Microsoft Sentinel Analytic Rules

SAP ETD - Login from unexpected network

Id: 5dd72ebe-03ac-43ac-851b-68cfe5106e4f
Rule name: SAP ETD - Login from unexpected network
Description: Identifies logons from an unexpected network.

Source Action: Logon to the backend system from an IP address that is not assigned to any of the known networks.

Networks can be maintained in the “SAP - Networks” watchlist of the Microsoft Sentinel Solution for SAP package.



*Data Sources: SAP Enterprise Threat Detection Solution - Alerts*
Severity: Medium
Required data connectors: SAPETDAlerts
Kind: Scheduled
Query frequency: 5m
Query period: 30m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml
Version: 1.0.2
Arm template: 5dd72ebe-03ac-43ac-851b-68cfe5106e4f.json
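// Detection logic: an SAP ETD alert (one of the two patterns below) whose
// initiating IP address does not fall into any range listed in the
// "SAP - Networks" watchlist (watchlist column "Network"). Each row that
// survives is one triggering event from an unexpected network.
let regex_sid = @"^([A-Z0-9]{3})/";   // SID = 3-character prefix of SystemIdActor ("SID/client")
let regex_client = @"/(\d{3})$";      // client = 3-digit suffix of SystemIdActor
let SAPNetworks = _GetWatchlist('SAP - Networks');
SAPETDAlerts_CL
| where PatternName in ("Logon from external with SAP standard users","Access via unallowed IP Address")
// One ETD alert can carry several triggering events; evaluate each one on its own.
| mv-expand NormalizedTriggeringEvents
| extend extracted_user_ip = tostring(NormalizedTriggeringEvents.NetworkIPAddressInitiator)
// Without an initiator address there is nothing to check against the watchlist.
| where isnotempty(extracted_user_ip)
// Cast the remaining fields to string so custom details and entity mappings get
// plain values instead of dynamic (JSON-encoded) ones — same treatment as extracted_user_ip.
| extend extracted_sap_user = tostring(NormalizedTriggeringEvents.UserAccountTargeted)
| extend extracted_sid = extract(regex_sid, 1, tostring(NormalizedTriggeringEvents.SystemIdActor))
| extend extracted_client = extract(regex_client, 1, tostring(NormalizedTriggeringEvents.SystemIdActor))
| extend extracted_instance_name = tostring(NormalizedTriggeringEvents.NetworkHostnameActor)
| extend extracted_instance_host = tostring(NormalizedTriggeringEvents.NetworkHostnameInitiator)
// return_unmatched keeps rows whose IP matched no watchlist range; those rows carry an empty Network.
// NOTE(review): ipv4_lookup only matches IPv4 ranges, so an IPv6 (or malformed) initiator address
// is always "unmatched" and will alert — confirm that is the intended behaviour.
| evaluate ipv4_lookup(SAPNetworks, extracted_user_ip, Network, return_unmatched = true)
| where isempty(Network)
| project TimeGenerated, extracted_user_ip, extracted_sap_user, extracted_sid, extracted_client, extracted_instance_name, extracted_instance_host, AlertId, PatternName, PatternDescription, Status, NormalizedTriggeringEvents
// Private (RFC 1918) addresses have no geo data; public ones are enriched for the analyst.
| extend GeoLocation= iff(ipv4_is_private(extracted_user_ip), dynamic({"IsPrivate": true}), geo_info_from_ip_address(extracted_user_ip))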
# KQL executed on every run; the same query is rendered above and embedded in the ARM template.
# Rows that reach the end of the pipeline are logons whose initiator IP is in none of the
# watchlist networks (ipv4_lookup with return_unmatched = true, then isempty(Network)).
query: |
  let regex_sid = @"^([A-Z0-9]{3})/"; 
  let regex_client = @"/(\d{3})$";
  let SAPNetworks = _GetWatchlist('SAP - Networks');
  SAPETDAlerts_CL
  | where PatternName in ("Logon from external with SAP standard users","Access via unallowed IP Address")
  | mv-expand NormalizedTriggeringEvents
  | extend sapOriginalEvent = tostring(NormalizedTriggeringEvents)
  | extend Id_ = NormalizedTriggeringEvents.Id
  | extend extracted_user_ip = tostring(NormalizedTriggeringEvents.NetworkIPAddressInitiator)
  | where isnotempty(extracted_user_ip)
  | extend extracted_sap_user = NormalizedTriggeringEvents.UserAccountTargeted
  | extend extracted_sid = extract(regex_sid, 1, tostring(NormalizedTriggeringEvents.SystemIdActor))
  | extend extracted_client = extract(regex_client, 1, tostring(NormalizedTriggeringEvents.SystemIdActor))
  | extend extracted_instance_name = NormalizedTriggeringEvents.NetworkHostnameActor
  | extend extracted_instance_host = NormalizedTriggeringEvents.NetworkHostnameInitiator
  | evaluate ipv4_lookup(SAPNetworks, extracted_user_ip, Network, return_unmatched = true)
  | where isempty(Network)
  | project TimeGenerated, extracted_user_ip, extracted_sap_user, extracted_sid, extracted_client, extracted_instance_name, extracted_instance_host, AlertId, PatternName, PatternDescription, Status, NormalizedTriggeringEvents
  | extend GeoLocation= iff(ipv4_is_private(extracted_user_ip), dynamic({"IsPrivate": true}), geo_info_from_ip_address(extracted_user_ip))  
# AlertPerResult: every returned row (i.e. every triggering event) becomes its own alert,
# not one alert per rule run.
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
  Identifies logons from an unexpected network.
  Source Action: Logon to the backend system from an IP address that is not assigned to any of the known networks.
  Networks can be maintained in the "SAP - Networks" watchlist of the Microsoft Sentinel Solution for SAP package.

  *Data Sources: SAP Enterprise Threat Detection Solution - Alerts*
# Rule template identity; the same GUID is used for the ARM resource name and alertRuleTemplateName.
id: 5dd72ebe-03ac-43ac-851b-68cfe5106e4f
name: SAP ETD - Login from unexpected network
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml
# The query reads SAPETDAlerts_CL; without this connector the rule returns nothing.
requiredDataConnectors:
- dataTypes:
  - SAPETDAlerts_CL
  connectorId: SAPETDAlerts
status: Available
# gt 0: any returned row fires (see triggerOperator below).
triggerThreshold: 0
# 30m lookback on a 5m schedule (queryFrequency below) covers ingestion delay, but the
# windows overlap, so the same triggering event can be returned by several consecutive runs;
# with AlertPerResult and no suppression that presumably means duplicate alerts — verify.
queryPeriod: 30m
# Alert title/description are taken from the ETD pattern columns of each result row.
alertDetailsOverride:
  alertDisplayNameFormat: 'SAP ETD - {{PatternName}} '
  alertDescriptionFormat: |
        {{PatternDescription}}
version: 1.0.2
tactics: []
triggerOperator: gt
# Entities are built from the columns projected by the query:
# SID + instance name -> CloudApplication, initiator hostname -> Host, initiator IP -> IP.
entityMappings:
- fieldMappings:
  - identifier: AppId
    columnName: extracted_sid
  - identifier: InstanceName
    columnName: extracted_instance_name
  entityType: CloudApplication
- fieldMappings:
  - identifier: FullName
    columnName: extracted_instance_host
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: extracted_user_ip
  entityType: IP
relevantTechniques: []
# Surfaced on the alert for triage: the originating ETD alert number and the targeted SAP user.
customDetails:
  ETD_AlertNumber: AlertId
  SAP_User: extracted_sap_user
severity: Medium
kind: Scheduled
queryFrequency: 5m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5dd72ebe-03ac-43ac-851b-68cfe5106e4f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5dd72ebe-03ac-43ac-851b-68cfe5106e4f')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{PatternDescription}}\n",
          "alertDisplayNameFormat": "SAP ETD - {{PatternName}} "
        },
        "alertRuleTemplateName": "5dd72ebe-03ac-43ac-851b-68cfe5106e4f",
        "customDetails": {
          "ETD_AlertNumber": "AlertId",
          "SAP_User": "extracted_sap_user"
        },
        "description": "Identifies logons from an unexpected network.\nSource Action: Logon to the backend system from an IP address that is not assigned to any of the known networks.\nNetworks can be maintained in the \"SAP - Networks\" watchlist of the Microsoft Sentinel Solution for SAP package.\n\n*Data Sources: SAP Enterprise Threat Detection Solution - Alerts*\n",
        "displayName": "SAP ETD - Login from unexpected network",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "extracted_sid",
                "identifier": "AppId"
              },
              {
                "columnName": "extracted_instance_name",
                "identifier": "InstanceName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "extracted_instance_host",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "extracted_user_ip",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml",
        "query": "let regex_sid = @\"^([A-Z0-9]{3})/\"; \nlet regex_client = @\"/(\\d{3})$\";\nlet SAPNetworks = _GetWatchlist('SAP - Networks');\nSAPETDAlerts_CL\n| where PatternName in (\"Logon from external with SAP standard users\",\"Access via unallowed IP Address\")\n| mv-expand NormalizedTriggeringEvents\n| extend sapOriginalEvent = tostring(NormalizedTriggeringEvents)\n| extend Id_ = NormalizedTriggeringEvents.Id\n| extend extracted_user_ip = tostring(NormalizedTriggeringEvents.NetworkIPAddressInitiator)\n| where isnotempty(extracted_user_ip)\n| extend extracted_sap_user = NormalizedTriggeringEvents.UserAccountTargeted\n| extend extracted_sid = extract(regex_sid, 1, tostring(NormalizedTriggeringEvents.SystemIdActor))\n| extend extracted_client = extract(regex_client, 1, tostring(NormalizedTriggeringEvents.SystemIdActor))\n| extend extracted_instance_name = NormalizedTriggeringEvents.NetworkHostnameActor\n| extend extracted_instance_host = NormalizedTriggeringEvents.NetworkHostnameInitiator\n| evaluate ipv4_lookup(SAPNetworks, extracted_user_ip, Network, return_unmatched = true)\n| where isempty(Network)\n| project TimeGenerated, extracted_user_ip, extracted_sap_user, extracted_sid, extracted_client, extracted_instance_name, extracted_instance_host, AlertId, PatternName, PatternDescription, Status, NormalizedTriggeringEvents\n| extend GeoLocation= iff(ipv4_is_private(extracted_user_ip), dynamic({\"IsPrivate\": true}), geo_info_from_ip_address(extracted_user_ip))\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT30M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}