \n  xsa_organization_id__col_45 = tostring(raw_split[45]), \n  xsa_space_id__col_46 = tostring(raw_split[46]), \n  xsa_instance_id__col_47 = tostring(raw_split[47]), \n  xsa_binding_id__col_48 = tostring(raw_split[48]), \n  xsa_object__col_49 = tostring(raw_split[49]), \n  xsa_data_subject__col_50 = tostring(raw_split[50])\n| where \n  audit_action__col_13 =~ \"GRANT PRIVILEGE\"\n  and privilege_name__col_17 contains \"ADMIN\"\n| extend AlertRuleUniqueName = 'hanadb-assignadminauthorizations-logserv'\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}